tags:

views:

33

answers:

2
Q: 

In tools like tcpdump, when exactly are the network packets captured?

One of the tools I am using uses encryption/decryption to send out data over the network. I am modifying the tool and I need to be sure that the data is actually being sent in an encrypted form.

Are Wireshark and tcpdump the right tools for the purpose? At which point during the transfer do they capture the network packets?

+2  A: 

Both of those tools capture the data exactly as it goes out over the wire. (Think of it as sort of the equivalent of "tee" for output that's going to screen as well as to file; here too, the same data goes to the socket as well as to tcpdump or whatever.)

So yes, if your tool is configured correctly to encrypt the data before sending it, then tcpdump or Wireshark should reflect that in their packet captures.

Alex  2010-09-02 15:11:42
While this is a perfectly good answer for the specific question, these tools actually capture the packet as it's delivered to the network adaptor, not as it goes onto the wire. This means that everything the network adaptor does (which used to be just MAC FCS, but is now usually IP/UDP/TCP checksums as well) does not get captured properly.
Will Dean  2010-09-02 15:20:01
@Will Dean: Do adapters really modify IP and higher level checksums? That's a surprise to me, do you have a reference?
GregS  2010-09-03 01:06:52
@GregS - An Intel datasheet for a modern Ethernet controller chip would give you all the gore, but if it's just a matter of not believing me, then http://www.wireshark.org/faq.html#q11.1 should set your mind at ease...
Will Dean  2010-09-03 10:44:47
@GregS - Here you go: http://download.intel.com/design/network/datashts/82541er.pdf - that's a part which can do TCP segmentation too, so the relationship between the bottom of the software stack and the wire will be even more tenuous
Will Dean  2010-09-03 10:47:14
@Will Dean: Thanks for those links. Looks like ethernet adapters are getting to look more like network processors; pretty cool.
GregS  2010-09-03 11:46:03
+1  A: 

Yes, those are the right tools. Wireshark will identify TLS and SSL packets, if that's what you are using for encryption. You can provide Wireshark with the server's private key and decrypt the traffic if necessary (except for ephemeral modes like DHE and ECDHE).

erickson  2010-09-02 15:12:15

related questions

How to implement password protection for individual files?
Encrypting appSettings in web.config
Usefulness of SQL Server "with encryption" statement
How can I use a key blob generated from Win32 CryptoAPI in my .NET application?
CodeReview: Tiny Encryption Algorithm for arbitrary sized data
Simple encryption implementation in C
Which hard disk encryption software to choose?
Passing untampered data from Flash app to server?
How do I prevent replay attacks?
Is there a best .NET algorithm for credit card encryption?
Encrypt data from users in web applications
How to encrypt one message for multiple recipients?
Two-way password encryption without ssl
What's the answer to this Microsoft PDC challenge?
GPG: How does key signing work and how is it done?
Secure Online Highscore Lists for Non-Web Games
Programmatically encrypting a config-file in .NET
How do I use 3des encryption/decryption in Java?
Encryption in C# Web-Services
Suitable alternative to CryptEncrypt
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
C# - CryptographicException: Padding is invalid and cannot be removed
How can I encode xml files to xfdl (base64-gzip)?
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Encrypting Passwords