Capturing traffic in Ziti: End to End encryption

This maybe related to this post but I was wanting to demonstrate the encryption provided by a Ziti tunnel. I had a netcat service in place where my client connected to the server via the fabric and was able to send text back and forth between client and server. However, reviewing the captured traffic (from the client side) in Wireshark, I was still able to see the data payload, not encrypted as I was expecting. Watching the video, it kind of made sense from an application perspective but I am wondering where then would I have to capture the traffic to see the data being obfuscated, or maybe I am misunderstanding and have my setup completely wrong?

Thanks!

Yes, that video is very relevant. In fact at around 5:40 in, me and Ken cover that "if you're on the local machine, you can sniff that traffic". The "browser->tunneler" part of this diagram:

I suspect you were observing the traffic from your local IP to the TUN IP. so something like 192.168.1.50 --> 100.64.0.3. If that's the case, you have discovered "the problem" with ZTHA and insecure protocols. The traffic IS observable on the local interface in that way. Once the traffic enters the tunneler is when the traffic will become encrypted. So watching the traffic from your computer, through your local router, out to the internet, that will all be encrypted.

Do note that on the 'far' side, when you offload your end-to-end-encrypted (e2ee) traffic, it'll also be visible on the very far side too.

Referring back to the ZTHA diagram:


That's why the "zero trust zone" basically starts when your traffic leaves your computer. The local device is absolutely able to have the traffic captured but it's only the traffic on that local computer, before it actually leaves your host network and enters your local network (LAN).

Hopefully that makes sense! Cheers!