I connect to a server over a VPN connection and it is only reachable over this connection. While I'm exchanging packets I want to basically see what kind of packets are exchanged and how the server reacts when it gets "wrong" packets. So I need to look into the VPN connection. When I tried this with Wireshark on Debian I only was able to see TCP packets. Do you know if this works with Wireshark? How? What other tool to record (and maybe modify) the traffic should I use?
Asked
Active
Viewed 4.9k times
2 Answers
19
Sure. Just tell Wireshark to monitor the VPN interface, not the actual Ethernet/WiFi one.
Each packet gets routed to a specific network interface. Most correspond to physical network cards; there's a "loopback" one for 127.0.0.1 as well.
When you connect to a VPN, the software creates a virtual network interface, assigns it an IP address, and so on. (Usually a 'tun' or 'tap' device, though it's not always named such... I'm pretty sure vpnc uses 'tun'.)
Packets routed over that interface are sent to the VPN client, which encrypts them and sends inside new packets to the VPN server, which then get routed to the real WiFi device.
So whether you're trying to generate traffic, receive it, or monitor it, there's really no distinction between "inside" traffic and "outside" traffic, they just go through different devices, and you didn't tell Wireshark which one to capture on.
grawity
- 501,077
3
If you're on a Mac and Wireshark can't capture the traffic, you can use the MacOS version of tcpdump with the special iptap interface option you can capture traffic e.g. if your VPN is using tun1
sudo tcpdump -i iptap,tun1
Pierz
- 2,169