How to record traffic which is inside a VPN?

9

1

I connect to a server over a VPN connection and it is only reachable over this connection. While I'm exchanging packets I want to basically see what kind of packets are exchanged and how the server reacts when it gets "wrong" packets. So I need to look into the VPN connection. When I tried this with Wireshark on Debian I only was able to see TCP packets. Do you know if this works with Wireshark? How? What other tool to record (and maybe modify) the traffic should I use?

qbi

Posted 2015-02-24T16:01:15.327

Reputation: 591

Answers

13

Sure. Just tell Wireshark to monitor the VPN interface, not the actual Ethernet/WiFi one.

Each packet gets routed to a specific network interface. Most correspond to physical network cards; there's a "loopback" one for 127.0.0.1 as well.

When you connect to a VPN, the software creates a virtual network interface, assigns it an IP address, and so on. (Usually a 'tun' or 'tap' device, though it's not always named such... I'm pretty sure vpnc uses 'tun'.)

Packets routed over that interface are sent to the VPN client, which encrypts them and sends inside new packets to the VPN server, which then get routed to the real WiFi device.

So whether you're trying to generate traffic, receive it, or monitor it, there's really no distinction between "inside" traffic and "outside" traffic, they just go through different devices, and you didn't tell Wireshark which one to capture on.

user1686

Posted 2015-02-24T16:01:15.327

Reputation: 283 655

1Check your ifconfig or similar to see what interface has the expected VPN IP on it... that should give you some hints. – BowlesCR – 2015-02-24T16:45:23.803

Can I use tcpdump instead of wireshark ? – Vikram – 2016-06-28T10:08:43.000

Asked: 2015-02-24T16:01:15.327

Viewed: 19 987 times

Active: 2015-02-24T16:47:33.687