Wireshark-users: Re: [Wireshark-users] Sniffing Cisco VPN packets

Date: Wed, 16 May 2007 09:39:08 -0400
Hi,

Usually to solve a potential network issue you'll prefer to capture the frames before they are encrypted. But if you want to see the IPSec frames or the tunnel, I usually place a hub on the link of the PC I want to capture and use a laptop running Wireshark and capture promiscuously.

Regards.

===========================================
André Noël
Analyste principal - protocoles
Bell Canada / Groupe Exploitation

-----Message d'origine-----
De : wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] De la part de Ulf Lamping
Envoyé : May 16, 2007 1:27
À : George A. Kantsios; Community support list for Wireshark
Objet : Re: [Wireshark-users] Sniffing Cisco VPN packets

George A. Kantsios wrote:
> Need a little help and appreciate any guidance and direction you can offer.  I am trying to sniff packets before and after a cisco VPN adapter on a Windows XP box. When I sniff the VPN adapter I see the unencrypted packets.  When I sniff the physical network device, I get almost no traffic, even when I send a huge file over the network?  Why can't I see the encrypted packets
Well, given the fact that there were lot's of problems with VPN software 
(incl. Cisco VPN) reported - from not seeing any interfaces to crashing 
various software parts, I would say you can be glad that you see any 
traffic at all ...

See http://wiki.wireshark.org/CaptureSetup/InterferingSoftware for some 
more details and http://wiki.wireshark.org/CaptureSetup in general.

Regards, ULFL
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users