This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi Guys,

I am trying to capture a VPN tunnel establishment between 2 firewalls. While I am able to get the trace on TCPDUMP, however when I write it to a pcap file, the outgoing packets are not present. What could I be doing wrong or is there something else I need to do while I do the capture?

01:05:52.154481 In IP 192.168.3.1.500 > 192.168.4.2.500: isakmp: phase 1 I ident: [|sa]
01:05:52.186367 Out IP 192.168.4.2.500 > 192.168.3.1.500: isakmp: phase 1 R ident: [|sa]

"In" packets are not visible. Any help would be appreciated.

Thanks,
Rahul

asked 08 Nov '13, 11:51


Rahultn

  • what is your (exact) tcpdump command for writing the pcap file?
  • where do you capture? On one of the firewalls, or somewhere in between?
(08 Nov '13, 15:37) Kurt Knochner ♦

Thanks for the response, Kurt.

FW1 ------ FW2

On the FW2 receiving interface I did the capture:

tcpdump -ni <int> -w File.pcap

On this dump I am able to see bidirectional traffic, but when I write it to a pcap file and open it, only
192.168.4.2.500 > 192.168.3.1.500: isakmp: phase 1 R ident: [|sa] is available.

(Correction to the q: Incoming packets are visible)

(08 Nov '13, 15:45) Rahultn


What type of firewall is this?

To repeat it:

  • if you run tcpdump on the console (tcpdump -ni <int>) you do see IKE traffic in both directions
  • if you let tcpdump write a file (tcpdump -ni <int> -w file.pcap) you don't see IKE in both directions?

If so (and you used no other options for tcpdump than the one you posted), how did you check the content of the pcap file?

BTW: Are there tagged VLAN ports involved on firewall FW2 (the interface you sniffed)?

(08 Nov '13, 16:01) Kurt Knochner ♦
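Kurt's last question is the useful check: read the written file back and count the IKE packets per direction instead of eyeballing it. The following is an added example, not code from the thread; it assumes a classic pcap file with the Ethernet link type, and the two-packet sample is constructed to mirror the trace in the question.

```python
import socket
import struct

# Added example (not from the thread): reads classic pcap, link type 1 (Ethernet) only.
IPV4, UDP, IKE_PORT = 0x0800, 17, 500


def build_frame(src_ip, dst_ip, payload=b"\x00" * 8):
    """Ethernet/IPv4/UDP frame on port 500; checksums zeroed, the reader ignores them."""
    udp = struct.pack("!HHHH", IKE_PORT, IKE_PORT, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\x00" * 12 + struct.pack("!H", IPV4) + ip + udp


def build_pcap(frames):
    """Classic little-endian pcap: 24-byte global header, 16-byte record headers."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


def ike_flows(pcap_bytes):
    """Return {(src, dst): count} for every UDP/500 packet in the capture."""
    magic = struct.unpack_from("<I", pcap_bytes, 0)[0]
    e = "<" if magic == 0xA1B2C3D4 else ">"   # swapped magic bytes mean a big-endian file
    if struct.unpack_from(e + "I", pcap_bytes, 20)[0] != 1:
        raise ValueError("example handles LINKTYPE_ETHERNET captures only")
    flows, off = {}, 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from(e + "IIII", pcap_bytes, off)[2]
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # 14 B Ethernet + 20 B IPv4 + 8 B UDP minimum; skip non-IPv4 and non-UDP
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != UDP:
            continue
        ihl = (frame[14] & 0x0F) * 4
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        if IKE_PORT in struct.unpack_from("!HH", frame, 14 + ihl):
            flows[(src, dst)] = flows.get((src, dst), 0) + 1
    return flows


def directions_seen(pcap_bytes, fw_ip):
    """IKE packets arriving at vs. leaving the capturing firewall's own address."""
    flows = ike_flows(pcap_bytes)
    return {"in": sum(n for (_, d), n in flows.items() if d == fw_ip),
            "out": sum(n for (s, _), n in flows.items() if s == fw_ip)}


# Constructed two-packet capture mirroring the trace in the question.
FW1, FW2 = "192.168.3.1", "192.168.4.2"
SAMPLE_PCAP = build_pcap([build_frame(FW1, FW2), build_frame(FW2, FW1)])

if __name__ == "__main__":
    print(directions_seen(SAMPLE_PCAP, FW2))  # {'in': 1, 'out': 1}
```

Against a real capture, `directions_seen(open("File.pcap", "rb").read(), "192.168.4.2")` returning `{'in': 0, 'out': 1}` reproduces what the asker saw, and `tcpdump -r File.pcap` on the same file is the independent cross-check.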
question asked: 08 Nov '13, 11:51

question was seen: 6,093 times

last updated: 08 Nov '13, 16:06
