I have a VPN (default Windows XP client-server setup) running, with Wireshark on both the client box and the actual VPN. However, on both instances of Wireshark all the traffic that I sniff shows up as either PPP Comp or GRE. I haven't been able to find a solid answer anywhere, so since I have creds is there a way to sniff the actual unencrypted traffic? Both of the boxes are VMs, if that makes a difference. asked 07 Jul '14, 07:39  Fewmitz |
One Answer:
Netmon (3.4) from MS can capture traffic in the GRE tunnel (using PPTP at least). Capture on the NDSIWANBH adaptor. answered 07 Jul '14, 08:00  grahamb ♦ |
Thanks for the response; I'll try that. Out of curiosity does that imply that Wireshark actually can't Sniff on VPN? I've seen a few possible solutions/workarounds but none of them fit what I'm seeing.
On Windows, WinPCap (which is what Wireshark uses to capture) isn't able to capture on the pseudo-interfaces that VPN's create. Network Monitor uses a more modern filter driver so can capture on the VPN interfaces.