This is our old Q&A Site. Please post any new questions and answers at

I have a VPN (default Windows XP client-server setup) running, with Wireshark on both the client box and the actual VPN. However, on both instances of Wireshark all the traffic that I sniff shows up as either PPP Comp or GRE. I haven't been able to find a solid answer anywhere, so since I have creds is there a way to sniff the actual unencrypted traffic?

Both of the boxes are VMs, if that makes a difference.

asked 07 Jul '14, 07:39

Fewmitz's gravatar image

accept rate: 0%

Netmon (3.4) from MS can capture traffic in the GRE tunnel (using PPTP at least). Capture on the NDSIWANBH adaptor.

permanent link

answered 07 Jul '14, 08:00

grahamb's gravatar image

grahamb ♦
accept rate: 22%

Thanks for the response; I'll try that. Out of curiosity does that imply that Wireshark actually can't Sniff on VPN? I've seen a few possible solutions/workarounds but none of them fit what I'm seeing.

(07 Jul '14, 12:02) Fewmitz

On Windows, WinPCap (which is what Wireshark uses to capture) isn't able to capture on the pseudo-interfaces that VPN's create. Network Monitor uses a more modern filter driver so can capture on the VPN interfaces.

(07 Jul '14, 13:42) grahamb ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 07 Jul '14, 07:39

question was seen: 3,233 times

last updated: 07 Jul '14, 13:42

p​o​w​e​r​e​d by O​S​Q​A