This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark cannot display incoming packets for ISAKMP.

0

Hi all,

I am using Shrew Soft as a VPN client to establish a VPN tunnel. The tunnel comes up and works properly. But when I used Wireshark (version 1.12.2) to capture and filter (only ISAKMP), I only see outgoing packets and do not see incoming packets. Could you please help with this?

Sorry for my English, Thanks a lot,

This question is marked "community wiki".

asked 30 Dec '14, 01:58


Gấu Con

edited 30 Dec '14, 02:01

I want to update:

  • OS: Windows 8 64bit
  • Shrewsoft VPN client: 2.2.2
  • Wireshark: 1.12.2

Thanks a lot

(30 Dec '14, 02:07) Gấu Con

3 Answers:

1

Wireshark on Windows uses WinPcap, which hooks itself into the Windows networking stack to get frames. If the VPN client is "in front" of WinPcap, it will process the ISAKMP frames before WinPcap ever sees them. We have had reports about similar effects with all sorts of security software (VPN clients, Endpoint Security, etc.) in the past. There isn't much you can do about it. If you need the ISAKMP traffic, you can:

  • capture in front of your Windows client, on a switch mirror port
  • try to use Microsoft Network Monitor, as it uses a different way to get network frames than WinPcap.

Regards
Kurt

answered 30 Dec '14, 04:06


Kurt Knochner ♦

Dear,

Thank you very much for your info!

(30 Dec '14, 18:14) Gấu Con
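A check related to the answer above, as an added example that is not part of the original thread: it counts ISAKMP packets (UDP 500 and NAT-T 4500) per direction in a classic pcap file, so a capture taken on the host can be compared with one taken on a mirror port. The function names, addresses and sample captures are constructed for illustration.

```python
import socket
import struct

IKE_PORTS = {500, 4500}  # ISAKMP/IKE and its NAT-T encapsulation

def isakmp_directions(pcap: bytes, local_ip: str) -> dict:
    """Count ISAKMP packets sent by / addressed to local_ip in a classic pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    local = socket.inet_aton(local_ip)
    counts = {"out": 0, "in": 0}
    pos = 24  # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # not IPv4 carrying UDP
        if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:
            continue  # non-first IP fragment, no UDP header to inspect
        udp = 14 + (frame[14] & 0x0F) * 4
        ports = frame[udp:udp + 4]
        if len(ports) < 4 or not IKE_PORTS & set(struct.unpack("!HH", ports)):
            continue
        if frame[26:30] == local:
            counts["out"] += 1
        elif frame[30:34] == local:
            counts["in"] += 1
    return counts

def one_sided(counts: dict) -> bool:
    """True for the symptom in the question: ISAKMP seen leaving, none arriving."""
    return counts["out"] > 0 and counts["in"] == 0

def build_frame(src: str, dst: str, sport: int = 500, dport: int = 500) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 16, 0) + b"\x00" * 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def build_pcap(frames) -> bytes:
    recs = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + recs

# Constructed frames and captures (documentation addresses), not data from the question.
CLIENT, GW = "192.0.2.10", "198.51.100.1"
HOST_CAPTURE = build_pcap([build_frame(CLIENT, GW), build_frame(CLIENT, GW), build_frame(CLIENT, GW, 53, 53)])
MIRROR_CAPTURE = build_pcap([build_frame(CLIENT, GW), build_frame(GW, CLIENT), build_frame(GW, CLIENT, 4500, 4500)])
```

If the host capture is one-sided while the mirror-port capture shows both directions, the replies reached the machine but were consumed before the capture driver saw them.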

1

answered 08 Jan '15, 00:25


Alexis La Go...

0

VPN client interference is a known issue, outside the realm of Wireshark unfortunately.

answered 30 Dec '14, 03:53


Jaap ♦