This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do you capture everything except tun0 (openVPN)

0

Hey guys, I need to capture all traffic which is not going through tun0 (openvpn). I have no idea which capture-filter I should use. I hope someone can help me.

asked 03 Mar '15, 13:12

alexo90
6112
accept rate: 0%


2 Answers:

0

The OpenVPN traffic usually uses a "real" network card to transport the tunneled data. Default would be on UDP port 1194, so if you capture on your network card you could exclude the tunnel port, e.g. by using "not udp port 1194"

answered 03 Mar '15, 13:17

Jasper ♦♦
23.8k551284
accept rate: 18%

0

> I need to capture all traffic which is not going through tun0 (openvpn).

Well, then don't capture on tun0.

If you need to capture on multiple interfaces, you can use several -i statements. Recent versions of Wireshark/dumpcap/tcpdump do support capturing on multiple interfaces, so you don't have to use '-i any'.

Another idea is to set a filter on the IP addresses you don't need. Check the routing table to figure out which subnets are being routed to tun0, then use the following capture filter for those networks.

not net 10.x.x.0/24 and not net 10.y.y.0/24 and not ....

Regards
Kurt

answered 03 Mar '15, 14:20

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 03 Mar '15, 14:30
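
The routing-table approach from the second answer, as an added example that is not part of the original posts: a shell function that reads `ip -4 route show` style output and builds the `not net ...` capture filter for every destination routed to the tunnel interface. The function name `build_tunnel_exclude_filter`, the interface `eth0` and the sample routes are assumptions constructed for illustration.

```shell
#!/bin/sh
# Build a capture filter that excludes every IPv4 destination routed to a
# given tunnel interface. Reads routing-table text on stdin, interface
# name as $1. (Hypothetical helper, not part of Wireshark or OpenVPN.)
build_tunnel_exclude_filter() {
    awk -v ifname="$1" '
        {
            # Keep only routes whose output device is the tunnel.
            on_tunnel = 0
            for (i = 1; i < NF; i++)
                if ($i == "dev" && $(i + 1) == ifname) on_tunnel = 1
            if (!on_tunnel) next

            dest = $1
            if (dest ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/)
                term = "not net " dest      # prefix route
            else if (dest ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                term = "not host " dest     # single-address route
            else
                next                        # "default" has no net form
            filter = (filter == "" ? term : filter " and " term)
        }
        END { print filter }
    '
}

# Constructed sample routing table (not taken from a real host).
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
10.20.0.0/16 via 10.8.0.1 dev tun0
172.16.5.9 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

FILTER=$(printf '%s\n' "$SAMPLE_ROUTES" | build_tunnel_exclude_filter tun0)
echo "$FILTER"

# On a live system the same function would be fed from the routing table:
#   FILTER=$(ip -4 route show | build_tunnel_exclude_filter tun0)
#   dumpcap -i eth0 -f "$FILTER"
```

If the VPN pushes a default route, or the `0.0.0.0/1` and `128.0.0.0/1` pair, an address-based filter ends up excluding all IPv4 traffic; in that case capturing on the physical interface with the port exclusion from the first answer is the better fit.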