Hey guys, I need to capture all traffic which is not going through tun0 (openvpn). I have no idea which capture-filter I should use. I hope someone can help me.
asked 03 Mar '15, 13:12 alexo90
2 Answers:
The OpenVPN traffic usually uses a "real" network card to transport the tunneled data. Default would be on UDP port 1194, so if you capture on your network card you could exclude the tunnel port, e.g. by using "not udp port 1194".
answered 03 Mar '15, 13:17 Jasper ♦♦
Well, then don't capture on tun0. If you need to capture on multiple interfaces, you can use several -i statements. Recent versions of Wireshark/dumpcap/tcpdump do support capturing on multiple interfaces, so you don't have to use '-i any'. Another idea is to set a filter on the IP addresses you don't need. Check the routing table to figure out which subnets are being routed to tun0, then use the following capture filter for those networks.
Regards
answered 03 Mar '15, 14:20 Kurt Knochner ♦ edited 03 Mar '15, 14:30
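One way to carry out the routing-table approach from the second answer, as an added example (not code from either answer, and not the filter that answer referred to, which is absent from the page). It assumes Linux `ip -4 route show` output; the function names `build_filter` and `sample_routes` are hypothetical and the sample routes are constructed.

```shell
#!/bin/sh
# Added example: derive a capture filter that excludes every IPv4 network
# routed to a tunnel device. Reads `ip -4 route show` style lines on stdin.
# Exit status: 0 = filter printed, 1 = no route uses the device,
#              2 = the default route uses the device (full tunnel), so an
#                  address-based filter cannot separate the traffic.
build_filter() {
    awk -v dev="$1" '
        {
            # Only unicast routes: first field is "default" or a prefix.
            if ($1 != "default" && $1 !~ /^[0-9]/) next
            on_dev = 0
            for (i = 2; i < NF; i++)
                if ($i == "dev" && $(i + 1) == dev) on_dev = 1
            if (!on_dev) next
            if ($1 == "default") { full = 1; exit }
            dst = $1
            if (dst !~ /\//) dst = dst "/32"   # host route without prefix length
            if (!(dst in seen)) { seen[dst] = 1; nets[n++] = dst }
        }
        END {
            if (full) exit 2
            if (n == 0) exit 1
            out = "not (net " nets[0]
            for (i = 1; i < n; i++) out = out " or net " nets[i]
            print out ")"
        }'
}

# Constructed sample routing table (split tunnel: only some networks use tun0).
sample_routes() {
    cat <<'EOF'
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
172.16.40.0/22 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
192.0.2.10 via 10.8.0.1 dev tun0
EOF
}

# Demo on the constructed table. On a live host the same function would be fed
# from the real routing table, e.g.:
#   tcpdump -i any -w non_vpn.pcap "$(ip -4 route show | build_filter tun0)"
sample_routes | build_filter tun0
```

The filter matches on source or destination address, so it only helps when the capture includes the tunnel interface (several `-i` options or `-i any`); on the physical interface alone the tunneled packets appear only as the encapsulated OpenVPN transport traffic.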