TIA - I'm trying to troubleshoot some problems I'm having accessing a particular host over a VPN. I'm running Mac OS/X 10.6.7, and the VPN is a Cisco IPSec VPN. I've verified that the host is routing correctly over the VPN interface (which Mac OS/X calls "utun0"):

    dhcp-10-0-0-1:~ joshuadavies$ route get -host host.domain.com
       route to: host.domain.com
    destination: host.domain.com
        gateway: 1.2.3.4
      interface: utun0
          flags: <up,gateway,host,done,wascloned,proto3,ifscope>
     recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
           0         0         0         0         0         0      1280      3179

(obviously I've changed the hostname & gateway above).

However, when I fire up Wireshark and listen on interface utun0, even when I connect to a host in the remote network, I don't see anything in the capture list. Is there something special I need to do so that packets sent over a VPN link show up in Wireshark 1.4.6 under Mac OS/X?

asked 29 Jun '11, 08:30 Joshua Davies
One Answer:
From Apple,
I haven't tested this myself, but perhaps that is the solution...

answered 22 Oct '15, 15:22 Nigel Sherid...

I tried this but it still doesn't seem to capture packets via the tunneling interface (utun0). Did you find any other way around? (04 Feb '16, 10:23) Kjee
A quick look at xnu/bsd/net/if_utun.c in 10.6.7 indicates that it does include BPF tap code, so it should, in theory, be possible to capture on it with libpcap, so, in theory, both tcpdump and Wireshark should work.
However, this mail message indicates that, even if it does support BPF, it might not be getting the traffic you want to see. Is there also, for example, a ppp0 interface that's up? If so, what happens if you try capturing on it?
The best thing to do is to report this to http://bugreport.apple.com. The more reports, the more likely it will see attention. I filed 9699332.