This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

OSX AppleVPN traffic not visible via tunneling network interface (utun0)

0

I'm running Mac OS/X 10.11, and the VPN is an Apple IPSec VPN. I could verify that the host is routing correctly over the VPN interface (which Mac OS/X calls "utun0").

$ netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            link#10            UCS            29        0   utun0
…

However, when I run and listen on interface utun0, I couldn’t capture any traffic.

$ sudo tcpdump -i utun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on utun0, link-type NULL (BSD loopback), capture size 65535 bytes

(nothing)

Is there something special I need to do so that packets sent over a VPN link show up?

asked 03 Feb ‘16, 14:47


Kjee
6113
accept rate: 0%

I tried with Wireshark, but the result is just the same.

(08 Feb ‘16, 08:11) Kjee


One Answer:

1

> I tried with Wireshark, but the result is just the same.

Wireshark and tcpdump both capture traffic using libpcap, and libpcap would be using BPF, so they'll both succeed or fail in the exact same way as they're going through the exact same OS code path.

See the answer to a similar question somebody asked; it might simply not be possible to capture that traffic.

answered 08 Feb '16, 09:13


Guy Harris ♦♦
17.4k335196
accept rate: 19%