This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can you use Wireshark to know who uses a VPN over your network?

0

I don't want to know anything about what they visited while the VPN was active or anything; I just want to know if anyone uses a VPN on my network.

asked 05 Jul '17, 19:02

Someone who ...
accept rate: 0%


One Answer:

0

First, let's assume you can capture at the router which connects everyone in your network to the internet. Capturing on wireless networks is another can of worms so better to avoid it if you can.

Second, I suppose you have in mind those VPNs which are used to obfuscate what the user is doing on the internet from the network administrator and to anonymize the user to the services he visits, not the VPNs which are used to connect remote users to company networks.

If so, a typical pattern would be that a local machine has one or several encrypted conversations with a single remote IP while almost no other traffic towards the internet exists from that machine. You cannot 100% rely on spotting well-known ports used by VPNs for remote access because some VPN sites may mask the traffic as HTTPS or IMAP over TLS while others may use e.g. OpenVPN, which normally uses UDP as transport for the encrypted data. Even the traffic flow may be artificially modified (by transmitting bogus data while no real data flow is necessary). And there are many other things which can be done to make VPN traffic look similar to normal traffic, including establishing transport conversations with many IPs at different times and spreading the actual conversations among them. So you'll never be certain. That's the goal after all.

answered 05 Jul '17, 23:42

sindy
accept rate: 24%
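
The pattern described in the answer above (one local machine sending almost all of its internet traffic to a single remote IP) can be checked over per-frame records from a router capture. This is an added example, not part of the original answer; the LAN range, the thresholds, the function name and the sample frames are assumptions constructed for illustration, and the records could be exported with tshark's `ip.src`, `ip.dst` and `frame.len` fields. It measures traffic concentration only and yields candidates to inspect, since it does not look at ports or at whether the payload is encrypted.

```python
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range

# Constructed sample: (source IP, destination IP, frame length in bytes)
SAMPLE_FRAMES = (
    [("192.168.1.10", "203.0.113.5", 1400)] * 300      # host .10 -> one peer
    + [("203.0.113.5", "192.168.1.10", 1400)] * 700
    + [("192.168.1.10", "198.51.100.53", 80)] * 4      # a few stray frames
    + [("192.168.1.20", "198.51.100.7", 1200)] * 200   # host .20 -> many peers
    + [("192.168.1.20", "198.51.100.8", 1200)] * 150
    + [("192.168.1.20", "203.0.113.9", 1200)] * 180
    + [("192.168.1.10", "192.168.1.20", 500)] * 50     # LAN-only, ignored
)


def single_peer_hosts(frames, local_net=LOCAL_NET, min_share=0.95,
                      min_bytes=100_000):
    """Return {local_ip: (remote_ip, share)} for hosts whose internet
    traffic (both directions) is concentrated on one remote address."""
    per_host = defaultdict(lambda: defaultdict(int))
    for src, dst, length in frames:
        src_local = ipaddress.ip_address(src) in local_net
        dst_local = ipaddress.ip_address(dst) in local_net
        if src_local == dst_local:
            continue  # LAN-to-LAN or transit traffic is not relevant here
        host, peer = (src, dst) if src_local else (dst, src)
        per_host[host][peer] += length

    flagged = {}
    for host, peers in per_host.items():
        total = sum(peers.values())
        peer, top = max(peers.items(), key=lambda kv: kv[1])
        # Skip quiet hosts: a tiny sample is trivially "concentrated".
        if total >= min_bytes and top / total >= min_share:
            flagged[host] = (peer, round(top / total, 4))
    return flagged


if __name__ == "__main__":
    for host, (peer, share) in single_peer_hosts(SAMPLE_FRAMES).items():
        print(f"{host}: {share:.1%} of internet bytes go to {peer}")
```
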