This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark on MAC OSX VPN

0

I am troubleshooting DNS issues with Apple products on our corporate network. We are seeing a problem where Windows users can resolve short-name DNS just fine but users on Apple products cannot (iPhone, iPad, Mac). To start, I am troubleshooting with a Mac, but I am not seeing any packets go across the VPN when I try to start a Wireshark capture from it.

From the ifconfig command I've gathered via IP that the tunnel is being generated off of the interface "utun1". When I start a packet capture off of that interface I see no packets; I've generated traffic by pinging devices on the corporate network, etc., and I am not seeing anything.

Similarly, I have tried generating a packet capture off of the en0 interface, which is the interface my Ethernet cord is plugged into. I see plenty of traffic go through, but nothing through the VPN. I can see DNS queries come into the DNS server on our corporate network from my computer when I am attached to the VPN, but my local Wireshark capture does not see packets going out to the DNS server.

I was wondering if anyone knows exactly how this works on OS X. Is it possible that everything is being encapsulated before it hits en0 or the VPN interface, and thus no packets are displayed because they are already tunneled?

I am running Mac OS X Lion version 10.7.3.

Thanks for your help and time!

asked 30 Mar '12, 09:10


PhillSimonds
accept rate: 0%


One Answer:

0

From the ifconfig command I've gathered via IP that the tunnel is being generated off of the interface "utun1".

Are you certain of that? Is there also an interface named, for example, ppp0? If so, what happens if you try to capture on the ppp0 interface? Apple's own VPN software sends traffic over a PPP interface such as ppp0; I don't know what other VPN software such as the Cisco VPN software does.

Similarly, I have tried generating a packet capture off of the en0 interface, which is the interface my Ethernet cord is plugged into. I see plenty of traffic go through, but nothing through the VPN. I can see DNS queries come into the DNS server on our corporate network from my computer when I am attached to the VPN, but my local Wireshark capture does not see packets going out to the DNS server.

Again, with Apple's VPN software, the VPN traffic will show up as, for example, ESP traffic on the Ethernet or AirPort interface, so it'll already be encapsulated. I don't know what other VPN software does, but it's probably similar.

answered 30 Mar '12, 13:10


Guy Harris ♦♦
accept rate: 19%
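To make the answer's point concrete, here is an added Python example (not code from this thread and not part of Wireshark): it parses what a capture on the physical interface would actually contain and shows that native ESP (IP protocol 50) and UDP/4500 NAT-T encapsulated ESP expose only the SPI and sequence number, whereas a plain DNS query on the same interface exposes its query name. The packets are constructed inside the script using documentation address ranges, the SPI and sequence values are made up, and the only protocol fact relied on beyond the page is RFC 3948's four-byte zero "non-ESP marker" that distinguishes IKE from ESP on UDP port 4500.

```python
"""Classify packets the way a capture on en0 would see them: clear-text DNS vs. opaque ESP."""
import struct

ESP_PROTO = 50      # IP protocol number for ESP
UDP_PROTO = 17
NATT_PORT = 4500    # UDP-encapsulated ESP and IKE (RFC 3948 / RFC 3947)
DNS_PORT = 53


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header, no options; checksum left zero since we only parse it."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload


def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_dns_query(name):
    """Standard query for an A record; labels are length-prefixed, terminated by a zero byte."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return pkt[9], src, dst, pkt[ihl:]


def parse_dns_qname(dns):
    pos, labels = 12, []  # skip the 12-byte DNS header
    while dns[pos] != 0:
        length = dns[pos]
        labels.append(dns[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def classify_packet(pkt):
    """Return what an analyst can read from the packet; inner_visible=False means it is just ESP/IKE."""
    proto, src, dst, payload = parse_ipv4(pkt)
    base = {"src": src, "dst": dst}
    if proto == ESP_PROTO:
        spi, seq = struct.unpack("!II", payload[:8])  # only SPI and sequence are clear text
        return dict(base, kind="esp", spi=spi, seq=seq, inner_visible=False)
    if proto == UDP_PROTO:
        sport, dport, ulen, _ = struct.unpack("!HHHH", payload[:8])
        data = payload[8:ulen]
        if NATT_PORT in (sport, dport):
            if data[:4] == b"\x00\x00\x00\x00":  # RFC 3948 non-ESP marker: this is IKE
                return dict(base, kind="ike-natt", inner_visible=False)
            spi, seq = struct.unpack("!II", data[:8])
            return dict(base, kind="esp-udp", spi=spi, seq=seq, inner_visible=False)
        if DNS_PORT in (sport, dport):
            return dict(base, kind="dns", qname=parse_dns_qname(data), inner_visible=True)
    return dict(base, kind="other", proto=proto, inner_visible=True)


def summarize(packets):
    """Count packets whose payload is readable vs. opaque tunnel traffic."""
    visible = sum(1 for p in packets if classify_packet(p)["inner_visible"])
    return {"visible": visible, "opaque": len(packets) - visible}


# Constructed sample packets (TEST-NET addresses, made-up SPIs), not a real capture.
SAMPLE_PACKETS = {
    "dns_plain": build_ipv4(UDP_PROTO, "192.0.2.10", "198.51.100.53",
                            build_udp(51000, DNS_PORT, build_dns_query("fileserver"))),
    "esp_native": build_ipv4(ESP_PROTO, "192.0.2.10", "203.0.113.1",
                             struct.pack("!II", 0xC0FFEE01, 7) + bytes(range(48))),
    "esp_natt": build_ipv4(UDP_PROTO, "192.0.2.10", "203.0.113.1",
                           build_udp(NATT_PORT, NATT_PORT,
                                     struct.pack("!II", 0xC0FFEE02, 8) + bytes(range(48)))),
    "ike_natt": build_ipv4(UDP_PROTO, "192.0.2.10", "203.0.113.1",
                           build_udp(NATT_PORT, NATT_PORT, b"\x00" * 4 + b"\x21" * 28)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(name, classify_packet(pkt))
    print(summarize(list(SAMPLE_PACKETS.values())))
```

The short-name query "fileserver" is only readable in the plain DNS packet; once the same query rides inside the tunnel, a capture on en0 yields an ESP record with an SPI and a sequence number and nothing else, which is why the DNS server sees the query arrive while the local capture never shows it leaving.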

I am seeing this output from the ifconfig command:

utun1: flags=8051<up,pointopoint,running,multicast> mtu 1280 inet 10.105.135.224 --> 10.105.135.224 netmask 0xffffff00

This and en0 are the only two interfaces that show IP addresses on them. I am using Apple's built-in VPN client found under Network Preferences, but it is connecting to a Cisco ASA and using Cisco IPsec as its tunneling protocol. I don't have a ppp interface being displayed under the ifconfig command or in the interface list under Wireshark... I have a p2p0, but as I understand it that is a completely different tunneling protocol than IPsec.

We resolved the DNS issue, so no further troubleshooting is needed. Thank you for all of your input, hopefully this will help someone else.

Thanks!

(30 Mar '12, 13:22) PhillSimonds
1

I seem to remember that somebody once noted that, on OS X, Cisco VPNs don't make the VPN traffic available for sniffing, so it's fortunate that you were able to debug the problem without a traffic capture. I also seem to remember that the utun devices don't carry the decrypted traffic, just some sort of control traffic, and that the decrypted traffic passes to the IP stack without passing through a pseudo-interface, making it un-sniffable.

(30 Mar '12, 16:09) Guy Harris ♦♦