This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I capture VPN/encrypted packets?


Symantec antivirus on a VPN connected Windoze machine is detecting an intrusion from a host on our VPN. Symantec can do this because the VPN client on the destination machine decrypts the messages before Symantec sees it. (Right?)

I am monitoring using a Mac with Wireshark on a hub which also supports the Windoze machine that's detecting the intrusion.

Because the Winders machine is on the VPN, but my monitoring Wireshark machine is not VPN connected, is there some capture filter that can decode the encrypted messages? Assume I can capture the packets which set up the VPN, and I have the RSA passcode.

The IP message header wouldn't be encrypted (else the network couldn't route it), so shouldn't I see the source host sending the packets?

Or is the source host's entire message being encrypted by the VPN server at the other end before I get it, and the VPN client removes the IP header and decrypts it, so all I can see by capturing is the destination host and the VPN source host in the packet?

(I did search 'questions' for VPN and encrypt and got zero hits for either; I'm sorry if this has been answered somewhere.)

asked 03 Apr '12, 11:06


PReinie
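As an added illustration of the encapsulation the question describes (not part of the original post, and a simplified model rather than any real VPN protocol): a sniffer on the hub sees only the outer IP header between the tunnel endpoints, while the inner packet naming the real source host is recoverable only with the key. The addresses, the key and the HMAC-based keystream below are constructed placeholders.

```python
import hashlib
import hmac
import ipaddress
import struct

IPV4_HDR = "!BBHHHBBH4s4s"  # minimal 20-byte header, no options


def build_ipv4(src, dst, proto, payload):
    """Build a 20-byte IPv4 header (checksum left zero) in front of payload."""
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload), or None if pkt does not start with a plain IPv4 header."""
    if len(pkt) < 20 or pkt[0] != 0x45:
        return None
    f = struct.unpack(IPV4_HDR, pkt[:20])
    return (str(ipaddress.IPv4Address(f[8])), str(ipaddress.IPv4Address(f[9])), f[6], pkt[20:f[2]])


def keystream_xor(key, data):
    """Toy stream cipher (constructed for illustration only): HMAC-SHA256 counter keystream XORed with data."""
    out = bytearray()
    for n, i in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, struct.pack("!I", n), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def tunnel(inner_pkt, key, vpn_server, vpn_client):
    """What the VPN server puts on the wire: outer header between tunnel endpoints, inner packet encrypted whole."""
    return build_ipv4(vpn_server, vpn_client, 50, keystream_xor(key, inner_pkt))  # 50 = ESP, as an example


def sniffer_view(wire_pkt):
    """What Wireshark on the hub sees without the key: the outer endpoints, and an opaque payload."""
    src, dst, proto, payload = parse_ipv4(wire_pkt)
    inner = parse_ipv4(payload)  # payload is ciphertext, so this is None or garbage
    return {"outer_src": src, "outer_dst": dst, "proto": proto, "inner_src": inner[0] if inner else None}


def vpn_client_view(wire_pkt, key):
    """What the Windows host sees after its VPN client strips the outer header and decrypts."""
    _, _, _, payload = parse_ipv4(wire_pkt)
    src, dst, proto, _ = parse_ipv4(keystream_xor(key, payload))
    return {"src": src, "dst": dst, "proto": proto}


# Constructed sample: host 10.1.1.7 on the VPN sends TCP to the Windows host's VPN address 10.1.1.20;
# the tunnel runs from the VPN server 203.0.113.1 to the Windows host's LAN address 192.168.0.50.
KEY = b"constructed-demo-key"
INNER = build_ipv4("10.1.1.7", "10.1.1.20", 6, b"\x00\x50\x1f\x90" + b"x" * 8)
WIRE = tunnel(INNER, KEY, "203.0.113.1", "192.168.0.50")
```

A capture filter only selects which packets are recorded; it cannot decrypt anything, so without the key the hub capture shows only the tunnel endpoints.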