Wireshark-users: Re: [Wireshark-users] Sniffing the WAN side of a VPN
From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Sat, 1 May 2010 09:25:39 +1000
What your ISP has set up will determine what you see. As John said, your router may be using ESP. However, with a carrier or provider VPN the encapsulation might all be hidden from you in their network core. If you can't get to the router configuration, then put in a manageable switch between router and modem and use port mirroring to Wireshark to see the traffic.

On 5/1/10, Sheahan, John <John.Sheahan@xxxxxxxxxxxxx> wrote:
> Traffic going over your VPN through the Internet is encrypted and
> encapsulated in the ESP protocol on your Cisco router and is routed with all
> other internet traffic.
> Since the IP address you are coming from (172.20.29.x) is an RFC 1918
> address, it cannot be routed on the internet by itself without being either
> NATed or encapsulated. In your case the ESP encapsulation will use the
> registered IP address of your router as the source address and the peer
> address of the other end of the VPN as its destination IP address.
>
> If you sniff the traffic coming and going from your Cisco router out to the
> internet, you will see this encrypted traffic in the ESP packets.
>
> john
>
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jeff Bruns
> Sent: Friday, April 30, 2010 1:08 PM
> To: Community support list for Wireshark
> Subject: [Wireshark-users] Sniffing the WAN side of a VPN
>
> We are part of a mid-sized VPN, one of several dozen physical locations
> scattered across the Washington, DC metropolitan area. Each site is part of
> a VPN provided by Comcast and has an address schema of 172.20.x.x/28. The
> incoming internet connection is from a coax cable to a Comcast cable modem.
> From the modem, an ethernet cable connects to a Cisco 2800 series router.
> Network devices are then connected to the various ports on the Cisco box.
>
> My question is related to the visible traffic between the Comcast modem and
> the router. Specifically, I'm wondering, since we're part of a VPN, if
> sniffing the connection between the modem and the router would allow us to
> see traffic which may be destined to other sites within our VPN.
>
> For example, let's say the gateway address on our local network is
> 172.20.28.129. The next site's gateway address would be 172.20.29.129, the
> next 172.20.30.129 and so on. If I sniff between the modem and the router,
> would I be able to see traffic heading to the other various private gateways
> within my VPN?
>
> My knowledge of VPN networking is relatively slim, so the answer may hold no
> relevance to Wireshark. I understand that a VPN is provided by your ISP, so
> I suppose it may vary depending on ISP. I wonder just how isolated a VPN is
> amongst the rest of the internet. Does only traffic belonging to, or
> originating from, the VPN get routed to the cable modem, and from there,
> filtered by the router according to destination address? Or could traffic be
> routed at a higher level somewhere within the ISP, routing only traffic
> destined for my local network (172.20.28.129/28) to
> the modem and thus the router?
>
> Thanks for the help.

-- 
Regards, Martin

MartinVisser99@xxxxxxxxx
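What a capture between the modem and the router exposes, if the router is doing the ESP encapsulation John describes, is the outer IPv4 header (router's registered address to the VPN peer's address, protocol 50) plus the ESP SPI and sequence number; the body, including the inner 172.20.x.x addresses, is ciphertext. The Python below is an added example, not code from this thread or from Wireshark: it constructs such a packet from made-up values (RFC 5737 documentation addresses and an arbitrary SPI, stated as constructed in the comments), then parses it the way a WAN-side sniffer would, and checks the outer addresses against the RFC 1918 ranges the thread mentions.

```python
"""Added example: what a sniffer on the modem-router link can read from an
IPsec ESP packet. Packet bytes are constructed here, not from a real capture.
"""
import ipaddress
import socket
import struct

IPPROTO_ESP = 50  # IP protocol number for ESP (RFC 4303)
ESP_HEADER_LEN = 8  # SPI (4 bytes) + sequence number (4 bytes)

# The three private ranges from RFC 1918; traffic from them cannot cross the
# internet without NAT or encapsulation.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 private ranges."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header.
    Over a valid header with its checksum field filled in, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def esp_payload(spi: int, seq: int, body: bytes) -> bytes:
    """ESP header followed by 'body', which stands in for IV + ciphertext + ICV."""
    return struct.pack("!II", spi, seq) + body


def build_packet(src: str, dst: str, payload: bytes, proto: int = IPPROTO_ESP) -> bytes:
    """Construct a minimal IPv4 packet (no options) around 'payload'."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_wan_side(packet: bytes) -> dict:
    """Return the fields a sniffer between modem and router can actually read."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack_from("!H", packet, 2)[0]
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    info = {
        "src": src,
        "dst": dst,
        "proto": proto,
        # An RFC 1918 outer address would mean the packet is not routable as-is.
        "outer_is_rfc1918": is_rfc1918(src) or is_rfc1918(dst),
        "esp": None,
    }
    if proto != IPPROTO_ESP:
        return info
    if total_len < ihl + ESP_HEADER_LEN:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack_from("!II", packet, ihl)
    info["esp"] = {
        "spi": spi,
        "seq": seq,
        # Everything after the ESP header is encrypted: inner IPs are not visible.
        "opaque_bytes": total_len - ihl - ESP_HEADER_LEN,
    }
    return info


if __name__ == "__main__":
    # Constructed sample: router's public address -> VPN peer, made-up SPI,
    # 64 bytes of placeholder ciphertext.
    pkt = build_packet("203.0.113.10", "198.51.100.20",
                       esp_payload(0xC0FFEE01, 42, b"\x00" * 64))
    print(parse_wan_side(pkt))
```

The same view in Wireshark is the display filter `esp` (or `ip.proto == 50`); the dissector shows `esp.spi` and `esp.sequence` and nothing structured beneath them unless you load the SA keys in the ESP protocol preferences. If the provider handles the encapsulation upstream of the modem, as Martin notes, the capture shows plain traffic to your own /28 only and no ESP at all.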