Ask Your Question
0

How to capture traffic at Windows Filter Driver level

asked 2021-02-23 20:44:25 +0000

JasMan gravatar image

Hey, we're using the Always-On-VPN solution from Zscaler. It uses Windows filtering to forward the traffic into the VPN tunnel. There's no virtual adapter were I could capture the unencrypted traffic.

According to Zscaler there's no way to capture the traffic with Wireshark before it enters the VPN/get encrypted. This is great for security reasons of course, but bad for troubleshooting issues at the client side. The VPN client itself supports a basic capture function, but it can only capture traffic up to 5 minutes.

Any idea how I would be able to capture the traffic at the filter driver level with Wireshark (e.g. mirror to a virtual adapter)?

edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by ยป oldest newest most voted
0

answered 2021-10-01 12:22:48 +0000

shark gravatar image

I am not sure about the Always-On-VPN by Zscaler, however in my environment Zscaler acts as a local proxy and listens on some port in 127.0.0.1

If you have latest version of Wireshark and Npcap, you should see "Adapter for loopback traffic capture" in the capture interface. There is also packet capture option in Zscaler Client Connector.

edit flag offensive delete link more
add a comment
0

answered 2021-02-24 08:28:55 +0000

grahamb gravatar image

That would be an issue for the npcap folks, please raise an issue over at their GitHub issue tracker.

edit flag offensive delete link more

Comments

As an added thought, you might be able to capture this using Windows own capture facilities (that generate an ETL file) and then convert\load that file using the ETL plugin recently added to Wireshark

grahamb gravatar imagegrahamb ( 2021-02-24 08:31:21 +0000 )edit

Good idea, but Netsh / pktmon shows me the same adapters as Wireshark and tshark. :-( I will ask the npcap girls and guys. Thank you.

JasMan gravatar imageJasMan ( 2021-03-01 06:31:17 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2021-02-23 20:44:25 +0000

Seen: 1,590 times

Last updated: Feb 24 '21

Related questions

Why is the MSS not the same?

Checking if the VPN connection is working

Wireshark shows some vpn servers a UDP and othersAS OPENVPN, UDP would be unencrypted, Correct?

View the encryption domain in an IPsec VPN?

How do I find my SIP call to my cell phone over VPN? Not listed under Telephony > VoIP calls

VPN Monitoring

Low IPSec VPN bandwidth - how to find the cause?

Need my VPN line on my new laptop [closed]

Ping failure in VPN network

Duplicate ACK and TCP Retransmission

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2