0

How to capture traffic at Windows Filter Driver level

asked 2021-02-23 20:44:25 +0000

JasMan

Hey, we're using the Always-On-VPN solution from Zscaler. It uses Windows filtering to forward the traffic into the VPN tunnel. There's no virtual adapter where I could capture the unencrypted traffic.

According to Zscaler there's no way to capture the traffic with Wireshark before it enters the VPN and gets encrypted. This is great for security reasons of course, but bad for troubleshooting issues on the client side. The VPN client itself supports a basic capture function, but it can only capture traffic for up to 5 minutes.

Any idea how I would be able to capture the traffic at the filter driver level with Wireshark (e.g. mirror to a virtual adapter)?


1 Answer

0

answered 2021-02-24 08:28:55 +0000

grahamb

That would be an issue for the npcap folks, please raise an issue over at their GitHub issue tracker.


Comments

As an added thought, you might be able to capture this using Windows' own capture facilities (which generate an ETL file) and then convert/load that file using the ETL plugin recently added to Wireshark.

grahamb (2021-02-24 08:31:21 +0000)
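As an added example (not code from anyone in this thread), here is the ETL workflow grahamb describes done with the built-in pktmon tool from an elevated prompt. The output paths and the 10.0.0.0/8 filter are constructed placeholders, and the conversion subcommand is named `etl2pcap` on current builds but `pcapng` on the first release (Windows 10 2004), so check `pktmon help` on the machine in question.

```powershell
# Added example: capture with pktmon into an ETL file, then convert it for Wireshark.
# pktmon records packets at each NDIS component it lists (adapters and filter drivers),
# so "comp list" is the place to check which layers are visible on this machine.
pktmon comp list

# Optional: limit the capture to the traffic of interest (constructed sample subnet).
pktmon filter add vpn-clients --ip 10.0.0.0/8

# --pkt-size 0 keeps whole packets instead of the truncated default;
# the ETL file path is a placeholder.
pktmon start --capture --pkt-size 0 --file-name C:\Temp\vpn-capture.etl

# ... reproduce the problem here, then stop the trace ...
pktmon stop

# Convert the ETL trace to pcapng for Wireshark (on Windows 10 2004 use: pktmon pcapng <etl> -o <pcapng>).
pktmon etl2pcap C:\Temp\vpn-capture.etl --out C:\Temp\vpn-capture.pcapng

# Remove the filter so it does not affect later captures.
pktmon filter remove
```

Alternatively, a recent Wireshark with the ETL plugin can open the .etl file directly, skipping the conversion step.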

Good idea, but Netsh / pktmon show me the same adapters as Wireshark and tshark. :-( I will ask the npcap girls and guys. Thank you.

JasMan (2021-03-01 06:31:17 +0000)
