
How to capture traffic at Windows Filter Driver level

Hey, we're using the Always-On-VPN solution from Zscaler. It uses Windows filtering to forward the traffic into the VPN tunnel. There's no virtual adapter where I could capture the unencrypted traffic.

According to Zscaler, there's no way to capture the traffic with Wireshark before it enters the VPN and gets encrypted. This is great for security reasons, of course, but bad for troubleshooting issues on the client side. The VPN client itself supports a basic capture function, but it can only capture traffic for up to 5 minutes.

Any idea how I would be able to capture the traffic at the filter driver level with Wireshark (e.g. mirror to a virtual adapter)?