How to record traffic which is inside a VPN?
Solution 1:
Sure. Just tell Wireshark to monitor the VPN interface, not the actual Ethernet/WiFi one.
Each packet gets routed to a specific network interface. Most correspond to physical network cards; there's a "loopback" one for 127.0.0.1 as well.
When you connect to a VPN, the software creates a virtual network interface, assigns it an IP address, and so on. (Usually a 'tun' or 'tap' device, though it's not always named such... I'm pretty sure vpnc
uses 'tun'.)
Packets routed over that interface are sent to the VPN client, which encrypts them and sends inside new packets to the VPN server, which then get routed to the real WiFi device.
So whether you're trying to generate traffic, receive it, or monitor it, there's really no distinction between "inside" traffic and "outside" traffic, they just go through different devices, and you didn't tell Wireshark which one to capture on.
Solution 2:
If you're on a Mac and Wireshark can't capture the traffic, you can use the MacOS version of tcpdump
with the special iptap
interface option you can capture traffic e.g. if your VPN is using tun1
sudo tcpdump -i iptap,tun1