Wireshark has full support for parsing the WireGuard VPN network protocol.

  • To find handshake packets, use the display filter
    wg.type == 1 || wg.type == 2
    
  • To find keepalive packets, use the display filter
    wg.keepalive
    
  • To filter communications with a specific endpoint, use the display filter
    ip.src == 8.8.8.8 || ip.dst == 8.8.8.8
    
    (replacing 8.8.8.8 with the server endpoint address).

Examples:

# watch handshakes & keepalives
wg.keepalive || wg.type == 1 || wg.type == 2

# watch handshakes & keepalives to specific server
(wg.keepalive || wg.type == 1 || wg.type == 2) && (ip.src == 8.8.8.8 || ip.dst == 8.8.8.8)
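
What these filters select on the wire, shown as an added example that is not part of the original page: a handshake is a message of type 1 or 2, and a keepalive is a type 4 transport message whose encrypted payload is empty, so only the 16-byte authentication tag follows the 16-byte header. The message sizes come from the WireGuard protocol; the function names and sample payloads are constructed for illustration.

```python
# Added example: classify UDP payloads the way the filters above group them.
# Fixed message sizes (bytes of UDP payload) from the WireGuard protocol.
HANDSHAKE_INIT, HANDSHAKE_RESP, COOKIE_REPLY, TRANSPORT = 1, 2, 3, 4
FIXED_LEN = {HANDSHAKE_INIT: 148, HANDSHAKE_RESP: 92, COOKIE_REPLY: 64}
TRANSPORT_HDR = 16  # type(1) + reserved(3) + receiver index(4) + counter(8)
AUTH_TAG = 16       # Poly1305 tag that ends every encrypted payload


def classify(payload: bytes) -> str:
    """Return 'handshake', 'keepalive', 'cookie', 'data' or 'not-wireguard'."""
    if len(payload) < 4 or payload[1:4] != b"\x00\x00\x00":
        return "not-wireguard"      # too short, or reserved bytes not zero
    msg_type = payload[0]           # the field wg.type matches on
    if msg_type in FIXED_LEN:
        if len(payload) != FIXED_LEN[msg_type]:
            return "not-wireguard"  # handshake/cookie messages have one size
        return "cookie" if msg_type == COOKIE_REPLY else "handshake"
    if msg_type == TRANSPORT:
        body = len(payload) - TRANSPORT_HDR
        if body < AUTH_TAG:
            return "not-wireguard"  # no room for the authentication tag
        # Empty plaintext: nothing but the tag after the header.
        return "keepalive" if body == AUTH_TAG else "data"
    return "not-wireguard"


def summarize(payloads):
    """Count payloads per class, e.g. to spot a tunnel that only handshakes."""
    counts = {}
    for p in payloads:
        kind = classify(p)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def sample_msg(msg_type: int, total_len: int) -> bytes:
    """Constructed sample: valid 4-byte header followed by zero bytes."""
    return bytes([msg_type, 0, 0, 0]) + bytes(total_len - 4)


# Constructed payloads: initiation, response, two keepalives, one data
# packet, a cookie reply, and a non-WireGuard payload on the same port.
SAMPLES = [sample_msg(1, 148), sample_msg(2, 92), sample_msg(4, 32),
           sample_msg(4, 32), sample_msg(4, 96), sample_msg(3, 64),
           b"\x16\x03\x01\x00\x05hello"]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

A capture showing repeated handshakes with no data or keepalives in between usually means the tunnel is not establishing, which is the pattern the combined filter makes visible.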

Interface selection

If you’re running Wireshark over SSH on a router that does whole-network VPN routing, capture on the device that corresponds to the WAN/WAN6 interface: the underlying hardware port, not the logical wan interface. In my case, eth1.