--- Comment #19 from Peter Wu <> ---
The dissector supports two modes:
1. Peer identification based on the static public key.
2. Full decryption using a key log file.

For (1), simply configure the "WireGuard static keys" protocol preference. This
also works if you are passively observing without access to either endpoint.

To play with (2) decryption, you will have to capture keys on an endpoint:

    # Preparation, "make" must be run after every kernel/WireGuard update
    git clone
    cd contrib/examples/extract-handshakes
    # Actually continuous key extraction. Press Ctrl-C to abort
    sudo ./ > ~/wireguard.keys

Once the key extraction is set up, you can bring up your WireGuard interface
and start capturing from your default interface (for example, "eth0" or
"wlan0"). That will reveal the "encrypted" WireGuard UDP packets on the wire.
If you capture from the "wg0" interface, it will reveal the plaintext packets
within the tunnel.

To configure the key file, right-click on a WireGuard packet. Go to Protocol
Preferences -> Key log filename. Select the wireguard.keys file created before.
You can also start Wireshark directly with the right keys:

    wireshark -i eth0 -k -owg.keylog_file:$HOME/wireguard.keys

- The display filter "wg" restricts the packet list to the WireGuard protocol.
- To follow a session across IP changes, right-click "Stream Index" and choose
  "Apply as Filter" -> Selected. This will set a filter like " == 1".

You are receiving this mail because:
You are watching all bug changes.
Sent via:    Wireshark-bugs mailing list <>

Reply via email to