https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15011

--- Comment #19 from Peter Wu <pe...@lekensteyn.nl> ---
The dissector supports two modes:
1. Peer identification based on the static public key.
2. Full decryption using a key log file.

For (1), simply configure the "WireGuard static keys" protocol preference. This
also works if you are passively observing without access to either endpoint.

To play with (2) decryption, you will have to capture keys on an endpoint:

    # Preparation, "make" must be run after every kernel/WireGuard update
    git clone https://git.zx2c4.com/WireGuard
    cd WireGuard/contrib/examples/extract-handshakes
    make
    # Actual continuous key extraction. Press Ctrl-C to abort
    sudo ./extract-handshakes.sh > ~/wireguard.keys

Once the key extraction is set up, you can bring up your WireGuard interface
and start capturing from your default interface (for example, "eth0" or
"wlan0"). That will reveal the "encrypted" WireGuard UDP packets on the wire.
If you capture from the "wg0" interface, it will reveal the plaintext packets
within the tunnel.

To configure the key file, right-click on a WireGuard packet. Go to Protocol
Preferences -> Key log filename. Select the wireguard.keys file created before.
You can also start Wireshark directly with the right keys:

    wireshark -i eth0 -k -owg.keylog_file:$HOME/wireguard.keys

Tips:
- The display filter "wg" restricts the packet list to the WireGuard protocol.
- To follow a session across IP changes, right-click "Stream Index" and choose
  "Apply as Filter" -> Selected. This will set a filter like "wg.stream == 1".

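An added example, not part of the original comment and not Wireshark or WireGuard code: a sanity check for the key log written in mode (2) before it is loaded into Wireshark. The `KEY_TYPE = base64` line format and the four entry names are assumed from Wireshark's WireGuard key log format, which this page does not spell out; the keys in `demo()` are constructed dummies.

```python
import base64, os, re, stat, tempfile

# Entry names assumed from Wireshark's WireGuard key log format; the page does not list them.
KEY_TYPES = ("LOCAL_STATIC_PRIVATE_KEY", "REMOTE_STATIC_PUBLIC_KEY",
             "LOCAL_EPHEMERAL_PRIVATE_KEY", "PRESHARED_KEY")
LINE_RE = re.compile(r"^\s*([A-Z_]+)\s*=\s*(\S+)\s*$")

def check_keylog(path):
    """Return (entries per key type, problems found) for one key log file."""
    counts = dict.fromkeys(KEY_TYPES, 0)
    problems = []
    # The log holds private keys; a shell redirect creates it with the default umask.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:04o} grants group/other access; chmod 600")
    with open(path, encoding="ascii", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if not line.strip():
                continue
            m = LINE_RE.match(line)
            if not m or m.group(1) not in KEY_TYPES:
                problems.append(f"line {lineno}: unrecognised entry")
                continue
            try:
                raw = base64.b64decode(m.group(2), validate=True)
            except ValueError:  # bad alphabet or padding
                raw = b""
            if len(raw) != 32:  # WireGuard keys are 32 bytes
                problems.append(f"line {lineno}: {m.group(1)} is not a 32-byte base64 key")
                continue
            counts[m.group(1)] += 1
    return counts, problems

def demo():
    """Run the check on a constructed key log (dummy keys, one truncated entry)."""
    keys = [base64.b64encode(bytes([b]) * 32).decode() for b in (1, 2, 3)]
    sample = (f"LOCAL_STATIC_PRIVATE_KEY = {keys[0]}\n"
              f"REMOTE_STATIC_PUBLIC_KEY = {keys[1]}\n"
              f"LOCAL_EPHEMERAL_PRIVATE_KEY = {keys[2][:20]}\n"
              "handshake complete\n")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wireguard.keys")
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        return check_keylog(path)

if __name__ == "__main__":
    print(demo())
```

The file written by the redirect in the extraction step contains the endpoint's private keys, so the permission finding matters as much as the format findings.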