tcpdump question about a WireGuard connection

noobhacker

Cadet 2nd Year
Joined
Sep. 2023
Posts
18
Hi,

I recently mounted two NFS shares over WireGuard on a server. It works fine, but I have a question about a tcpdump taken on the WireGuard interface. Shouldn't I only be seeing encrypted UDP traffic here? Instead, all I see is:

Code:
Frame 92: 52 bytes on wire (416 bits), 52 bytes captured (416 bits)
    Encapsulation type: Raw IP (7)
    Arrival Time: Aug 17, 2024 05:33:34.912023000 CEST
    UTC Arrival Time: Aug 17, 2024 03:33:34.912023000 UTC
    Epoch Arrival Time: 1723865614.912023000
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 0.000521000 seconds]
    [Time delta from previous displayed frame: 0.000521000 seconds]
    [Time since reference or first frame: 0.046228000 seconds]
    Frame Number: 92
    Frame Length: 52 bytes (416 bits)
    Capture Length: 52 bytes (416 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: raw:ip:tcp]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Raw packet data
Internet Protocol Version 4, Src: 100.109.61.xx, Dst: 100.116.xx.93
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 52
    Identification: 0xfc44 (64580)
    010. .... = Flags: 0x2, Don't fragment
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 64
    Protocol: TCP (6)
    Header Checksum: 0x64f6 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 100.109.61.xx
    Destination Address: 100.116.xx.93
Transmission Control Protocol, Src Port: 999, Dst Port: 2049, Seq: 1, Ack: 235777, Len: 0
    Source Port: 999
    Destination Port: 2049
    [Stream index: 0]
    [Conversation completeness: Incomplete (12)]
    [TCP Segment Len: 0]
    Sequence Number: 1    (relative sequence number)
    Sequence Number (raw): 528572079
    [Next Sequence Number: 1    (relative sequence number)]
    Acknowledgment Number: 235777    (relative ack number)
    Acknowledgment number (raw): 655115925
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x010 (ACK)
    Window: 596
    [Calculated window size: 596]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0xc88a [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
    [Timestamps]

plain TCP traffic, and in part also NFS:

Code:
Frame 298: 252 bytes on wire (2016 bits), 252 bytes captured (2016 bits)
    Encapsulation type: Raw IP (7)
    Arrival Time: Aug 17, 2024 05:33:34.966256000 CEST
    UTC Arrival Time: Aug 17, 2024 03:33:34.966256000 UTC
    Epoch Arrival Time: 1723865614.966256000
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 0.000226000 seconds]
    [Time delta from previous displayed frame: 0.000226000 seconds]
    [Time since reference or first frame: 0.100461000 seconds]
    Frame Number: 298
    Frame Length: 252 bytes (2016 bits)
    Capture Length: 252 bytes (2016 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: raw:ip:tcp:rpc:nfs]
    [Coloring Rule Name: TCP]
    [Coloring Rule String: tcp]
Raw packet data
Internet Protocol Version 4, Src: 100.109.61.xx, Dst: 100.116.xx.93
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 252
    Identification: 0xfcb0 (64688)
    010. .... = Flags: 0x2, Don't fragment
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 64
    Protocol: TCP (6)
    Header Checksum: 0x63c2 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 100.109.61.xx
    Destination Address: 100.116.xx.93
Transmission Control Protocol, Src Port: 999, Dst Port: 2049, Seq: 401, Ack: 502509, Len: 200
    Source Port: 999
    Destination Port: 2049
    [Stream index: 0]
    [Conversation completeness: Incomplete (12)]
    [TCP Segment Len: 200]
    Sequence Number: 401    (relative sequence number)
    Sequence Number (raw): 528572479
    [Next Sequence Number: 601    (relative sequence number)]
    Acknowledgment Number: 502509    (relative ack number)
    Acknowledgment number (raw): 655382657
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x018 (PSH, ACK)
    Window: 596
    [Calculated window size: 596]
    [Window size scaling factor: -1 (unknown)]
    Checksum: 0x88a6 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
    [Timestamps]
    [SEQ/ACK analysis]
    TCP payload (200 bytes)
Remote Procedure Call, Type:Call XID:0x7872dede
    Fragment header: Last fragment, 196 bytes
    XID: 0x7872dede (2020794078)
    Message Type: Call (0)
    RPC Version: 2
    Program: NFS (100003)
    Program Version: 4
    Procedure: COMPOUND (1)
    [The reply to this request is in frame 331]
    Credentials
    Verifier
Network File System, Ops(3): SEQUENCE, PUTFH, READ
    [Program Version: 4]
    [V4 Procedure: COMPOUND (1)]
    Tag: <EMPTY>
    minorversion: 2
    Operations (count: 3): SEQUENCE, PUTFH, READ
    [Main Opcode: READ (25)]

According to tailscale status, the Tailscale connection between the peers is direct, so no DERP servers are in use that could explain this. Am I expecting to see the wrong thing? Why don't I see encrypted WireGuard traffic at this point?
 
Run the tcpdump on the physical interface instead; there you should see it encrypted.
 
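To make the reply concrete, here is an added example (not from the thread) in Python that parses two constructed packets: the decrypted inner IP packet as a capture on the tunnel interface presents it (raw IP with no link layer, hence "Encapsulation type: Raw IP" in the dumps above), and the same packet as the physical NIC carries it, wrapped in UDP as a WireGuard transport-data message (type 4). The tunnel interface name (tailscale0 or wg0), the addresses, the receiver index, the counter and the stand-in ciphertext are assumptions.

```python
import socket
import struct
WG_TRANSPORT_DATA = 4  # WireGuard message type for encrypted data packets

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left zero because we only parse, never send.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0xfc44, 0x4000,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def tcp_header(sport, dport, seq, ack, flags):
    # 20-byte TCP header without options, window 596 as in the thread's dump
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 596, 0, 0)

def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)

def wireguard_transport(receiver, counter, ciphertext):
    # Transport-data message: type, 3 reserved bytes, receiver index, nonce counter, opaque payload
    return struct.pack("<BxxxIQ", WG_TRANSPORT_DATA, receiver, counter) + ciphertext

def describe(pkt):
    """Decode what a capture shows of an IPv4 packet: inner TCP or outer UDP/WireGuard."""
    ihl = (pkt[0] & 0x0F) * 4
    info = {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20])}
    body = pkt[ihl:]
    sport, dport = struct.unpack("!HH", body[:4])
    if pkt[9] == 6:  # TCP: application ports and flags are visible, as on tailscale0/wg0
        info.update(proto="tcp", sport=sport, dport=dport, flags=body[13])
    elif pkt[9] == 17:  # UDP: on the physical NIC only the WireGuard envelope is visible
        info.update(proto="udp", sport=sport, dport=dport)
        payload = body[8:]
        if len(payload) >= 16 and payload[0] == WG_TRANSPORT_DATA and payload[1:4] == b"\0\0\0":
            receiver, counter = struct.unpack("<IQ", payload[4:16])
            info.update(wireguard="transport data", receiver=receiver, counter=counter,
                        opaque_bytes=len(payload) - 16)
    return info

# Constructed samples (not real captures): the inner packet mirrors frame 92 from the
# thread (TCP 999 -> 2049, ACK) with placeholder addresses for the redacted octets.
INNER = ipv4_header("100.109.61.1", "100.116.1.93", 6, 20) + \
        tcp_header(999, 2049, 528572079, 655115925, 0x10)
# Stand-in for the ChaCha20-Poly1305 output (plaintext length + 16-byte tag); not real encryption.
CIPHERTEXT = bytes(range(len(INNER) + 16))
WG_MSG = wireguard_transport(0x1234ABCD, 42, CIPHERTEXT)
OUTER = ipv4_header("192.0.2.10", "198.51.100.20", 17, 8 + len(WG_MSG)) + \
        udp_header(41641, 41641, len(WG_MSG)) + WG_MSG  # 41641: Tailscale's default WireGuard port

if __name__ == "__main__":
    print("tunnel interface sees:", describe(INNER))
    print("physical interface sees:", describe(OUTER))
```

The tunnel-side result exposes the NFS port 2049 and the TCP flags; the physical-side result exposes only the endpoints, UDP ports and the WireGuard envelope, which is the split the reply describes.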