Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Mar 2 02:38:01 CET 2017

On Wed 2017-03-01 16:38:05 -0800, James Wilson wrote:
> Hi,
> Just out of curiosity, how does a "wireguard packet" look like on the wire
> ??
> I'm guessing:
>  Ethernet
>  IP
>  UDP
> |------------------|
> | IP               |
> | WG payload       |
> |------------------|
> What's in the box is encrypted
> Is that right ?? If not, what does it look like?

I believe the cleartext (after decryption) is an actual IP packet, so
everything from layer3 up the stack.

If anyone wants to document this sort of thing explicitly in a useful
way, you might consider writing a wireshark dissector:


and you can clone wireshark's source with:

   git clone https://code.wireshark.org/review/wireshark

The simplest thing would be to start with a dissector for the ciphertext
itself, for the few pieces of metadata that are outside the encrypted
packet (see e.g. §5.4.2 of

If you want to get more clever, you could add a mechanism to the
wireguard module to extract session keys, and then make a decryptor
plugin to wireshark. But start with just the ciphertext ;)
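
As an added example (not part of the original message, and not WireGuard or Wireshark code), here is a minimal standalone C parser for the cleartext metadata that a ciphertext-only dissector would display. The field offsets and message sizes are assumed from the published WireGuard protocol description rather than taken from this post; `wg_meta` and `wg_parse` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Cleartext fields visible on the wire; everything else is ciphertext, keys or MACs. */
struct wg_meta {
    uint8_t  type;      /* 1=initiation 2=response 3=cookie reply 4=transport data */
    int      has_sender, has_receiver, has_counter;
    uint32_t sender;    /* sender's session index */
    uint32_t receiver;  /* receiver's session index */
    uint64_t counter;   /* transport data nonce counter */
    size_t   enc_len;   /* transport data only: encrypted packet plus 16-byte tag */
};

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t le64(const uint8_t *p) { return (uint64_t)le32(p) | (uint64_t)le32(p + 4) << 32; }

/* Returns 0 on success, -1 if the UDP payload is not a well-formed WireGuard message. */
int wg_parse(const uint8_t *b, size_t n, struct wg_meta *m) {
    *m = (struct wg_meta){0};
    if (n < 4 || b[1] || b[2] || b[3]) return -1;   /* 3 reserved bytes must be zero */
    m->type = b[0];
    switch (b[0]) {
    case 1: if (n != 148) return -1;                /* handshake initiation */
        m->has_sender = 1; m->sender = le32(b + 4); return 0;
    case 2: if (n != 92) return -1;                 /* handshake response */
        m->has_sender = 1; m->sender = le32(b + 4);
        m->has_receiver = 1; m->receiver = le32(b + 8); return 0;
    case 3: if (n != 64) return -1;                 /* cookie reply */
        m->has_receiver = 1; m->receiver = le32(b + 4); return 0;
    case 4: if (n < 32) return -1;                  /* 16-byte header + at least the tag */
        m->has_receiver = 1; m->receiver = le32(b + 4);
        m->has_counter = 1; m->counter = le64(b + 8);
        m->enc_len = n - 16; return 0;
    default: return -1;
    }
}

int main(void) {
    /* Constructed sample: empty transport message, receiver 0x11223344, counter 5 */
    uint8_t pkt[32] = {4,0,0,0, 0x44,0x33,0x22,0x11, 5,0,0,0,0,0,0,0};
    struct wg_meta m;
    if (wg_parse(pkt, sizeof pkt, &m) == 0)
        printf("type=%u receiver=0x%08x counter=%llu enc_len=%zu\n",
               m.type, m.receiver, (unsigned long long)m.counter, m.enc_len);
    return 0;
}
```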

