Encapsulation

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Mar 2 02:38:01 CET 2017


On Wed 2017-03-01 16:38:05 -0800, James Wilson wrote:
> Hi,
>
> Just out of curiosity, what does a "wireguard packet" look like on the wire??
>
> I'm guessing:
>
>  Ethernet
>  IP
>  UDP
> |------------------|
> | IP               |
> | WG payload       |
> |------------------|
>
>
> What's in the box is encrypted
>
> Is that right ?? If not, what does it look like?

I believe the cleartext (after decryption) is an actual IP packet, so
everything from layer3 up the stack.


If anyone wants to document this sort of thing explicitly in a useful
way, you might consider writing a wireshark dissector:

  https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html

and you can clone wireshark's source with:

   git clone https://code.wireshark.org/review/wireshark

The simplest thing would be to start with a dissector for the ciphertext
itself, for the few pieces of metadata that are outside the encrypted
packet (see e.g. §5.4.2 of
https://www.wireguard.io/papers/wireguard.pdf).

If you want to get more clever, you could add a mechanism to the
wireguard module to extract session keys, and then make a decryptor
plugin to wireshark. But start with just the ciphertext ;)

      --dkg
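
The ciphertext-only decoding suggested above, as an added stand-alone example (not part of the original message, and not Wireshark or WireGuard project code): it pulls out the fields that sit outside the encrypted packet, which is what a first dissector would display. Message types, sizes and offsets follow the layouts in the WireGuard whitepaper; the struct, the function names and the sample bytes are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Cleartext metadata of one WireGuard UDP payload (struct and names are this example's own). */
struct wg_meta {
    uint8_t  type;      /* 1 initiation, 2 response, 3 cookie reply, 4 transport data */
    uint32_t sender;    /* sender index (types 1, 2) */
    uint32_t receiver;  /* receiver index (types 2, 3, 4) */
    uint64_t counter;   /* nonce counter (type 4) */
    size_t   enc_len;   /* type 4: encrypted IP packet plus 16-byte auth tag */
};

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 0 on success, -1 if buf is not a well-formed WireGuard message. */
int wg_parse(const uint8_t *buf, size_t len, struct wg_meta *m) {
    static const size_t fixed[4] = {0, 148, 92, 64};  /* exact sizes of types 1..3 */
    if (len < 4 || buf[1] || buf[2] || buf[3])        /* reserved bytes must be zero */
        return -1;
    *m = (struct wg_meta){ .type = buf[0] };
    if (m->type >= 1 && m->type <= 3) {
        if (len != fixed[m->type]) return -1;
        if (m->type != 3) m->sender = le32(buf + 4);
        if (m->type != 1) m->receiver = le32(buf + (m->type == 2 ? 8 : 4));
        return 0;
    }
    if (m->type != 4 || len < 32)  /* 16-byte header + at least the 16-byte tag */
        return -1;
    m->receiver = le32(buf + 4);
    m->counter  = (uint64_t)le32(buf + 8) | (uint64_t)le32(buf + 12) << 32;
    m->enc_len  = len - 16;
    return 0;
}

int main(void) {
    /* Constructed sample: keepalive-sized transport message, receiver 0x11223344, counter 5. */
    uint8_t pkt[32] = {4, 0, 0, 0, 0x44, 0x33, 0x22, 0x11, 5};
    struct wg_meta m;
    if (wg_parse(pkt, sizeof pkt, &m) == 0)
        printf("type=%u receiver=0x%08x counter=%llu enc_len=%zu\n",
               (unsigned)m.type, (unsigned)m.receiver, (unsigned long long)m.counter, m.enc_len);
    return 0;
}
```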

