How can you detect IPsec VPN traffic in a capture?


Multiple Choice

How can you detect IPsec VPN traffic in a capture?

Explanation:
IPsec VPN traffic shows up at the IP layer with specific protocol numbers and, for the negotiation phase, on well-known UDP ports. ESP and AH are dedicated IPsec protocols: ESP uses IP protocol number 50 and AH uses IP protocol number 51. If you filter by these protocol numbers, you will see IPsec traffic regardless of what the encapsulated payload is. In addition, the IKE negotiation that establishes IPsec SAs uses ISAKMP over UDP port 500, and when NAT traversal is involved, UDP port 4500 carries the IKE and UDP-encapsulated ESP traffic.

So, filtering for ip.proto == 50 (ESP) or ip.proto == 51 (AH) and looking for IKE negotiation messages on UDP 500/4500 is the right way to detect IPsec VPN traffic in a capture. The other options don't fit because they focus on HTTP, DNS, or ARP, which are unrelated to IPsec VPN traffic.

