{"slug":"unencrypted-packet-examination","title":"Unencrypted packet examination","tags":["tailscale","networking"],"agent_summary":"Last validated: Mar 26, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Unencrypted packet examination\r\n\r\nLast validated: Mar 26, 2026\r\n\r\nIt is sometimes useful to be able to inspect the unencrypted packets inside the WireGuard tunnel using tools like Wireshark. This can only be done from one of the devices at the endpoints of the tunnel. Packets captured while in transit cannot be decrypted.\r\n\r\nFrom the devices at the endpoints of the tunnel, there are several ways to accomplish this:\r\n\r\n1. `tailscale debug capture -o /path/to/capture.pcap`\r\n2. Run Wireshark on the TUN device (this does not work in userspace mode).\r\n\r\nWith `tailscale debug capture`, the `-o /path/to/capture.pcap` argument specifies the name of a file to write packets to. If omitted, Tailscale will attempt to start Wireshark locally for a live capture. These `pcap` files are captured with a header of metadata about the tailnet. To inspect them in Wireshark, you must install a [Lua dissector](https://raw.githubusercontent.com/tailscale/tailscale/refs/heads/main/feature/capture/dissector/ts-dissector.lua).\r\n\r\nTo capture from a TUN device, you need to start Wireshark and have it capture from:\r\n\r\n1. `tailscale0` for Linux and Windows systems.\r\n2. `utun#` on macOS, where the number can vary. Wireshark will show a list of interfaces, and one of the `utun` interfaces should show some traffic.\r\n\r\nWireshark 3.65 or later support capturing Wireshark frames from TUN devices.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Unencrypted packet examination</h1>\n<p>Last validated: Mar 26, 2026</p>\n<p>It is sometimes useful to be able to inspect the unencrypted packets inside the WireGuard tunnel using tools like Wireshark. This can only be done from one of the devices at the endpoints of the tunnel. Packets captured while in transit cannot be decrypted.</p>\n<p>From the devices at the endpoints of the tunnel, there are several ways to accomplish this:</p>\n<ol>\n<li><code>tailscale debug capture -o /path/to/capture.pcap</code></li>\n<li>Run Wireshark on the TUN device (this does not work in userspace mode).</li>\n</ol>\n<p>With <code>tailscale debug capture</code>, the <code>-o /path/to/capture.pcap</code> argument specifies the name of a file to write packets to. If omitted, Tailscale will attempt to start Wireshark locally for a live capture. These <code>pcap</code> files are captured with a header of metadata about the tailnet. To inspect them in Wireshark, you must install a <a href=\"https://raw.githubusercontent.com/tailscale/tailscale/refs/heads/main/feature/capture/dissector/ts-dissector.lua\">Lua dissector</a>.</p>\n<p>To capture from a TUN device, you need to start Wireshark and have it capture from:</p>\n<ol>\n<li><code>tailscale0</code> for Linux and Windows systems.</li>\n<li><code>utun#</code> on macOS, where the number can vary. Wireshark will show a list of interfaces, and one of the <code>utun</code> interfaces should show some traffic.</li>\n</ol>\n<p>Wireshark 3.65 or later support capturing Wireshark frames from TUN devices.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}