Question about vpn / wireshark

Been reading and watching videos on wireshark the last few days and think that I have a pretty basic understanding of it. I'm currently using securityKISS vpn and I'm given two options to use for different servers in different locations: TCP or UDP. My understanding is that that both are equally secure however UDP transmits less data and will be faster overall than TCP. Is this correct?


When I connect through my vpn via TCP I'm seeing what appears to be a ton of encrypted traffic as seen in the first attachment. When I connect via UDP as seen in the second attachment I'm not seeing any encrypted traffic?? When running either TCP or UDP I cannot see any information (like web sites visited) in the info area of wireshark. When not running the vpn I can see every site I visit in the info area of wireshark.

I'm just curious if the data is being encrypted while using my vpn with UDP? Any info on this would be greatly appreciated!

 

Yes. UDP is faster because it just sends data, and doesn't obsess about its fate. But that's OK, because apps that are sending data through the VPN are keeping track, and will resend lost data. Using TCP for VPNs is slower, because both layers are checking and resending.

What port(s) do you see for the NTP traffic? I suspect that the VPN is using one of the standard NTP ports for UDP, so Wireshark is reporting it as NTP. NTP uses the UDP protocol.

Indeed

If you have connectivity using UDP, and see nothing interpretable in Wireshark, you're probably OK

 

mirimir Thanks for the info!

On my vpn TCP is port 443 and UDP is port 123, looks like (NTP) is also using port 123.

Also when I open wireshark click the capture / interfaces to begin, I want to select the physical wireless adapter correct and not the virtual TAP-Win32 V9 adapter?

.

 

That's what I suspected. The default NTP port is 123. Maybe they're trying to "hide" their VPN from snooping ISPs as time synch

Yes. If you capture on the tap adapter, you'll see unencrypted traffic.

 

mirimir, I think I will use TCP for now, speeds seem a little slower however it is barely noticeable. In your opinion, looking at the first attachment that I posted above (TCP) traffic, does that look like it's being properly encrypted to you?

 

I can't say from just that. Open such a WAN capture in Wireshark, highlight one of the TCP packets, and then select Analyze | Follow TCP Stream. If you don't see anything recognizable, you're probably OK. Do the same for a WAN capture with the VPN not connected. The difference should be obvious.

 

Did what you said (think I did it correctly). I tried analyze - follow the TCP steam with VPN / TCP and saw nothing but thousands of lines of gibberish. Ran the same test for UDP and even Tor and the same results.

Tried it again without VPN or Tor and there were clearly strings of data like:
Host web address, User agent, cookie information etc.

Thanks again for the info!