Privacy Tools Guide

When you connect to a VPN, you trust that your traffic is being encrypted and routed through a secure tunnel. But how can you actually verify that your VPN is doing what it’s supposed to do? While most VPN applications show a “connected” status, they don’t necessarily prove that your data is actually encrypted. This is where tcpdump comes in—a powerful command-line packet analyzer that lets you inspect network traffic in real time and verify that your VPN tunnel is properly encrypting your data.

In this guide, we’ll walk through how to use tcpdump to capture and analyze VPN traffic, interpret the results, and confirm that your sensitive data is truly protected from prying eyes.

What is tcpdump and Why Use It for VPN Verification?

tcpdump is a command-line packet sniffer that has been a staple of network administration and security auditing for decades. Unlike graphical network tools, tcpdump works directly with the raw network packets flowing through your network interfaces, giving you an unfiltered view of what’s actually happening on your network.

When you’re connected to a VPN, your traffic goes through two main stages: first, it’s encrypted and encapsulated within the VPN tunnel (usually WireGuard, OpenVPN, or IPSec protocols), then it travels through your physical network interface to the VPN server. By using tcpdump to examine this traffic, you can verify that:

This level of verification is particularly important for privacy-sensitive activities, journalists working in restrictive environments, or anyone who genuinely needs to verify their VPN is functioning as expected.

Installing tcpdump

Most Unix-like operating systems come with tcpdump pre-installed, but if you need to install it, here are the common methods:

On macOS:

brew install tcpdump

On Debian/Ubuntu:

sudo apt-get update
sudo apt-get install tcpdump

On Fedora/RHEL:

sudo dnf install tcpdump

After installation, verify it works by checking the version:

tcpdump --version

Note that capturing packets often requires root privileges, so you may need to use sudo when running tcpdump commands.

Capturing VPN Traffic with tcpdump

Before you can analyze your VPN traffic, you need to capture it. First, identify your network interfaces:

tcpdump -D

This will list all available network interfaces. Look for your VPN interface—it might appear as something like utun, tun, wg0 (for WireGuard), or ovpn (for OpenVPN).

Capturing on the VPN Interface

To capture traffic specifically on your VPN tunnel interface, use:

sudo tcpdump -i utun0 -w vpn-traffic.pcap

Replace utun0 with your actual VPN interface name. Press Ctrl+C to stop capturing after a few seconds.

Capturing on All Interfaces Simultaneously

If you want to capture on all interfaces to get a complete picture:

sudo tcpdump -i any -w all-traffic.pcap

Capturing with Filtered Output

For real-time viewing with filtering:

# -l makes tcpdump line-buffer its output, so grep sees each packet as it arrives
sudo tcpdump -i any -v -l | grep -i vpn

Analyzing the Captured Traffic

Once you’ve captured some traffic, it’s time to analyze it. The key question is: is the traffic encrypted?

Signs That Your VPN Traffic is Encrypted

When you examine your captured packets, encrypted traffic will show several characteristic signs:

  1. Non-Readable Payload The data portion of the packets should appear as random-looking bytes rather than readable text. If you see plain HTTP requests, email contents, or other readable data, your VPN might not be working correctly.

# Example: viewing captured packets with their payload (-X prints hex and ASCII)
tcpdump -r vpn-traffic.pcap -X | head -20

You should see mostly hexadecimal output or garbled characters in the data section, not plain English text.

  2. VPN Protocol Headers Your packets should contain headers from your VPN protocol. For WireGuard, you’ll see UDP packets on port 51820. For OpenVPN, you’ll see packets on port 1194 (or your configured port) with OpenVPN-specific headers.

  3. Consistent Packet Sizes Encrypted packets often have consistent or semi-consistent sizes due to block cipher padding, whereas plaintext packets vary more randomly.

Using tcpdump with Specific Filters

tcpdump’s filter expressions are incredibly powerful for focused analysis:

Filter by VPN Protocol Port:

# WireGuard (UDP port 51820)
sudo tcpdump -i any port 51820 -v

# OpenVPN (UDP port 1194)
sudo tcpdump -i any port 1194 -v

# IPSec (ESP protocol)
sudo tcpdump -i any esp -v

Filter by Your VPN Server IP:

# First, find your VPN server's public IP (the tunnel endpoint, not the
# private address assigned to your tun/wg interface)
sudo wg show | grep endpoint          # WireGuard: "endpoint: IP:port"
grep '^remote ' /path/to/config       # OpenVPN: the "remote host port" line

# Then filter traffic to that IP
sudo tcpdump -i any host VPN_SERVER_IP -n

Check for DNS Leaks:

# Monitor DNS queries (port 53)
sudo tcpdump -i any port 53 -n

If you see DNS queries going to servers other than your VPN provider’s DNS, you have a DNS leak.
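As an added example (not from the original guide), the two checks above can be automated over tcpdump's text output: one function flags any packet on the physical interface that is not to or from the VPN endpoint, the other flags DNS queries sent to a resolver other than the provider's. The sample lines, the endpoint 203.0.113.5:51820 and the resolver 10.64.0.1 are constructed; the parser assumes `tcpdump -n -i <physical interface>` output.

```shell
#!/bin/sh
# Constructed sample of `sudo tcpdump -n -i eth0` output on the PHYSICAL
# interface while the tunnel is up. Assumed values: VPN endpoint
# 203.0.113.5:51820, provider resolver 10.64.0.1. Lines 3 and 4 are leaks:
# a DNS query to 8.8.8.8 and a TCP SYN to a web server, both outside the tunnel.
SAMPLE='12:00:01.000001 IP 192.168.1.10.51820 > 203.0.113.5.51820: UDP, length 148
12:00:01.000002 IP 203.0.113.5.51820 > 192.168.1.10.51820: UDP, length 92
12:00:01.000003 IP 192.168.1.10.52311 > 8.8.8.8.53: 4711+ A? example.com. (29)
12:00:01.000004 IP 192.168.1.10.44120 > 93.184.216.34.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000005 IP 192.168.1.10.51820 > 203.0.113.5.51820: UDP, length 1280'

# Print every IPv4 packet that is neither to nor from the VPN endpoint.
# On the physical interface any such line is traffic bypassing the tunnel.
# Parses the one-line-per-packet format of `tcpdump -n -i <iface>` (not
# `-i any`, which on recent Linux adds interface and direction columns).
# usage: sudo tcpdump -n -l -i eth0 | leaked_packets VPN_SERVER_IP VPN_PORT
leaked_packets() {
  awk -v ep="$1.$2" '
    $2 == "IP" && $4 == ">" {
      src = $3; dst = $5; sub(/:$/, "", dst)
      if (src != ep && dst != ep) print
    }'
}

# Print the resolver address of every DNS query (port 53) that was not sent
# to the VPN provider DNS, i.e. a DNS leak.
# usage: sudo tcpdump -n -l -i eth0 port 53 | dns_leaks VPN_DNS_IP
dns_leaks() {
  awk -v dns="$1" '
    $2 == "IP" && $4 == ">" {
      dst = $5; sub(/:$/, "", dst)
      n = split(dst, p, ".")                  # last dotted field is the port
      port = p[n]; ip = substr(dst, 1, length(dst) - length(port) - 1)
      if (port == "53" && ip != dns) print ip
    }'
}

# Number of packets in the sample that bypassed the tunnel (expected: 2).
leak_count() {
  printf '%s\n' "$SAMPLE" | leaked_packets 203.0.113.5 51820 | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | leaked_packets 203.0.113.5 51820
printf '%s\n' "$SAMPLE" | dns_leaks 10.64.0.1
```

With a correctly working tunnel, `leaked_packets` on the physical interface should print nothing at all apart from local-network noise such as ARP or DHCP.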

Using Wireshark for Deeper Analysis

While tcpdump is powerful, Wireshark provides a graphical interface that makes packet analysis easier. Wireshark reads the pcap files tcpdump writes, so you can open your captures in it directly:

# Capture and save
sudo tcpdump -i any -w capture.pcap

# Open in Wireshark (if installed)
wireshark capture.pcap

In Wireshark, you can:

Verifying Specific VPN Protocols

Different VPN protocols have different characteristics when analyzed with tcpdump.

WireGuard

WireGuard uses UDP and has a very compact protocol. When capturing WireGuard traffic, you should see:

sudo tcpdump -i any port 51820 -vv -c 10

OpenVPN

OpenVPN can run over TCP or UDP. You’ll see:

sudo tcpdump -i any port 1194 -vv -c 10

IPSec/IKEv2

IPSec traffic can be identified by:

# IKEv2 negotiation
sudo tcpdump -i any port 500 or port 4500 -vv

# ESP encrypted data
sudo tcpdump -i any esp -vv

Common Issues and Troubleshooting

When verifying your VPN with tcpdump, you might encounter some issues:

Issue: Seeing Plaintext Traffic

If you can read HTTP requests, emails, or other plaintext data in your captures while connected to your VPN:

  1. Check if your VPN has a “kill switch” that’s not working
  2. Verify DNS settings are pointing to your VPN provider
  3. Check for split tunneling that might be excluding some traffic
  4. Ensure all applications are using the VPN interface

Issue: No Traffic on VPN Interface

If you’re not seeing any traffic on your VPN interface:

  1. Confirm the interface name (it might be different from what you expect)
  2. Check if your VPN is actually connected
  3. Verify your routing table includes the VPN interface
# Check active network interfaces
ip addr

# Check routing table
ip route

# Check VPN status
sudo wg show # for WireGuard
pgrep -fl openvpn # for OpenVPN: confirm the client process is running (and which config it uses)
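As an added check for step 3 (not part of the original guide): rather than scanning `ip route`, ask the kernel where a packet to a public address would actually leave, which also covers WireGuard setups where wg-quick keeps the default route in a separate policy routing table that plain `ip route` does not show. The sample `ip route get` outputs, the table number and the interface names are constructed.

```shell
#!/bin/sh
# Constructed outputs of `ip route get 1.1.1.1` (any public address works).
# GOOD: a wg-quick setup; the default route lives in policy routing table
# 51820, so it never appears in plain `ip route`, but the lookup still
# resolves to wg0. BAD: the lookup goes straight out of eth0 via the LAN gateway.
GOOD='1.1.1.1 dev wg0 table 51820 src 10.64.3.7 uid 1000'
BAD='1.1.1.1 via 192.168.1.1 dev eth0 src 192.168.1.10 uid 1000'

# Print the outgoing interface of a route lookup (the word after "dev").
route_dev() {
  awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Succeed only if the lookup leaves through the given VPN interface.
# usage: ip route get 1.1.1.1 | via_vpn wg0 && echo "default route is tunnelled"
via_vpn() {
  [ "$(route_dev)" = "$1" ]
}

printf '%s\n' "$GOOD" | via_vpn wg0 && echo "GOOD sample: traffic leaves via the tunnel"
printf '%s\n' "$BAD" | via_vpn wg0 || echo "BAD sample: traffic bypasses the tunnel"
```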

Issue: High Packet Count but No Data Transfer

If you see many packets but no actual data:

  1. This could indicate keepalive packets (normal)
  2. Could mean your VPN tunnel is established but applications aren’t using it
  3. Check if you have routing issues

Security Considerations

When using tcpdump to verify your VPN:

  1. Capture files can contain sensitive data Even if your VPN traffic is encrypted, your captures might contain metadata, DNS queries, or initial handshake information. Delete capture files when done.

  2. Local network visibility On shared networks (coffee shops, hotels), anyone else on the network can potentially see your packets if they’re not properly encrypted through the VPN.

  3. Avoid real-time streaming to untrusted systems Don’t pipe tcpdump output directly to remote servers you don’t control.

Best Practices for Regular VPN Verification

To maintain confidence in your VPN setup:

  1. Initial verification Always verify your VPN is working with tcpdump when first setting up a new VPN provider or configuration.

  2. Periodic checks Run tcpdump captures periodically to ensure nothing has changed in your VPN behavior.

  3. After network changes Verify again after router changes, network configuration updates, or VPN software updates.

  4. After system sleep/wake Some systems don’t properly re-establish VPN connections after waking from sleep—always verify after resuming.

Built by theluckystrike — More at zovo.one