Traffic inspection


The Network Sniffer is a great troubleshooting tool. You can monitor most interfaces, including the “underlay” interfaces ethX, the overlay interface tun0, and VPN interfaces such as greX and ipsec_vtiX.

The Network Sniffer page includes some basic guidance regarding syntax. In the event your filter expression is malformed, the page will result in an “expression syntax error”.

Linux tcpdump/libpcap Expressions

The Network Sniffer accepts Linux tcpdump/libpcap filter expressions. Almost all qualifiers supported by libpcap are supported by VNS3. For more information, read the official libpcap filter documentation or reach out to our support team at or by email at

When using the Network Sniffer, there are two things to remember:

  • The page does not auto refresh. Once you click Start, be sure to click the refresh button to update your view of the traffic.
  • The interface selection is very important.
    • eth0 - Default network interface. This is where encapsulated IPsec traffic and unencrypted VLAN traffic is visible.
    • tun0 - Overlay Network interface
    • greX - GRE VPN virtual interface
    • ipsec_vtiX - VTI VPN virtual interface

VNS3 Admin Network Sniffer UI


It is useful in troubleshooting an encrypted tunnel to first see if there is normal negotiation and keepalive traffic moving between the two IPsec Peers. This will help you to understand if there is a network connectivity or a firewall issue that prevents the negotiation.

Once a tunnel is negotiated, you can use the Network Sniffer to monitor tunnel traffic, making sure encrypted/encapsulated packets are moving in both directions.

Use the following eth0 filter to do both: host <remote IPsec peer IP>

The result should be some UDP 500 ISAKMP traffic and encrypted IPsec traffic on UDP 4500 or ESP Protocol 50 (NAT-Traversal or Native IPsec, respectively).

When troubleshooting, we recommend setting up a continuous ping down the tunnel with a larger-than-default size specified so that you can be sure the packets you are watching are your pings. To do this you can use the -l argument on Windows and the -s argument on Linux.

VNS3 Admin Network Sniffer Output