Differences between revisions 1 and 2
Revision 1 as of 2019-05-21 16:42:58
Size: 3175
Editor: PeterWu
Comment: Add WireGuard description
Revision 2 as of 2019-05-21 16:46:02
Size: 3223
Editor: PeterWu
Comment: add ToC, fix anchor
Deletions are marked like this. Additions are marked like this.
Line 2: Line 2:

Table of contents:
Line 25: Line 29:
 * Key log filename (wg.keylog_file): The path to the file which contains a list of secrets (see [[#keylog-format|Key Log Format]])  * Key log filename (wg.keylog_file): The path to the file which contains a list of secrets (see [[#Key_Log_Format|Key Log Format]])

Table of contents:

WireGuard (WG)

WireGuard is a VPN protocol.


WireGuard (v1) was initially started by Jason A. Donenfield in 2015 as a Linux kernel module. As of May 2019, it is still in process of being upstreamed. Support for other platforms (macOS, Android, iOS, BSD, and Windows) is provided by a cross-platform wireguard-go implementation.

Protocol dependencies

  • UDP: WireGuard uses UDP as its transport protocol. There is no standard port and typically WireGuard is detected through heuristics.


WireGuard (v1) dissection and decryption support was added in Wireshark 3.0 (Bug 15011).

Work is ongoing to embed decryption secrets in a pcapng file (Bug 15571).

Preference Settings

  • WireGuard static keys (wg.keys): A table of long-term static keys to enable WireGuard peer identification or partial decryption

  • Dissect transport data (wg.dissect_packet): Whether the IP dissector should dissect decrypted transport data.
  • Key log filename (wg.keylog_file): The path to the file which contains a list of secrets (see Key Log Format)

Example capture file

The test suite contains two capture samples:

Screenshot (with decryption keys configured): https://twitter.com/Lekensteyn/status/1027938328203669505

Display Filter

A complete list of WireGuard display filter fields can be found in the display filter reference.

The protocol name is wg.

Capture Filter

To filter WireGuard traffic while capturing, you can use:

  • udp[8:4] >= 0x1000000 and udp[8:4] <= 0x4000000

This filter works like the WireGuard heuristics, it test the first byte for a valid message type (1, 2, 3, or 4), and checks that the next three reserved bytes are zero.

Alternatively if you know the UDP port number, you can filter it like this:

  • udp port 51820

Key Log Format

Decryption can be enabled by supplying a key log file. This text file must follow the following format:

Every line consists of the key type, equals sign ('='), and the base64-encoded 32-byte key with optional spaces before and in between. The key type is one of LOCAL_STATIC_PRIVATE_KEY, REMOTE_STATIC_PUBLIC_KEY, LOCAL_EPHEMERAL_PRIVATE_KEY, or PRESHARED_KEY. This matches the output of extract-handshakes.sh

A PRESHARED_KEY line is linked to a session matched by a previous LOCAL_EPHEMERAL_PRIVATE_KEY line.

Warning: LOCAL_STATIC_PRIVATE_KEY and potentially PRESHARED_KEY are long-term secrets, users SHOULD only store non-production keys, or ensure proper protection of the pcapng file.

WireGuard (last edited 2019-05-21 16:46:02 by PeterWu)