Packet Capture (PCAP)
Debugging encrypted tunnels can be difficult. onetun includes a feature to capture the decrypted IP packets flowing through the virtual interface.
Enabling Capture
Use the --pcap flag (or ONETUN_PCAP env var) to specify an output file.
onetun ... --pcap debug.pcap
Analyzing
The output is a standard libpcap-format file that you can open with Wireshark or tcpdump.
- What you will see: Raw IPv4/IPv6 packets with TCP/UDP payloads.
- What you won't see: The outer WireGuard UDP encryption layer (since capture happens inside the tunnel).
This is extremely useful for verifying routing, checking DNS resolution, or inspecting HTTP traffic that is failing to traverse the tunnel.
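For a quick routing or DNS check without opening Wireshark, the capture can be summarized per flow with a short script. This is an added example, not code from onetun: the function names are hypothetical, and it assumes the file's link type is one of the bare-IP types (101, 228 or 229), which matches the "raw IPv4/IPv6 packets" description above but is not confirmed by this page.

```python
import ipaddress
import struct
from collections import Counter

MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",  # little-endian us / ns
         b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}  # big-endian us / ns
RAW_IP_LINKTYPES = {101, 228, 229}  # LINKTYPE_RAW, LINKTYPE_IPV4, LINKTYPE_IPV6 (assumed)
PROTO = {6: "tcp", 17: "udp"}

def read_packets(stream):
    """Yield packet bytes from a classic libpcap stream (not pcapng)."""
    header = stream.read(24)
    endian = MAGIC.get(header[:4])
    if len(header) < 24 or endian is None:
        raise ValueError("not a classic libpcap file")
    linktype = struct.unpack(endian + "I", header[20:24])[0] & 0xFFFF
    if linktype not in RAW_IP_LINKTYPES:
        raise ValueError(f"link type {linktype} does not carry bare IP packets")
    while len(rec := stream.read(16)) == 16:
        incl_len = struct.unpack(endian + "IIII", rec)[2]
        data = stream.read(incl_len)
        if len(data) == incl_len:  # a record cut off at end of file is dropped
            yield data

def flow_of(pkt):
    """Return (proto, src, sport, dst, dport); None if there is no readable TCP/UDP header."""
    proto, l4 = None, b""
    if len(pkt) >= 20 and 0x45 <= pkt[0] <= 0x4F and not (pkt[6] & 0x1F or pkt[7]):  # skip later fragments
        proto, src, dst, l4 = pkt[9], pkt[12:16], pkt[16:20], pkt[(pkt[0] & 0x0F) * 4:]
    elif len(pkt) >= 40 and pkt[0] >> 4 == 6:  # IPv6 extension headers are not walked
        proto, src, dst, l4 = pkt[6], pkt[8:24], pkt[24:40], pkt[40:]
    if proto not in PROTO or len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return PROTO[proto], str(ipaddress.ip_address(src)), sport, str(ipaddress.ip_address(dst)), dport

def summarize(stream):
    """Count packets per flow so unexpected destinations or unanswered queries stand out."""
    return Counter(f for f in map(flow_of, read_packets(stream)) if f)

def sample_capture():
    """Constructed input (link type 101): two identical DNS queries and one TCP SYN."""
    def ipv4(proto, dst, l4):  # checksum left at 0; nothing here validates it
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                           bytes([10, 0, 0, 2]), bytes(dst)) + l4
    dns = ipv4(17, [10, 0, 0, 1], struct.pack("!HHHH", 40000, 53, 8, 0))
    syn = ipv4(6, [192, 0, 2, 10], struct.pack("!HHIIBBHHH", 40001, 80, 0, 0, 0x50, 2, 65535, 0, 0))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in (dns, dns, syn))
```

On a real capture, call `summarize(open("debug.pcap", "rb"))`; a DNS flow that repeats with no matching reply flow in the opposite direction points at a routing problem inside the tunnel.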