Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 05 Mar 2014 16:51:01 -0500
From:      Mike Tancsa <mike@sentex.net>
To:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   tcpdump question of ipsec / esp packets
Message-ID:  <53179C45.3020004@sentex.net>

next in thread | raw e-mail | index | archive | help
This is a multi-part message in MIME format.
--------------070703050407040104060803
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Not sure if this is even possible in tcpdump, but I was hoping I would 
be able to properly decode the protocol of the encapsulated packets in 
an ipsec connection.

In my test network given 2 endpoints, I establish an ipsec tunnel using 
3des for the encryption. (setkey -D output attached as a text file to 
preserve formatting)

I then send 5 ping packets across the tunnel

ping -c 5 -s 500 -p aa 192.168.99.1

I capture the traffic (see tcpdump #1) and all looks as expected


using the output of setkey, and the command

  tcpdump -s0 -nr ipsec.pcap -E "0x0d8f42b8@64.7.139.200 
3des-cbc:0x1b80416e2267a721f9dbd835b0edbb3e5929bec673e39c5a,0x013ecf38@64.7.134.1 
3des-cbc:0x2b4fd47185d56bef50bf3796ce07b5376317336e9b66550a"

I get what seems to be an incorrect result (see tcpdump #2) as the 
decoded protocol is messed up.

But, if I add -x to the args, looking at the payload, it does indeed 
seem to decode the packets correctly (see tcpdump #3) as I see the ping 
pattern.

  tcpdump -s0 -nr ipsec.pcap -E "0x0d8f42b8@64.7.139.200 
3des-cbc:0x1b80416e2267a721f9dbd835b0edbb3e5929bec673e39c5a,0x013ecf38@64.7.134.1 
3des-cbc:0x2b4fd47185d56bef50bf3796ce07b5376317336e9b66550a" -x

Am I doing something wrong, or is tcpdump just not capable to decoding 
the decrypted packet's protocol ?

	---Mike


-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/

--------------070703050407040104060803
Content-Type: text/plain; charset=windows-1252;
 name="tcpdump-ipsec.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="tcpdump-ipsec.txt"

64.7.139.200 64.7.134.1 
        esp mode=tunnel spi=20893496(0x013ecf38) reqid=16385(0x00004001)
        E: 3des-cbc  2b4fd471 85d56bef 50bf3796 ce07b537 6317336e 9b66550a
        A: hmac-sha1  696dce8a 6b837e69 e16e9591 638f6860 480d4725
        seq=0x00000026 replay=4 flags=0x00000000 state=mature 
        created: Mar  5 21:13:51 2014   current: Mar  5 21:14:40 2014
        diff: 49(s)     hard: 28800(s)  soft: 23040(s)
        last: Mar  5 21:14:29 2014      hard: 0(s)      soft: 0(s)
        current: 5168(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 38   hard: 0 soft: 0
        sadb_seq=2 pid=25112 refcnt=2
64.7.134.1 64.7.139.200 
        esp mode=tunnel spi=227492536(0x0d8f42b8) reqid=16386(0x00004002)
        E: 3des-cbc  1b80416e 2267a721 f9dbd835 b0edbb3e 5929bec6 73e39c5a
        A: hmac-sha1  79dc70b0 baef9cf4 bd89a02c c8026984 c652730b
        seq=0x00000026 replay=4 flags=0x00000000 state=mature 
        created: Mar  5 21:13:51 2014   current: Mar  5 21:14:40 2014
        diff: 49(s)     hard: 28800(s)  soft: 23040(s)
        last: Mar  5 21:14:29 2014      hard: 0(s)      soft: 0(s)
        current: 3952(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 38   hard: 0 soft: 0
        sadb_seq=1 pid=25112 refcnt=1
64.7.134.1 64.7.139.200 
        esp mode=tunnel spi=122839746(0x075262c2) reqid=16386(0x00004002)
        E: 3des-cbc  1fafa222 097a66ad dde4d2e4 283e12bf f7f3200a b77bcebf
        A: hmac-sha1  2f0322fc 23882565 6e7a2430 bae3e959 fe64797d
        seq=0x00000000 replay=4 flags=0x00000000 state=mature 
        created: Mar  5 21:10:03 2014   current: Mar  5 21:14:40 2014
        diff: 277(s)    hard: 28800(s)  soft: 23040(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=25112 refcnt=1


#tcpdump #1

21:15:23.143805 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x27), length 564
21:15:23.143941 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x27), length 564
21:15:24.143168 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x28), length 564
21:15:24.143292 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x28), length 564
21:15:25.143934 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x29), length 564
21:15:25.144054 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x29), length 564
21:15:26.145602 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x2a), length 564
21:15:26.145718 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x2a), length 564
21:15:27.146664 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x2b), length 564
21:15:27.146791 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x2b), length 564


#tcpdump #2
tcpdump -s0 -nr ipsec.pcap -E "0x0d8f42b8@64.7.139.200 3des-cbc:0x1b80416e2267a721f9dbd835b0edbb3e5929bec673e39c5a,0x013ecf38@64.7.134.1 3des-cbc:0x2b4fd47185d56bef50bf3796ce07b5376317336e9b66550a"
reading from file ipsec.pcap, link-type EN10MB (Ethernet)
capability mode sandbox enabled
21:15:23.143805 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x27), length 564:  ip-proto-243 413
21:15:23.143941 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x27), length 564:  ip-proto-153 544
21:15:24.143168 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x28), length 564:  ip-proto-246 470
21:15:24.143292 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x28), length 564:  ip-proto-172 404
21:15:25.143934 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x29), length 564:  ip-proto-213 413
21:15:25.144054 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x29), length 564:  ip-proto-83 431
21:15:26.145602 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x2a), length 564:  ip-proto-98 498
21:15:26.145718 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x2a), length 564:  ip-proto-18 353
21:15:27.146664 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x2b), length 564:  ip-proto-80 391
21:15:27.146791 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x2b), length 564:  ip-proto-111 335


#tcpdump #3
 tcpdump -s0 -nr ipsec.pcap -E "0x0d8f42b8@64.7.139.200 3des-cbc:0x1b80416e2267a721f9dbd835b0edbb3e5929bec673e39c5a,0x013ecf38@64.7.134.1 3des-cbc:0x2b4fd47185d56bef50bf3796ce07b5376317336e9b66550a" -x | less
reading from file ipsec.pcap, link-type EN10MB (Ethernet)
capability mode sandbox enabled
21:15:23.143805 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x27), length 564:  ip-proto-243 413
        0x0000:  4500 0248 f11c 0000 3e32 f78f 4007 8601
        0x0010:  4007 8bc8 0d8f 42b8 0000 0027 6cd5 c503
        0x0020:  8302 f347 4500 0210 d108 0000 3f01 c45f
        0x0030:  c0a8 0033 c0a8 6301 0800 eb00 04c0 0000
        0x0040:  5317 93ea 0002 213b aaaa aaaa aaaa aaaa
        0x0050:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0060:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0070:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0080:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0090:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00a0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00b0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00c0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00d0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00e0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00f0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0100:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0110:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0120:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0130:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0140:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0150:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0160:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0170:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0180:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0190:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01a0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01b0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01c0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01d0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01e0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01f0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0200:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0210:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0220:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0230:  aaaa aaaa 0102 0304 0506 0604 dde6 fdf1
        0x0240:  3c29 78e8 3506 85f3
21:15:23.143941 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x27), length 564:  ip-proto-153 544
        0x0000:  4500 0248 2eda 0000 4032 b7d2 4007 8bc8
        0x0010:  4007 8601 013e cf38 0000 0027 6666 5071
        0x0020:  9e11 c711 4500 0210 2ed9 0000 4001 658f
        0x0030:  c0a8 6301 c0a8 0033 0000 f300 04c0 0000
        0x0040:  5317 93ea 0002 213b aaaa aaaa aaaa aaaa
        0x0050:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0060:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0070:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0080:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0090:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00a0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00b0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00c0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00d0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00e0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00f0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0100:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0110:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0120:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0130:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0140:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0150:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0160:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0170:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0180:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0190:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01a0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01b0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01c0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01d0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01e0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01f0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0200:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0210:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0220:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0230:  aaaa aaaa 0102 0304 0506 0604 4e5b 5adb
        0x0240:  e3d2 ac39 7e6f 0299



--------------070703050407040104060803--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?53179C45.3020004>