From: Mike Tancsa <mike@sentex.net> (Sentex Communications)
To: freebsd-questions@freebsd.org
Date: Wed, 05 Mar 2014 16:51:01 -0500
Subject: tcpdump question of ipsec / esp packets

Not sure if this is even possible in tcpdump, but I was hoping I would be able to properly decode the protocol of the encapsulated packets in an ipsec connection.
In my test network, given 2 endpoints, I establish an ipsec tunnel using 3des for the encryption (setkey -D output attached as a text file to preserve formatting). I then send 5 ping packets across the tunnel:

    ping -c 5 -s 500 -p aa 192.168.99.1

I capture the traffic (see tcpdump #1) and all looks as expected. Using the output of setkey and the command

    tcpdump -s0 -nr ipsec.pcap -E "0x0d8f42b8@64.7.139.200 3des-cbc:0x1b80416e2267a721f9dbd835b0edbb3e5929bec673e39c5a,0x013ecf38@64.7.134.1 3des-cbc:0x2b4fd47185d56bef50bf3796ce07b5376317336e9b66550a"

I get what seems to be an incorrect result (see tcpdump #2), as the decoded protocol is messed up. But if I add -x to the args and look at the payload, it does indeed seem to decode the packets correctly (see tcpdump #3), as I see the ping pattern:

    tcpdump -s0 -nr ipsec.pcap -E "0x0d8f42b8@64.7.139.200 3des-cbc:0x1b80416e2267a721f9dbd835b0edbb3e5929bec673e39c5a,0x013ecf38@64.7.134.1 3des-cbc:0x2b4fd47185d56bef50bf3796ce07b5376317336e9b66550a" -x

Am I doing something wrong, or is tcpdump just not capable of decoding the decrypted packet's protocol?
---Mike

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

Attachment: tcpdump-ipsec.txt

64.7.139.200 64.7.134.1
    esp mode=tunnel spi=20893496(0x013ecf38) reqid=16385(0x00004001)
    E: 3des-cbc  2b4fd471 85d56bef 50bf3796 ce07b537 6317336e 9b66550a
    A: hmac-sha1 696dce8a 6b837e69 e16e9591 638f6860 480d4725
    seq=0x00000026 replay=4 flags=0x00000000 state=mature
    created: Mar  5 21:13:51 2014    current: Mar  5 21:14:40 2014
    diff: 49(s)    hard: 28800(s)    soft: 23040(s)
    last: Mar  5 21:14:29 2014    hard: 0(s)    soft: 0(s)
    current: 5168(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 38    hard: 0    soft: 0
    sadb_seq=2 pid=25112 refcnt=2
64.7.134.1 64.7.139.200
    esp mode=tunnel spi=227492536(0x0d8f42b8) reqid=16386(0x00004002)
    E: 3des-cbc  1b80416e 2267a721 f9dbd835 b0edbb3e 5929bec6 73e39c5a
    A: hmac-sha1 79dc70b0 baef9cf4 bd89a02c c8026984 c652730b
    seq=0x00000026 replay=4 flags=0x00000000 state=mature
    created: Mar  5 21:13:51 2014    current: Mar  5 21:14:40 2014
    diff: 49(s)    hard: 28800(s)    soft: 23040(s)
    last: Mar  5 21:14:29 2014    hard: 0(s)    soft: 0(s)
    current: 3952(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 38    hard: 0    soft: 0
    sadb_seq=1 pid=25112 refcnt=1
64.7.134.1 64.7.139.200
    esp mode=tunnel spi=122839746(0x075262c2) reqid=16386(0x00004002)
    E: 3des-cbc  1fafa222 097a66ad dde4d2e4 283e12bf f7f3200a b77bcebf
    A: hmac-sha1 2f0322fc 23882565 6e7a2430 bae3e959 fe64797d
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Mar  5 21:10:03 2014    current: Mar  5 21:14:40 2014
    diff: 277(s)    hard: 28800(s)    soft: 23040(s)
    last:    hard: 0(s)    soft: 0(s)
    current: 0(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 0    hard: 0    soft: 0
    sadb_seq=0 pid=25112 refcnt=1

#tcpdump #1

21:15:23.143805 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x27), length 564
21:15:23.143941 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x27), length 564
21:15:24.143168 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x28), length 564
21:15:24.143292 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x28), length 564
21:15:25.143934 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x29), length 564
21:15:25.144054 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x29), length 564
21:15:26.145602 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x2a), length 564
21:15:26.145718 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x2a), length 564
21:15:27.146664 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x2b), length 564
21:15:27.146791 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x2b), length 564

#tcpdump #2

tcpdump -s0 -nr ipsec.pcap -E "0x0d8f42b8@64.7.139.200 3des-cbc:0x1b80416e2267a721f9dbd835b0edbb3e5929bec673e39c5a,0x013ecf38@64.7.134.1 3des-cbc:0x2b4fd47185d56bef50bf3796ce07b5376317336e9b66550a"
reading from file ipsec.pcap, link-type EN10MB (Ethernet)
capability mode sandbox enabled
21:15:23.143805 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x27), length 564: ip-proto-243 413
21:15:23.143941 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x27), length 564: ip-proto-153 544
21:15:24.143168 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x28), length 564: ip-proto-246 470
21:15:24.143292 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x28), length 564: ip-proto-172 404
21:15:25.143934 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x29), length 564: ip-proto-213 413
21:15:25.144054 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x29), length 564: ip-proto-83 431
21:15:26.145602 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x2a), length 564: ip-proto-98 498
21:15:26.145718 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x2a), length 564: ip-proto-18 353
21:15:27.146664 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x2b), length 564: ip-proto-80 391
21:15:27.146791 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x2b), length 564: ip-proto-111 335

#tcpdump #3

tcpdump -s0 -nr ipsec.pcap -E "0x0d8f42b8@64.7.139.200 3des-cbc:0x1b80416e2267a721f9dbd835b0edbb3e5929bec673e39c5a,0x013ecf38@64.7.134.1 3des-cbc:0x2b4fd47185d56bef50bf3796ce07b5376317336e9b66550a" -x | less
reading from file ipsec.pcap, link-type EN10MB (Ethernet)
capability mode sandbox enabled
21:15:23.143805 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x27), length 564: ip-proto-243 413
        0x0000:  4500 0248 f11c 0000 3e32 f78f 4007 8601
        0x0010:  4007 8bc8 0d8f 42b8 0000 0027 6cd5 c503
        0x0020:  8302 f347 4500 0210 d108 0000 3f01 c45f
        0x0030:  c0a8 0033 c0a8 6301 0800 eb00 04c0 0000
        0x0040:  5317 93ea 0002 213b aaaa aaaa aaaa aaaa
        0x0050:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0060:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0070:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0080:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0090:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00a0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00b0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00c0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00d0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00e0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00f0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0100:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0110:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0120:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0130:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0140:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0150:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0160:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0170:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0180:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0190:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01a0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01b0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01c0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01d0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01e0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01f0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0200:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0210:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0220:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0230:  aaaa aaaa 0102 0304 0506 0604 dde6 fdf1
        0x0240:  3c29 78e8 3506 85f3
21:15:23.143941 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x27), length 564: ip-proto-153 544
        0x0000:  4500 0248 2eda 0000 4032 b7d2 4007 8bc8
        0x0010:  4007 8601 013e cf38 0000 0027 6666 5071
        0x0020:  9e11 c711 4500 0210 2ed9 0000 4001 658f
        0x0030:  c0a8 6301 c0a8 0033 0000 f300 04c0 0000
        0x0040:  5317 93ea 0002 213b aaaa aaaa aaaa aaaa
        0x0050:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0060:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0070:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0080:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0090:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00a0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00b0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00c0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00d0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00e0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x00f0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0100:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0110:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0120:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0130:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0140:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0150:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0160:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0170:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0180:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0190:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01a0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01b0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01c0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01d0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01e0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x01f0:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0200:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0210:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0220:  aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
        0x0230:  aaaa aaaa 0102 0304 0506 0604 4e5b 5adb
        0x0240:  e3d2 ac39 7e6f 0299
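As an added illustration (not part of Mike's post or of tcpdump), the following Python walks the first packet of tcpdump #3 by hand and reads the ESP trailer twice: once ignoring the authentication data, as a cipher-only SA string does, and once skipping the 12-byte HMAC-SHA1-96 ICV that the "A: hmac-sha1" SA appends. It assumes the RFC 4303 trailer layout (padding, pad length, next header, then the ICV) and that the 8 bytes after the ICMP header are ping's timestamp; the byte values all come from the dump above.

```python
import struct
from ipaddress import IPv4Address

# Constructed from the first packet of "tcpdump #3" above (hex copied from the
# post); the 492 identical 0xaa bytes of the ping payload are collapsed into "aa" * 492.
HEX_HEAD = ("4500 0248 f11c 0000 3e32 f78f 4007 8601 4007 8bc8 0d8f 42b8 0000 0027"
            " 6cd5 c503 8302 f347 4500 0210 d108 0000 3f01 c45f c0a8 0033 c0a8 6301"
            " 0800 eb00 04c0 0000 5317 93ea 0002 213b ")
HEX_TAIL = "0102 0304 0506 0604 dde6 fdf1 3c29 78e8 3506 85f3"
PACKET = bytes.fromhex((HEX_HEAD + "aa" * 492 + HEX_TAIL).replace(" ", ""))

IV_LEN = 8       # 3des-cbc block size; tcpdump -x prints the decrypted bytes in place
HMAC96_LEN = 12  # truncated HMAC-SHA1 ICV appended under the "A: hmac-sha1" SA
ESP, ICMP, IPIP = 50, 1, 4

def esp_payload(pkt, icv_len):
    """Peel outer IPv4, ESP header, IV, ESP trailer and icv_len ICV bytes.
    Returns (next_header, inner_bytes). With icv_len=0 the trailer is read from
    the last bytes of the ICV instead, which is what yields "ip-proto-243 413"."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != ESP:
        raise ValueError("outer protocol is not ESP")
    body = pkt[:len(pkt) - icv_len] if icv_len else pkt
    next_hdr, pad_len = body[-1], body[-2]          # RFC 4303 trailer order
    inner = body[ihl + 8 + IV_LEN:len(body) - 2 - pad_len]
    return next_hdr, inner

def decode_tunnel(pkt, icv_len=HMAC96_LEN):
    """Decode outer IP -> ESP -> inner IP -> ICMP echo for a tunnel-mode packet."""
    ihl = (pkt[0] & 0x0F) * 4
    spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
    next_hdr, inner = esp_payload(pkt, icv_len)
    out = {"spi": spi, "seq": seq, "next_header": next_hdr, "inner_len": len(inner)}
    if next_hdr != IPIP:            # not an IPv4-in-ESP tunnel payload; stop here
        return out
    iihl = (inner[0] & 0x0F) * 4
    data = inner[iihl + 8 + 8:]     # past the ICMP header and the 8-byte ping timestamp
    out.update({
        "src": str(IPv4Address(inner[12:16])), "dst": str(IPv4Address(inner[16:20])),
        "proto": inner[9], "icmp_type": inner[iihl],
        "len_field_ok": struct.unpack("!H", inner[2:4])[0] == len(inner),
        "ping_pattern": data == b"\xaa" * 492,
    })
    return out

if __name__ == "__main__":
    print("cipher only :", decode_tunnel(PACKET, 0))   # next_header 243, inner_len 413
    print("hmac-sha1-96:", decode_tunnel(PACKET))      # next_header 4, 528-byte ICMP echo
```

The same arithmetic on the second packet gives next header 0x99 (153) and 544 bytes when the ICV is ignored, matching its tcpdump #2 line, and next header 4 with a 528-byte ICMP echo reply once the 12 ICV bytes are skipped.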