Date: Thu, 06 Mar 2014 16:53:30 -0500 From: Mike Tancsa <mike@sentex.net> To: freebsd-questions <freebsd-questions@freebsd.org> Subject: Re: tcpdump question of ipsec / esp packets Message-ID: <5318EE5A.40207@sentex.net> In-Reply-To: <53179C45.3020004@sentex.net> References: <53179C45.3020004@sentex.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On 3/5/2014 4:51 PM, Mike Tancsa wrote:
> Not sure if this is even possible in tcpdump, but I was hoping I would
> be able to properly decode the protocol of the encapsulated packets in
> an ipsec connection.
Not sure its doable with tcpdump, but tshark seems to work. Here are
the steps I used
On FreeBSD, make sure you grab a copy of setkey -D at the time of the
pcap as you will need the encryption keys being currently used (not the psk)
install wireshark/tshark (I use the command line)
in your home directory,
mkdir .wireshark
tshark -G defaultprefs > .wireshark/preferences
edit the file preferences,
# Attempt to decode based on the SAD described hereafter.
# TRUE or FALSE (case-insensitive).
-#esp.enable_encryption_decode: FALSE
+esp.enable_encryption_decode: TRUE
In the same directory, create the file esp_sa based on the output of
setkey -D at the time of the pcap.
"IPv4","64.7.139.200","64.7.134.1","0x013ecf38","TripleDES-CBC
[RFC2451]","0x2b4fd47185d56bef50bf3796ce07b5376317336e9b66550a","HMAC-SHA-1-96
[RFC2404]","0x696dce8a6b837e69e16e9591638f6860480d4725"
"IPv4","64.7.134.1","64.7.139.200","0x0d8f42b8","TripleDES-CBC
[RFC2451]","0x1b80416e2267a721f9dbd835b0edbb3e5929bec673e39c5a","HMAC-SHA-1-96
[RFC2404]","0x79dc70b0baef9cf4bd89a02cc8026984c652730b"
"IPv4","64.7.134.1","64.7.139.200","0x075262c2","TripleDES-CBC
[RFC2451]","0x1fafa222097a66addde4d2e4283e12bff7f3200ab77bcebf","HMAC-SHA-1-96
[RFC2404]","0x2f0322fc238825656e7a2430bae3e959fe64797d"
Note, if you are unsure of the format, you can use the GUI version of
wireshark to generate esp_sa
Then just
tshark -s0 -r ipsec.pcap
1 0.000000 192.168.0.51 -> 192.168.99.1 ICMP 598 Echo (ping)
request id=0x04c0, seq=0/0, ttl=63
2 0.000136 192.168.99.1 -> 192.168.0.51 ICMP 598 Echo (ping) reply
id=0x04c0, seq=0/0, ttl=64
3 0.999363 192.168.0.51 -> 192.168.99.1 ICMP 598 Echo (ping)
request id=0x04c0, seq=1/256, ttl=63
4 0.999487 192.168.99.1 -> 192.168.0.51 ICMP 598 Echo (ping) reply
id=0x04c0, seq=1/256, ttl=64
5 2.000129 192.168.0.51 -> 192.168.99.1 ICMP 598 Echo (ping)
request id=0x04c0, seq=2/512, ttl=63
6 2.000249 192.168.99.1 -> 192.168.0.51 ICMP 598 Echo (ping) reply
id=0x04c0, seq=2/512, ttl=64
7 3.001797 192.168.0.51 -> 192.168.99.1 ICMP 598 Echo (ping)
request id=0x04c0, seq=3/768, ttl=63
8 3.001913 192.168.99.1 -> 192.168.0.51 ICMP 598 Echo (ping) reply
id=0x04c0, seq=3/768, ttl=64
9 4.002859 192.168.0.51 -> 192.168.99.1 ICMP 598 Echo (ping)
request id=0x04c0, seq=4/1024, ttl=63
10 4.002986 192.168.99.1 -> 192.168.0.51 ICMP 598 Echo (ping) reply
id=0x04c0, seq=4/1024, ttl=64
This is rendered moot if you have device enc compiled into your kernel.
However, this was not possible on the one ipsec server endpoint I was
working on.
keywords for the search engines: ipsec esp decrypt tcpdump tshark
wireshark freebsd
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5318EE5A.40207>