tcpdump mailing list archives
issue on decrypting ESP traffic with tcpdump -E option
From: "Enrique Echeverria" <enriqueoctavio () gmail com>
Date: Fri, 2 Feb 2007 11:55:19 -0200
Hi members of this list:

I've had some trouble using tcpdump's -E option, and I would really appreciate it if some of you can help me (I'm sure some of you have dealt with this problem more than once). The issue is as follows:

1.- I have an ESP tunnel between two hosts with public interfaces A.A.A.A and B.B.B.B (host A.A.A.A is mine, the other is not). I'm using ipsec-tools and racoon for raising this tunnel.

2.- I have a local IP a.a.a.a which communicates with a remote IP b.b.b.b through the tunnel A.A.A.A-B.B.B.B. The "little detail" is that the a.a.a.a and A.A.A.A IPs are on the same host, on distinct interfaces. In summary, my host has the following IPs configured: eth0 -> A.A.A.A and eth1:1 -> a.a.a.a. The tunnel communication works perfectly well (my problem arises when I need to capture the unencrypted traffic, as explained in 3).

3.- I need to dump the unencrypted traffic between a.a.a.a and b.b.b.b into a file, so as to show some people a network problem this communication is having.

My OS is Linux Debian 1:3.3.5-13 (sarge), kernel 2.6.8-2-686-smp, and I'm using ipsec-tools and racoon 0.5.2-1 from the stable release. I'm also using tcpdump 3.8.3-5sarge1.

I've done the following tests/captures without any success:

1.- Innocently, I thought that the unencrypted traffic could be captured at eth1:1 on my host, but the OS is smart enough to notice that once decrypted the traffic is "incoming", and it doesn't send it to the network interface (if I execute tcpdump -i eth1:1 b.b.b.b, I capture nothing).

2.- I also tested capturing traffic on the eth0 interface, but was able to capture only "one way" unencrypted traffic (if I execute tcpdump -i eth0 b.b.b.b, I capture only b.b.b.b -> a.a.a.a traffic, but at least unencrypted). I don't know why this happens, but I suppose that the order in which the routing tables, SPD and SAD are applied has something to do with it.....

3.- I'm trying now to decrypt the ESP traffic between A.A.A.A and B.B.B.B using tcpdump's -E option, but without any success (I left this option for last, because I knew it would be troublesome....). I'll explain 3. in more detail:

The tcpdump man page says it must be used as "-E spi@ipaddr algo:secret,...", which seems straightforward, but: first of all, I executed "setkey -D", so as to obtain the correct spi and secret parameters, and I executed tcpdump in the following way: "-E 0xa985fbe5@A.A.A.A 3des-cbc:0xXXXXXXX" (being sure that XXXXXXX is the ESP secret hex value). This gave me a tcpdump syntax error, and the only way to avoid it is replacing the space between both arguments with a ',' (although this space is strictly what I understand must be included, reading the man page): "-E 0xXXXX@A.A.A.A,3des-cbc:0xXXXXXXX". This time, tcpdump runs, but it prints the following error "failed to decode espsecret: 0xa985fbe5@A.A.A.A" and the traffic it captures is totally encrypted.

The curious thing about this is that if I repeat the last one, eliminating the ":" or the "@", tcpdump doesn't print any syntax error, but when the first ESP packet is captured, it prints the "failed to decode espsecret: 0xa985fbe5@A.A.A.A" error, and the traffic is totally encrypted again. I also made sure that I'm running "RFC2406 ESP", as the tcpdump man page says that "RFC1827 ESP" can't be decrypted.... So as to drop the possibility of an IKE key re-negotiation problem, I tested it on two other test Linux boxes with manual keying (without racoon), without success.....

I'm really stuck with this, and it's really important for me so as to demonstrate that some network problems that I'm having are because an application running on b.b.b.b is not working properly (obviously people on the b.b.b.b side said they can't give me a traffic dump.......).

Has any of you successfully decrypted an ESP tunnel???? ... In this case, what have you done???? Has any of you successfully decrypted an ESP tunnel with the tcpdump -E option????.... In this case, what is the exact syntax you used???? Has any of you successfully captured the unencrypted traffic in another way, with the same host configuration I'm using??? ..... In this case, what have you done????

Well, thank you VERY MUCH in advance for reading all my mail; I hope that someone can help me, and hope I can help you in the future also .... this is how this works...

Regards:
Enrique

- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
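The man-page syntax quoted in the post, "-E spi@ipaddr algo:secret,...", carries a space inside a single argument, and the comma separates further entries. Added example (not from the post and not tcpdump's own code): a POSIX shell snippet that builds that argument, shows that the shell splits the unquoted form into two words while the quoted form stays one, and sanity-checks the 3DES key length; the peer address, key and function names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the tcpdump -E argument in
# the man page's "spi@ipaddr algo:secret" form and shows how shell word
# splitting affects it. All values below are constructed placeholders.

# Compose one ESP secret entry: spi@ipaddr algo:secret (space included).
# The comma in the man-page syntax separates ADDITIONAL entries, so a comma
# must not replace the space inside one entry: "spi@ipaddr,algo:secret" is
# two entries, the first of which has no algorithm/secret part at all.
esp_secret_arg() {
    # $1 = SPI (hex), $2 = ESP peer address, $3 = algorithm, $4 = hex key
    printf '%s@%s %s:%s' "$1" "$2" "$3" "$4"
}

# Report how many separate arguments the shell hands to a command.
count_args() {
    echo "$#"
}

# 3DES-CBC uses a 24-byte key, i.e. 48 hex digits after "0x".
# Local sanity check of the key copied out of "setkey -D" before a capture.
hex_key_len_ok() {
    key="${1#0x}"
    [ "${#key}" -eq "$2" ]
}

# Constructed placeholder values (SPI as in the post, address and key fake).
SPI=0xa985fbe5
PEER=192.0.2.1            # stands in for A.A.A.A
ALGO=3des-cbc
KEY=0x000102030405060708090a0b0c0d0e0f1011121314151617

SECRET=$(esp_secret_arg "$SPI" "$PEER" "$ALGO" "$KEY")

# Unquoted: the space splits the value, so -E receives only "spi@ipaddr" and
# "algo:secret" is left over as part of the capture filter expression.
unquoted=$(count_args -E $SECRET)   # 3 words: -E, spi@ipaddr, algo:secret

# Quoted: one argument, exactly what the man-page syntax describes.
quoted=$(count_args -E "$SECRET")   # 2 words: -E, "spi@ipaddr algo:secret"

echo "unquoted word count: $unquoted, quoted word count: $quoted"

# The capture command would then be quoted like this (placeholder interface).
# Note that -E only affects tcpdump's decoded output; -w still writes the
# packets as captured on the wire, i.e. still encrypted.
#   tcpdump -n -i eth0 -E "$SECRET" esp
```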