tcpdump mailing list archives

Re: question about -E parameter decrypting esp packets


From: Michael Richardson <mcr () sandelman ottawa on ca>
Date: Thu, 19 Feb 2009 20:35:04 -0500

"Torsten" == Torsten Krah <tkrah () fachschaft imn htwk-leipzig de> writes:
    Torsten> Hi,

    Torsten> I am forcing some problems with my ipsec tunnel and want to
    Torsten> encrypt the real esp traffic going over the wire.

    Torsten> I did succeed only to 50% because a ping looks like this:

    Torsten> IP A > B: ESP(spi=0xf33ec601,seq=0x1dd), length 164
    Torsten> IP B > A: ESP(spi=0x089882f5,seq=0x1e3), length 164

    Torsten> Trying to use -E (using keys from setkey -D) I can
    Torsten> "decrypt" the packet from "B->A", the ping reply.

  First, are you capturing the entire packet?

    Torsten> Command used:

    Torsten> Doing a ping to 192.168.96.24 I issue this command:

    Torsten> tcpdump -i eth3 -E "0xf33ec601@192.168.96.24 0x11cc1dbe3de5cb263ce1bc05cd1811abbce880f34a23a7cc" icmp

  Second, are you using "netkey" (built-in kernel IPsec)?
  If so, then you lose, because they never provided tcpdump hooks for
both before and after (and in between) for the layers of the tunnels.
  You see everything.

  tcpdump -E is used extensively by the Openswan KLIPS regression
testing system, which is part of every source tree, if you want more
examples than are in tcpdump/tests.

-- 
]     Y'avait une poule de jammé dans l'muffler!!!!!!!!!        |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr () sandelman ottawa on ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
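Added example, not code from this thread, from tcpdump or from ipsec-tools: a small Python helper that turns a `setkey -D` dump into the `spi@dst algo:0xkey,...` argument that `tcpdump -E` expects, emitting one entry per SA so that both directions of the tunnel can be decrypted, and refusing cipher names -E does not list rather than letting the des-cbc default apply to a 3DES key. The `setkey -D` layout, the peer address 192.168.96.1 and the second SA's key are assumptions; the sample dump is constructed.

```python
"""Build a tcpdump -E argument from `setkey -D` output (constructed example)."""
import re

# Constructed sample in the ipsec-tools `setkey -D` layout (an assumption;
# compare with your own dump). SPIs and the first key follow the thread,
# the peer 192.168.96.1 and the second key are made up.
SAMPLE_SETKEY_D = """\
192.168.96.1 192.168.96.24
\tesp mode=tunnel spi=4081436161(0xf33ec601) reqid=0(0x00000000)
\tE: 3des-cbc  11cc1dbe 3de5cb26 3ce1bc05 cd1811ab bce880f3 4a23a7cc
\tA: hmac-sha1  00000000 00000000 00000000 00000000 00000000
\tseq=0x000001dd replay=4 flags=0x00000000 state=mature
192.168.96.24 192.168.96.1
\tesp mode=tunnel spi=144278261(0x089882f5) reqid=0(0x00000000)
\tE: 3des-cbc  deadbeef 01234567 89abcdef fedcba98 76543210 0badcafe
\tA: hmac-sha1  00000000 00000000 00000000 00000000 00000000
\tseq=0x000001e3 replay=4 flags=0x00000000 state=mature
"""

# Cipher names the tcpdump man page lists for -E. Anything else is rejected
# here, because an entry without an algorithm silently defaults to des-cbc.
TCPDUMP_ALGOS = {"des-cbc", "3des-cbc", "blowfish-cbc", "rc3-cbc", "cast128-cbc"}

# One ESP SA: "src dst" line, the "esp ... spi=N(0xHEX)" line, the "E:" key line.
SA_RE = re.compile(
    r"^(?P<src>\S+) (?P<dst>\S+)\n"
    r"\tesp .*?spi=\d+\((?P<spi>0x[0-9a-f]+)\).*?\n"
    r"\tE: (?P<algo>\S+)\s+(?P<key>[0-9a-f ]+)\n",
    re.MULTILINE,
)

def parse_esp_sas(dump):
    """Return [(dst, spi, algo, hexkey)] for every ESP SA in the dump."""
    sas = []
    for m in SA_RE.finditer(dump):
        algo = m.group("algo")
        if algo not in TCPDUMP_ALGOS:
            raise ValueError(f"tcpdump -E does not know cipher {algo!r}")
        key = m.group("key").replace(" ", "")   # setkey prints 32-bit groups
        sas.append((m.group("dst"), m.group("spi"), algo, key))
    return sas

def tcpdump_e_arg(dump):
    """Join one 'spi@dst algo:0xkey' entry per SA with commas, as -E wants."""
    return ",".join(f"{spi}@{dst} {algo}:0x{key}"
                    for dst, spi, algo, key in parse_esp_sas(dump))

if __name__ == "__main__":
    # -s 0 captures whole packets; a truncated ESP payload cannot be decrypted.
    print("tcpdump -s 0 -i eth3 -E '" + tcpdump_e_arg(SAMPLE_SETKEY_D) + "' esp")
```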