tcpdump mailing list archives
Re: question about -E parameter decrypting esp packets
From: Michael Richardson <mcr () sandelman ottawa on ca>
Date: Thu, 19 Feb 2009 20:35:04 -0500
"Torsten" == Torsten Krah <tkrah () fachschaft imn htwk-leipzig de> writes:
    Torsten> Hi,
    Torsten> i am facing some problems with my ipsec tunnel and want to
    Torsten> encrypt the real esp traffic going over the wire.
    Torsten> I did succeed only to 50% because a ping looks like this:
    Torsten> IP A > B: ESP(spi=0xf33ec601,seq=0x1dd), length 164
    Torsten> IP B > A: ESP(spi=0x089882f5,seq=0x1e3), length 164
    Torsten> Trying to use -E (using keys from setkey -D) i can
    Torsten> "decrypt" the packet from "B->A", the ping reply.

First, are you capturing the entire packet?

    Torsten> Command used:
    Torsten> Doing a ping to 192.168.96.24 i issue this command:
    Torsten> tcpdump -i eth3 -E "0xf33ec601@192.168.96.24
    Torsten> 0x11cc1dbe3de5cb263ce1bc05cd1811abbce880f34a23a7cc" icmp

Second, are you using "netkey" (built-in kernel IPsec)? If so, then you lose, because they never provided tcpdump hooks for both before and after (and in between) for the layers of the tunnels. You see everything.

tcpdump -E is used extensively by the Openswan KLIPS regression testing system, which is part of every source tree, if you want more examples than are in tcpdump/tests.

--
] Y'avait une poule de jammé dans l'muffler!!!!!!!!! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr () sandelman ottawa on ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
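As an added example (not part of the thread and not tcpdump's own code), the helper below builds the `spi@ip algo:secret` entries that tcpdump(8) expects for -E, one per Security Association since ESP SAs are one-way, checks the key length for the fixed-size ciphers, names the algorithm explicitly (tcpdump otherwise assumes des-cbc), and puts `-s 0` on the command line so the capture holds the whole packet, which is the first thing asked above. The SPIs and 192.168.96.24 come from the thread; the keys and the second address (192.0.2.1) are constructed.

```python
import ipaddress
import re

# Ciphers listed for -E in tcpdump(8); for the two fixed-length ones the key
# size is checked here, the variable-length ones are only name-checked.
KNOWN_ALGOS = {"des-cbc", "3des-cbc", "blowfish-cbc", "rc3-cbc", "cast128-cbc"}
FIXED_KEY_BYTES = {"des-cbc": 8, "3des-cbc": 24}


def esp_secret(spi: int, ip: str, algo: str, key_hex: str) -> str:
    """One 'spi@ip algo:secret' entry for tcpdump -E.
    ESP SAs are one-way: a ping and its reply carry different SPIs and
    need one entry each, keyed by the SA's destination address."""
    if not 0 <= spi <= 0xFFFFFFFF:
        raise ValueError(f"SPI {spi:#x} does not fit in 32 bits")
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    if algo not in KNOWN_ALGOS:
        raise ValueError(f"unknown -E algorithm {algo!r}")
    digits = key_hex[2:] if key_hex.lower().startswith("0x") else key_hex
    if not re.fullmatch(r"([0-9a-fA-F]{2})+", digits):
        raise ValueError("secret must be whole bytes of hex")
    want = FIXED_KEY_BYTES.get(algo)
    if want is not None and len(digits) // 2 != want:
        raise ValueError(f"{algo} needs {want} key bytes, got {len(digits) // 2}")
    # Without a 0x prefix tcpdump reads the secret as ASCII text, so always
    # emit the prefixed form, and always name the algorithm (default: des-cbc).
    return f"{spi:#010x}@{ip} {algo}:0x{digits.lower()}"


def secret_error(spi: int, ip: str, algo: str, key_hex: str) -> str:
    """Return the validation message for a bad entry, or '' if it is valid."""
    try:
        esp_secret(spi, ip, algo, key_hex)
    except ValueError as exc:
        return str(exc)
    return ""


def tcpdump_argv(iface: str, entries: list[str], bpf: str = "icmp") -> list[str]:
    """argv that decrypts every SA in entries; -s 0 keeps whole packets, since
    decryption needs the full ESP payload and older tcpdump truncates by default."""
    return ["tcpdump", "-n", "-s", "0", "-i", iface, "-E", ",".join(entries), bpf]


if __name__ == "__main__":
    # Constructed 3DES keys (24 bytes each) and constructed address for host A.
    a_to_b = esp_secret(0xF33EC601, "192.168.96.24", "3des-cbc", "0x" + "11" * 24)
    b_to_a = esp_secret(0x089882F5, "192.0.2.1", "3des-cbc", "0x" + "22" * 24)
    print(" ".join(tcpdump_argv("eth3", [a_to_b, b_to_a])))
```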
Current thread:
- question about -E parameter decrypting esp packets Torsten Krah (Feb 19)
- Re: question about -E parameter decrypting esp packets Michael Richardson (Feb 19)
- Re: question about -E parameter decrypting esp packets Torsten Krah (Feb 20)
- Re: question about -E parameter decrypting esp packets Arien Vijn (Feb 20)
- Re: question about -E parameter decrypting esp packets Torsten Krah (Feb 20)
- Re: question about -E parameter decrypting esp packets Michael Richardson (Feb 20)
- Re: question about -E parameter decrypting esp packets Torsten Krah (Feb 20)
- Re: question about -E parameter decrypting esp packets Michael Richardson (Feb 19)