Wireshark mailing list archives

decryption of ESP traffic in wireshark


From: Mark Ryden <markryde () gmail com>
Date: Fri, 19 Nov 2010 16:28:35 +0200

Hi,
I am using Wireshark in the lab and I have a question:
I want to decrypt ESP packets in Wireshark (I mean seeing the IV,
pad, nexthdr, etc.).
I had followed this wiki page:
http://wiki.wireshark.org/ESP_Preferences
and tried without success to decrypt ESP.
I am using Openswan in the lab. The /etc/ipsec.conf I am using and
also the output of setkey -D are below.

So I went according to that page to:
Edit->Preferences->Protocols->Esp.

And there:
I had put the string "aes-cbc" into both Encryption algorithm entries,
and "HMAC-SHA1-96" into both Authentication algorithm entries. I had put
into "Authentication key" #1 and "Authentication key" #2 the string
"pre_shared_key", which is indeed the PSK I am using.
I don't know what to put in "Encryption key" #1 and "Encryption
key" #2. I would appreciate it if anybody can tell me. Also I did not
put anything in #SA1 and #SA2. It seems to me that they are not
mandatory but descriptive. I would appreciate it if somebody can ACK/NACK this.

I tried to view ESP packets, but the only thing I see is the SPI and
sequence number, which is the same as what I saw before applying the
preference settings described above.

I would appreciate it if somebody can tell me what I should do in order
to decrypt ESP traffic.



The output of setkey -D is:

192.168.1.196[4500] 192.168.1.12[4500]
        esp-udp mode=transport spi=1540919598(0x5bd8912e) reqid=16385(0x00004001)
        E: aes-cbc  0214ce04 e5b5cd26 65d15480 d5e0f3d1
        A: hmac-sha1  cc2cc5d0 9670c10d 60a30328 9ccb3ecc c961698e
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: Nov 19 16:00:52 2010   current: Nov 19 16:01:02 2010
        diff: 10(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=3345 refcnt=0
192.168.1.196[4500] 192.168.1.12[4500]
        esp-udp mode=transport spi=2016713180(0x783499dc) reqid=16385(0x00004001)
        E: aes-cbc  7a1e869a 0f9fb90d fcdf8f8d aef33759
        A: hmac-sha1  00bdfb61 6be2346b 4473c363 b0cbc12d 4422edbc
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: Nov 19 16:00:52 2010   current: Nov 19 16:01:02 2010
        diff: 10(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=2 pid=3345 refcnt=0
192.168.1.12[4500] 192.168.1.196[4500]
        esp-udp mode=transport spi=866281280(0x33a26740) reqid=16385(0x00004001)
        E: aes-cbc  506df2d5 1725cc05 22272968 9b2fadf8
        A: hmac-sha1  f747f04e 23e2c6af 6b747e38 bf576329 463337ae
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: Nov 19 16:00:52 2010   current: Nov 19 16:01:02 2010
        diff: 10(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=3 pid=3345 refcnt=0
192.168.1.12[4500] 192.168.1.196[4500]
        esp-udp mode=transport spi=1678932909(0x64127bad) reqid=16385(0x00004001)
        E: aes-cbc  a00c6693 08a294db 368c74fd e99be382
        A: hmac-sha1  3eb66a25 d542c3d0 94e3122b 9f3109dc 2c569d93
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: Nov 19 16:00:52 2010   current: Nov 19 16:01:02 2010
        diff: 10(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=4 pid=3345 refcnt=0
192.168.1.12[4500] 192.168.1.196[4500]
        esp-udp mode=tunnel spi=3509961183(0xd135c1df) reqid=16385(0x00004001)
        E: aes-cbc  770da11e d3c1e803 6d985d83 f12b7c99
        A: hmac-sha1  4e0d15a9 7ee6bf9d d504f77d ff706a8f 7b866b53
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: Nov 19 16:00:45 2010   current: Nov 19 16:01:02 2010
        diff: 17(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=5 pid=3345 refcnt=0
192.168.1.196[4500] 192.168.1.12[4500]
        esp-udp mode=tunnel spi=2711480013(0xa19de6cd) reqid=16385(0x00004001)
        E: aes-cbc  83e20d75 cebc36f8 a46b053f 934a634c
        A: hmac-sha1  e8c55177 f72e568e f940357c b5530369 f0df1bcd
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: Nov 19 16:00:45 2010   current: Nov 19 16:01:02 2010
        diff: 17(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=3345 refcnt=0

ipsec.conf:
===========
# /etc/ipsec.conf - Openswan IPsec configuration file

version 2.0

config setup
        protostack="netkey"
        nat_traversal=yes
        plutodebug="all"
        plutostderrlog=/var/log/pluto.log

conn host-to-host
        type=tunnel
        authby=secret
        left=192.168.1.196
        right=192.168.1.12
        auto=start
        forceencaps=yes


Rgs,
Mark
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
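Worked example, added here and not part of the post or of Wireshark: an ESP decryptor needs the per-SA encryption and authentication keys that IKE derived, which are the hex words on the `E:` and `A:` lines of the `setkey -D` dump, not the PSK itself. The script below parses such a dump (the sample is two SAs copied from the dump in the post) into one record per SA with each key as a single 0x-prefixed hex string, and checks that the key lengths fit the algorithm; the algorithm names are the kernel's and still have to be matched to whatever entries the Wireshark preference dialog offers.

```python
import re

# Sample input copied from the setkey -D dump in the post (two of the six SAs).
SAMPLE = """\
192.168.1.196[4500] 192.168.1.12[4500]
        esp-udp mode=transport spi=1540919598(0x5bd8912e) reqid=16385(0x00004001)
        E: aes-cbc  0214ce04 e5b5cd26 65d15480 d5e0f3d1
        A: hmac-sha1  cc2cc5d0 9670c10d 60a30328 9ccb3ecc c961698e
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
192.168.1.12[4500] 192.168.1.196[4500]
        esp-udp mode=tunnel spi=3509961183(0xd135c1df) reqid=16385(0x00004001)
        E: aes-cbc  770da11e d3c1e803 6d985d83 f12b7c99
        A: hmac-sha1  4e0d15a9 7ee6bf9d d504f77d ff706a8f 7b866b53
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
"""

# "src[port] dst[port]" header line of each SA (port is the NAT-T UDP port here).
ENDPOINT_RE = re.compile(r"^(\S+?)\[\d+\]\s+(\S+?)\[\d+\]\s*$")
# "mode=... spi=<decimal>(<hex>)" on the line after the header.
SPI_RE = re.compile(r"mode=(\w+)\s+spi=\d+\((0x[0-9a-f]+)\)")
# "E: <alg> <8-hex words...>" (encryption) or "A: ..." (authentication).
ALG_RE = re.compile(r"^\s*([EA]):\s+(\S+)\s+((?:[0-9a-f]{8}\s*)+)$")

# Key sizes in bytes that each kernel algorithm name accepts.
EXPECTED_KEY_BYTES = {"aes-cbc": (16, 24, 32), "hmac-sha1": (20,)}

def parse_setkey_dump(text):
    """Return a list of dicts: src, dst, mode, spi, enc_alg/enc_key, auth_alg/auth_key."""
    sas, cur = [], None
    for line in text.splitlines():
        m = ENDPOINT_RE.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = SPI_RE.search(line)
        if m:
            cur["mode"], cur["spi"] = m.group(1), m.group(2)
            continue
        m = ALG_RE.match(line)
        if m:
            kind, alg, words = m.groups()
            key = "0x" + "".join(words.split())  # one hex string, as a decryptor expects
            if kind == "E":
                cur["enc_alg"], cur["enc_key"] = alg, key
            else:
                cur["auth_alg"], cur["auth_key"] = alg, key
    return sas

def check_key_lengths(sa):
    """List the keys whose byte length does not fit the algorithm (empty list = OK)."""
    problems = []
    for alg, key in ((sa.get("enc_alg"), sa.get("enc_key")),
                     (sa.get("auth_alg"), sa.get("auth_key"))):
        if alg in EXPECTED_KEY_BYTES:
            nbytes = (len(key) - 2) // 2  # strip "0x", two hex digits per byte
            if nbytes not in EXPECTED_KEY_BYTES[alg]:
                problems.append(f"{alg}: {nbytes}-byte key")
    return problems

if __name__ == "__main__":
    for sa in parse_setkey_dump(SAMPLE):
        print(sa["src"], "->", sa["dst"], sa["spi"], sa["mode"],
              sa["enc_alg"], sa["enc_key"], sa["auth_alg"], sa["auth_key"],
              check_key_lengths(sa) or "key lengths OK")
```

Each printed record is one inbound or outbound SA; both directions of a tunnel must be entered for Wireshark to decrypt traffic both ways.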