tcpdump mailing list archives
Re: tool for decrypting ESP packets in pcap files
From: "James E. Flemer" <jflemer () uvm edu>
Date: Wed, 03 Sep 2003 19:29:16 -0400
I just pulled the sources from CVS and checked it out. I like that you can have multiple keys, though my notion of SPI@IP had the src and dst IP reversed.
However, that still doesn't quite accomplish what I wanted. All that the -E does is print the decrypted payload to the screen. What I need is for the payload to be decrypted, then moved back to the IP payload start, and to update the IP header with the length and protocol with that from the decrypted payload. Then I need the packet to be reanalyzed. To accomplish this, my tool[1] takes on pcap file and the list of spi+keys and writes a new pcap file that doesn't look like ESP at all. Follow?
Now if I could do this:

    tcpdump -E "file keys" -r encrypted.pcap -w decrypted.pcap
    tcpdump -v -r decrypted.pcap

and see the tcp/udp/icmp etc packets that were previously encrypted then I would have what I need. Instead I do this:

    espdecrypt encrypted.pcap decrypted.pcap keys
    tcpdump -v -r decrypted.pcap

By the way, at the same url[1], is an even more trivial tool pcapconcat, which concatenates two pcap files (it does not merge by time or anything, just simple concatenation).
-James

[1] http://www.cs.rpi.edu/~flemej/freebsd/espdecrypt/

Michael Richardson wrote (PGP trimmed):

Hi James, you should have checked out TCPdump CVS head. There is code to do that already in tcpdump. It really goes to show that I need to get off my ass and do another release. Anyone want to fund someone to do regular tcpdump releases?

] Out and about in Ottawa. hmmm... beer. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr () sandelman ottawa on ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy"); [
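The rewrite James describes above (decrypt the ESP payload, move it to the start of the IP payload, set the IP header's protocol and total length from the ESP trailer, recompute the header checksum, and write a new pcap that no longer looks like ESP), as an added example that is not espdecrypt's or tcpdump's code. It assumes IPv4 transport-mode ESP on Ethernet, no ICV (icv_len=0), and uses ESP NULL encryption (RFC 2410) as a stand-in for the real per-SA cipher so it runs offline; the sample pcap, SPI 0x1000 and 10.0.0.x addresses are constructed.

```python
import struct

ESP = 50  # IPv4 protocol number for ESP
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # constructed, linktype 1 = Ethernet
def ip_checksum(hdr: bytes) -> int:  # RFC 791 one's-complement checksum over an IPv4 header
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF
def null_decrypt(ciphertext: bytes) -> bytes:
    """ESP NULL encryption (RFC 2410); a real tool plugs the SA's AES-CBC/3DES decrypt in here."""
    return ciphertext
def decapsulate(frame: bytes, keys: dict, icv_len: int = 0) -> bytes:
    """Rewrite an Ethernet/IPv4/ESP frame (transport mode) as Ethernet/IPv4/<inner protocol>.
    keys maps (spi, dst_ip_bytes) -> decrypt callable; any other frame is returned unchanged."""
    eth, ip = frame[:14], frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    spi = int.from_bytes(ip[ihl:ihl + 4], "big")
    decrypt = keys.get((spi, ip[16:20])) if ip[9] == ESP else None
    if decrypt is None:
        return frame                                 # not ESP, or no key for this SA
    plain = decrypt(ip[ihl + 8:len(ip) - icv_len])   # strip SPI, sequence number and ICV
    pad_len, next_hdr = plain[-2], plain[-1]         # ESP trailer (RFC 4303)
    inner = plain[:len(plain) - 2 - pad_len]
    hdr = bytearray(ip[:ihl])
    hdr[9] = next_hdr                                # protocol now comes from the trailer
    struct.pack_into("!H", hdr, 2, ihl + len(inner)) # total length shrinks with the ESP gone
    hdr[10:12] = b"\0\0"
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return eth + bytes(hdr) + inner
def rewrite_pcap(data: bytes, keys: dict) -> bytes:
    """Return a new little-endian pcap in which every decryptable ESP record is decapsulated."""
    out, pos = bytearray(data[:24]), 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, caplen, _ = struct.unpack("<IIII", data[pos:pos + 16])
        new = decapsulate(data[pos + 16:pos + 16 + caplen], keys)
        out += struct.pack("<IIII", ts_sec, ts_usec, len(new), len(new)) + new
        pos += 16 + caplen
    return bytes(out)
def build_sample() -> bytes:
    """Constructed pcap: one ESP(NULL) frame, SPI 0x1000, wrapping a 12-byte UDP datagram."""
    udp = struct.pack("!HHHH", 5353, 5353, 12, 0) + b"ping"
    esp = struct.pack("!II", 0x1000, 1) + udp + bytes([1, 2]) + bytes([2, 17])  # pad, pad len, next=UDP
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 1, 0, 64, ESP, 0,
                               bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    struct.pack_into("!H", ip, 10, ip_checksum(bytes(ip)))
    frame = bytes(12) + b"\x08\x00" + bytes(ip) + esp
    return PCAP_HDR + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
KEYS = {(0x1000, bytes([10, 0, 0, 2])): null_decrypt}  # tcpdump-style spi@dst-ip lookup
```

Feeding `rewrite_pcap(open("encrypted.pcap", "rb").read(), KEYS)` to a new file gives a capture that tcpdump -r dissects as plain UDP/TCP/ICMP, which is the re-analysis step -E alone does not provide.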
- This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe