tcpdump mailing list archives
Re: tool for decrypting ESP packets in pcap files
From: Michael Richardson <mcr () sandelman ottawa on ca>
Date: Thu, 04 Sep 2003 20:42:53 -0400
-----BEGIN PGP SIGNED MESSAGE-----
"James" == James E Flemer <jflemer () uvm edu> writes:
    James> I just pulled the sources from CVS and checked it out. I like
    James> that you can have multiple keys, tho my notion of SPI@IP had
    James> the src and dst IP reversed.

maybe we can agree on the same format, perhaps even the same code to
parse the file?

    James> list of spi+keys and writes a new pcap file that doesn't look like
    James> ESP at all. Follow?

    James> Now if I could do this:

    James> tcpdump -E "file keys" -r encrypted.pcap -w decrypted.pcap
    James> tcpdump -v -r decrypted.pcap

I see... You want to remove the encapsulation.

That might be generally useful as a general tool - not tcpdump, itself,
but a new tool. "ipdecap"

It could remove all sorts of encapsulation, ipip, gre, l2tp, etc.

I use tcpdump -E like this in FreeSWAN testing to produce output like:

192.1.2.23 > 192.1.2.45: ESP(spi=0x12345678,seq=0x1): 192.0.2.1 > 192.0.1.1: icmp: echo request (DF) (ipip-proto-4)
192.1.2.23 > 192.1.2.45: ESP(spi=0x12345678,seq=0x2): 192.0.2.1 > 192.0.1.1: icmp: echo request (DF) (ipip-proto-4)
192.1.2.23 > 192.1.2.45: ESP(spi=0x12345678,seq=0x3): 192.0.2.1 > 192.0.1.1: icmp: echo request (DF) (ipip-proto-4)
192.1.2.23 > 192.1.2.45: ESP(spi=0x12345678,seq=0x4): 192.0.2.1 > 192.0.1.1: icmp: echo request (DF) (ipip-proto-4)
192.1.2.23 > 192.1.2.45: ESP(spi=0x12345678,seq=0x5): 192.0.2.1 > 192.0.1.1: icmp: echo request (DF) (ipip-proto-4)
192.1.2.23 > 192.1.2.45: ESP(spi=0x12345678,seq=0x6): 192.0.2.1 > 192.0.1.1: icmp: echo request (DF) (ipip-proto-4)
192.1.2.23 > 192.1.2.45: ESP(spi=0x12345678,seq=0x7): 192.0.2.1 > 192.0.1.1: icmp: echo request (DF) (ipip-proto-4)
192.1.2.23 > 192.1.2.45: ESP(spi=0x12345678,seq=0x8): 192.0.2.1 > 192.0.1.1: icmp: echo request (DF) (ipip-proto-4)

Which I check against what I expected to get. If I used the pcapdecap,
then I guess I could test against the original input, but then I might
lose testing for seq=, etc...
    James> By the way, at the same url[1], is an even more trivial tool
    James> pcapconcat, which concatenates two pcap files (it does not merge
    James> by time or anything, just simple concatenation).

Oh, that would be good to have in the tcpsplice directory!

]       Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr () sandelman ottawa on ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys - custom hacks make this fully PGP2 compat

iQCVAwUBP1fcDIqHRg3pndX9AQGYSwP/XjqBSO2kbawuPVA295URxLiYhkH5R9r1
cSx1N+25B6/mn0RH6MRxLMXTHVS9gDPOwfKa38yqLOWthZRaTIGQY6IQUceN+pJL
wyJW6amku9oITomQCm3WEzr6eR1k7fqt61dOhsarZQv2wpWPBITY5JiAHWVQXDnG
/WMeunRri7Y=
=IyQ1
-----END PGP SIGNATURE-----

-
This is the TCPDUMP workers list.
It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
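The "ipdecap" idea sketched in the message above (a separate tool that removes encapsulation from a capture, rather than tcpdump itself), as an added example that is not part of the original thread, of tcpdump, or of FreeSWAN: a small Python script that reads a classic pcap with Ethernet framing, strips IP-in-IP (protocol 4, the "ipip-proto-4" in the output above) and plain GRE outer headers, and writes a new pcap containing the inner packets with the original timestamps. ESP is deliberately left alone, since removing it needs the SA keys; the function names, the sample packets (built from the 192.1.2.23 > 192.1.2.45 tunnel and 192.0.2.1 > 192.0.1.1 echo seen in the mail) and the MAC addresses are constructed for this example.

```python
"""Strip IP-in-IP (proto 4) and GRE (proto 47) outer layers from an Ethernet pcap (example, not tcpdump code)."""
import struct
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP, IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_GRE = 1, 4, 17, 47

def ipv4_checksum(header):
    """One's-complement checksum of an IPv4 header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 packet (no options, DF set); used only to construct the sample input."""
    addrs = bytes(int(x) for x in src.split(".")) + bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH8s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0, addrs)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def strip_encapsulation(frame):
    """Return (frame with outer IPIP/GRE layers removed, names of the layers stripped)."""
    stripped = []
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return frame, stripped                      # not IPv4 over Ethernet: pass through
    eth, ip = frame[:14], frame[14:]
    while len(ip) >= 20 and ip[0] >> 4 == 4:
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        payload = ip[ihl:total_len]
        if ip[9] == IPPROTO_IPIP:
            inner, label = payload, "ipip"
        elif ip[9] == IPPROTO_GRE and len(payload) >= 4:
            flags, gre_proto = struct.unpack("!HH", payload[:4])
            # Only GRE version 0 without routing entries (RFC 1701 R bit) and with IPv4 inside.
            if gre_proto != ETHERTYPE_IPV4 or flags & 0x4007:
                break
            # Optional checksum (C), key (K) and sequence (S) words precede the payload.
            off = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
            inner, label = payload[off:], "gre"
        else:
            break                                   # ESP, ICMP, UDP, ...: nothing to strip here
        if len(inner) < 20 or inner[0] >> 4 != 4:   # inner packet must itself be IPv4
            break
        ip = inner
        stripped.append(label)
    return eth + ip, stripped

def _pcap_endian(pcap):
    """Struct byte-order prefix from the pcap magic; KeyError means not a classic pcap file."""
    return {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack("<I", pcap[:4])[0]]

def list_records(pcap):
    """Frames of a classic pcap file: 24-byte global header, then 16-byte record headers."""
    endian, off, frames = _pcap_endian(pcap), 24, []
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frames.append(pcap[off + 16:off + 16 + incl])
        off += 16 + incl
    return frames

def decapsulate_pcap(pcap):
    """Rewrite every record with its outer layers removed; returns (new pcap, records changed)."""
    endian, off, changed = _pcap_endian(pcap), 24, 0
    out = bytearray(pcap[:24])                      # link type stays Ethernet: header reused
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl, orig = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        new_frame, layers = strip_encapsulation(frame)
        if layers:
            changed += 1
            orig -= len(frame) - len(new_frame)     # keep orig_len consistent with the new size
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, len(new_frame), orig) + new_frame
    return bytes(out), changed

def ip_summary(frame):
    """(src, dst, protocol) of the IPv4 packet inside an Ethernet frame, for checking results."""
    ip = frame[14:]
    return ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])), ip[9]

def build_sample_pcap():
    """Constructed input: the tunnel from the mail (192.1.2.23 > 192.1.2.45) carrying an ICMP echo
    192.0.2.1 > 192.0.1.1 once as IPIP and once as GRE, plus one plain UDP packet to leave alone."""
    eth = bytes.fromhex("001122334455 66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    inner = build_ipv4("192.0.2.1", "192.0.1.1", IPPROTO_ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping")
    pkts = [build_ipv4("192.1.2.23", "192.1.2.45", IPPROTO_IPIP, inner),
            build_ipv4("192.1.2.23", "192.1.2.45", IPPROTO_GRE, struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner),
            build_ipv4("192.1.2.23", "192.1.2.45", IPPROTO_UDP, struct.pack("!HHHH", 1234, 53, 12, 0) + b"data")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # little-endian, link type 1 = Ethernet
    for i, pkt in enumerate(pkts):
        out += struct.pack("<IIII", 1062700000 + i, 0, 14 + len(pkt), 14 + len(pkt)) + eth + pkt
    return out

if __name__ == "__main__":
    new_pcap, n = decapsulate_pcap(build_sample_pcap())
    print("%d record(s) decapsulated:" % n, [ip_summary(f) for f in list_records(new_pcap)])
```

Two of the three sample records are rewritten and the UDP record passes through byte-for-byte. Note the testing caveat raised in the message: once the outer layer is gone, the spi= and seq= values are gone with it, so a regression check that cares about the ESP layer (replay counters, SPI selection) still has to run against the original capture, and the decapsulated file is only useful for checking the inner traffic.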