tcpdump mailing list archives

Re: tool for decrypting ESP packets in pcap files


From: Michael Richardson <mcr () sandelman ottawa on ca>
Date: Thu, 04 Sep 2003 20:42:53 -0400

"James" == James E Flemer <jflemer () uvm edu> writes:
    James> I just pulled the sources from CVS and checked it out.  I like
    James> that you can have multiple keys, tho my notion of SPI@IP had
    James> the src and dst IP reversed.

  maybe we can agree on the same format, perhaps even the same code
to parse the file?

    James> list of spi+keys and writes a new pcap file that doesn't look like
    James> ESP at all.  Follow?

    James> Now if I could do this:
    James>    tcpdump -E "file keys" -r encrypted.pcap -w decrypted.pcap
    James>    tcpdump -v -r decrypted.pcap

  I see... You want to remove the encapsulation.
  That might be generally useful as a general tool - not tcpdump, itself,
but a new tool. "ipdecap"
  It could remove all sorts of encapsulation, ipip, gre, l2tp, etc.

  I use tcpdump -E like this in FreeSWAN testing to produce output like:

192.1.2.23 > 192.1.2.45: ESP(spi=0x12345678,seq=0x1): 192.0.2.1 > 192.0.1.1: icmp: echo request (DF) (ipip-proto-4)
192.1.2.23 > 192.1.2.45: ESP(spi=0x12345678,seq=0x2): 192.0.2.1 > 192.0.1.1: icmp: echo request (DF) (ipip-proto-4)
192.1.2.23 > 192.1.2.45: ESP(spi=0x12345678,seq=0x3): 192.0.2.1 > 192.0.1.1: icmp: echo request (DF) (ipip-proto-4)
192.1.2.23 > 192.1.2.45: ESP(spi=0x12345678,seq=0x4): 192.0.2.1 > 192.0.1.1: icmp: echo request (DF) (ipip-proto-4)
192.1.2.23 > 192.1.2.45: ESP(spi=0x12345678,seq=0x5): 192.0.2.1 > 192.0.1.1: icmp: echo request (DF) (ipip-proto-4)
192.1.2.23 > 192.1.2.45: ESP(spi=0x12345678,seq=0x6): 192.0.2.1 > 192.0.1.1: icmp: echo request (DF) (ipip-proto-4)
192.1.2.23 > 192.1.2.45: ESP(spi=0x12345678,seq=0x7): 192.0.2.1 > 192.0.1.1: icmp: echo request (DF) (ipip-proto-4)
192.1.2.23 > 192.1.2.45: ESP(spi=0x12345678,seq=0x8): 192.0.2.1 > 192.0.1.1: icmp: echo request (DF) (ipip-proto-4)

  Which I check against what I expected to get.
  If I used the pcapdecap, then I guess I could test against the original
input, but then I might lose testing for seq=, etc...

    James> By the way, at the same url[1], is an even more trivial tool
    James> pcapconcat, which concatenates two pcap files (it does not merge
    James> by time or anything, just simple concatenation).

  Oh, that would be good to have in the tcpsplice directory!

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr () sandelman ottawa on ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [
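The "ipdecap" idea above, sketched as an added example that is not code from this thread or from tcpdump: a stdlib-only pass over a little-endian Ethernet pcap that strips the outer IPv4 header from IP-in-IP (protocol 4) packets, the "(ipip-proto-4)" case in the tcpdump output quoted earlier, and copies every other packet through untouched. The sample capture, the addresses in it and the zero-checksum IPv4 headers are constructed for the demo.

```python
import socket
import struct

ETH_LEN = 14
IPPROTO_IPIP = 4
PCAP_MAGIC = 0xA1B2C3D4  # little-endian pcap, microsecond timestamps
DLT_EN10MB = 1

def decap_ipip_frame(frame: bytes) -> bytes:
    """Strip the outer IPv4 header if the frame carries IP-in-IP (proto 4)."""
    if len(frame) < ETH_LEN + 20 or frame[12:14] != b"\x08\x00":
        return frame  # too short or not IPv4: pass through untouched
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    # Require a sane outer header, protocol 4, and an inner IPv4 header.
    if ihl < 20 or len(ip) < ihl + 20 or ip[9] != IPPROTO_IPIP or ip[ihl] >> 4 != 4:
        return frame
    return frame[:ETH_LEN] + ip[ihl:]

def decap_pcap(data: bytes) -> bytes:
    """Rewrite a pcap so ipip packets appear as their inner IP packet."""
    magic, *_, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != DLT_EN10MB:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    out, off = bytearray(data[:24]), 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, origlen = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        new = decap_ipip_frame(frame)
        # Shrink both lengths by the number of outer-header bytes removed.
        out += struct.pack("<IIII", ts_sec, ts_usec, len(new), origlen - (len(frame) - len(new)))
        out += new
    return bytes(out)

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Constructed IPv4 header (checksum left zero; fine for this demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_sample_pcap() -> bytes:
    """Constructed sample: 192.1.2.23 > 192.1.2.45 ipip around 192.0.2.1 > 192.0.1.1 ICMP."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"echo"
    inner = ipv4_header("192.0.2.1", "192.0.1.1", 1, len(icmp)) + icmp
    outer = ipv4_header("192.1.2.23", "192.1.2.45", IPPROTO_IPIP, len(inner)) + inner
    frame = b"\x00" * 12 + b"\x08\x00" + outer  # zero MACs, EtherType IPv4
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    return header + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
```

Writing `decap_pcap(open("in.pcap", "rb").read())` to a new file gives a capture that tcpdump reads as plain ICMP, which is exactly why the seq= check Michael mentions is lost once the encapsulation is gone.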
