tcpdump mailing list archives
Re: tcpdump with Linux 2.6 and ipsec/ESP
From: Michael Mueller <m.mueller99 () kay-mueller de>
Date: Tue, 05 Oct 2004 16:53:00 +0200
Michael Richardson wrote:
> "Michael" == Michael Mueller <m.mueller99 () kay-mueller de> writes:
>     Michael> Is this a Linux or tcpdump / libpcap problem? Does anybody
>     Michael> have some further details about it? Is there a more
>     Michael> appropriate Linux list to send this question to?
>
> On Linux 26sec code, there is no interface equivalent to "ipsec0" on
> which you can see packets.
The funny thing is that using "tcpdump -i eth0" I can see incoming packets on eth0 twice. I see the ESP packet and I see the decrypted IP packet after it went through the ipsec layer (the same way as "tcpdump -i ipsec0" in 2.4 used to show it). This is very handy.
But for outgoing packets I only see ESP.
> The -E option really doesn't help much in real use, because the keys
> are not easily divulged.
I use a shell script that runs setkey -D to get the keys and that puts them into a file for tcpdump -E "file name". This works fine.
> BSDs running KAME stacks have had the same problem; some of the BSDs have
> created a special tap point which tcpdump can attach to which is prior to
> encryption, and after decryption.
>
> You will discover that there are other issues with 26sec -- you have now
> effectively 3 firewalls (iptables, advanced routing/QoS, and SPD), and the
> SPD one is unaware of the other two.
>
> - --
> ]  "Elmo went to the wrong fundraiser" - The Simpson           |  firewalls  [
> ]  Michael Richardson, Xelerance Corporation, Ottawa, ON       |net architect[
> ]  mcr () xelerance com  http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
> ]  panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
>
> - This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
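The `setkey -D` to `tcpdump -E` conversion Mueller describes above, written out as an added example. This is not the script from the original post. It assumes the ipsec-tools/KAME `setkey -D` layout (an unindented `src dst` header line, an indented `esp ... spi=dec(0xhex)` line, then an `E: algo hexgroups...` line) and the `tcpdump -E` file format of one `spi@dst algo:0xkey` entry per line; the sample `setkey -D` output is constructed, and the `rijndael-cbc` to `aes-cbc` renaming is an assumption about older setkey naming.

```shell
#!/bin/sh
# Added example: build a secrets file for `tcpdump -E` from `setkey -D` output.
# Not the script from the original post; format assumptions are noted inline.
#
# Assumed setkey -D layout (ipsec-tools / KAME):
#   <src> <dst>
#           esp mode=tunnel spi=<dec>(0x<hex>) reqid=...
#           E: <algo> <hex> <hex> ...
#           A: <algo> <hex> ...
# Assumed tcpdump -E file layout: one "spi@dst algo:0xkey" entry per line.

esp_secrets_from_setkey() {
    awk '
    # Unindented line: SA header "src dst" (drop any [port] suffix from NAT-T).
    /^[^ \t]/ {
        dst = $2
        sub(/\[[0-9]+\]$/, "", dst)
        next
    }
    # "esp" or "esp-udp" line carries the SPI; keep the hex form in parentheses.
    /^[ \t]+esp(-udp)? / {
        spi = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^spi=/ && match($i, /\(0x[0-9a-fA-F]+\)/))
                spi = substr($i, RSTART + 1, RLENGTH - 2)
        next
    }
    # AH-only SAs carry no ESP key; make sure a following E: line is ignored.
    /^[ \t]+ah / { spi = ""; next }
    # "E:" line: encryption algorithm followed by the key in hex groups.
    /^[ \t]+E: / && spi != "" {
        algo = $2
        # Assumption: older setkey prints AES as "rijndael-cbc"; tcpdump wants "aes-cbc".
        if (algo == "rijndael-cbc") algo = "aes-cbc"
        key = ""
        for (i = 3; i <= NF; i++) key = key $i
        if (algo != "null" && key != "")
            printf "%s@%s %s:0x%s\n", spi, dst, algo, key
        spi = ""
    }'
}

# Constructed sample of `setkey -D` output: two SAs, one per direction.
# Real setkey indents with tabs; the parser accepts tabs or spaces.
SAMPLE_SETKEY_D='10.0.0.1 10.0.0.2
        esp mode=tunnel spi=123456789(0x075bcd15) reqid=0(0x00000000)
        E: 3des-cbc  01234567 89abcdef 01234567 89abcdef 01234567 89abcdef
        A: hmac-sha1  01234567 89abcdef 01234567 89abcdef 01234567
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
10.0.0.2 10.0.0.1
        esp mode=tunnel spi=666(0x0000029a) reqid=0(0x00000000)
        E: rijndael-cbc  00112233 44556677 8899aabb ccddeeff
        A: hmac-sha1  00112233 44556677 8899aabb ccddeeff 00112233
        seq=0x00000000 replay=4 flags=0x00000000 state=mature'

if [ "${1:-}" = "--live" ]; then
    # Real use (as root, on the IPsec gateway): the file holds raw session keys,
    # so create it unreadable to anyone else and remove it when the capture is done.
    umask 077
    setkey -D | esp_secrets_from_setkey > /root/esp-secrets
    printf 'Now run: tcpdump -n -i eth0 -E /root/esp-secrets esp\n'
else
    # Offline demonstration on the constructed sample.
    printf '%s\n' "$SAMPLE_SETKEY_D" | esp_secrets_from_setkey
fi
```

Two things worth keeping in mind when using it: `tcpdump -E` only decrypts ESP whose destination address and SPI match an entry, so both the inbound and the outbound SA must be in the file to see both directions of the tunnel decrypted, and the file is a dump of live IPsec session keys, which is exactly why Richardson calls the keys "not easily divulged"; it should be created with restrictive permissions and deleted afterwards, and the SAs must be re-exported after every rekey because the SPIs and keys change.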
Current thread:
- tcpdump with Linux 2.6 and ipsec/ESP Michael Mueller (Oct 05)
- Re: tcpdump with Linux 2.6 and ipsec/ESP Michael Richardson (Oct 05)
- Re: tcpdump with Linux 2.6 and ipsec/ESP Michael Mueller (Oct 05)
- Re: tcpdump with Linux 2.6 and ipsec/ESP Michael Richardson (Oct 05)