tcpdump mailing list archives

Re: tcpdump with Linux 2.6 and ipsec/ESP


From: Michael Mueller <m.mueller99 () kay-mueller de>
Date: Tue, 05 Oct 2004 16:53:00 +0200

Michael Richardson wrote:

"Michael" == Michael Mueller <m.mueller99 () kay-mueller de> writes:

    Michael> Is this a Linux or tcpdump / libpcap problem? Does anybody
    Michael> have some further details about it? Is there a more
    Michael> appropriate Linux list to send this question to?

  On Linux 26sec code, there is no interface equivalent to "ipsec0" on
which you can see packets.

The funny thing is that using "tcpdump -i eth0" I can see incoming packets on eth0 twice. I see the ESP packet and I see the decrypted IP packet after it went through the ipsec layer (the same way as "tcpdump -i ipsec0" in 2.4 used to show it). This is very handy.

But for outgoing packets I only see ESP.


  The -E option really doesn't help much in real use, because the keys
are not easily divulged.

I use a shell script that runs setkey -D to get the keys and that puts them into a file for tcpdump -E "file name". This works fine.


  BSDs running KAME stacks have had the same problem, some of the BSDs
have created a special tap point which tcpdump can attach to which is
prior to encryption, and after decryption.

  You will discover that there are other issues with 26sec -- you have
now effectively 3 firewalls (iptables, advanced routing/QoS, and SPD),
and the SPD one is unaware of the other two.

--
]     "Elmo went to the wrong fundraiser" - The Simpson         |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr () xelerance com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.


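As an added illustration of the kind of script Michael Mueller mentions (this is not his script and not part of the thread), the POSIX shell function below turns `setkey -D` output into the `spi@dst algo:0xHEXKEY` lines that `tcpdump -E "file NAME"` reads. The `setkey -D` sample embedded in `sample_sadb` is constructed (made-up addresses and keys); its layout follows the ipsec-tools dump format (an address-pair line, an `esp ... spi=DEC(0xHEX)` line, then `E:` and `A:` key lines). Algorithm names are passed through as setkey prints them, which matches tcpdump for des-cbc, 3des-cbc and blowfish-cbc; anything else may need renaming by hand.

```shell
#!/bin/sh
# Added example, not from the thread: build a tcpdump -E secrets file from
# `setkey -D` output. tcpdump -E secret lines look like
#     spi@dst-address algo:0xHEXKEY
# with dst being the destination address of the SA and spi in decimal or 0x hex.

# sadb_to_tcpdump_secrets: read a `setkey -D` dump on stdin, write one
# tcpdump -E secret line per ESP SA on stdout. AH-only SAs are skipped.
sadb_to_tcpdump_secrets() {
    awk '
        # SA header line: "<src> <dst>" starting in column 1.
        $0 !~ /^[ \t]/ && NF == 2 { dst = $2; spi = ""; next }

        # Parameter line: "esp mode=... spi=DEC(0xHEX) reqid=...".
        # Keep the decimal SPI; tcpdump parses it with strtoul(..., 0).
        $1 == "esp" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^spi=/) { spi = substr($i, 5); sub(/\(.*$/, "", spi) }
            next
        }
        # AH SAs carry no encryption key, so nothing for -E to use.
        $1 == "ah" { spi = ""; next }

        # Encryption key line: "E: <algo> <hex groups...>"; join the groups.
        $1 == "E:" && dst != "" && spi != "" {
            algo = $2; key = ""
            for (i = 3; i <= NF; i++) key = key $i
            printf "%s@%s %s:0x%s\n", spi, dst, algo, key
            spi = ""
        }
    '
}

# sample_sadb: constructed stand-in for `setkey -D` so the example runs offline.
# Real output needs root and comes from: setkey -D
sample_sadb() {
    printf '%s\n'   '10.0.0.1 10.0.0.2'
    printf '\t%s\n' 'esp mode=tunnel spi=1234(0x000004d2) reqid=0(0x00000000)'
    printf '\t%s\n' 'E: 3des-cbc  00112233 44556677 8899aabb ccddeeff 01234567 89abcdef'
    printf '\t%s\n' 'A: hmac-sha1  0a0b0c0d 0e0f1011 12131415 16171819 1a1b1c1d'
    printf '\t%s\n' 'seq=0x00000000 replay=4 flags=0x00000000 state=mature'
    printf '%s\n'   '10.0.0.2 10.0.0.1'
    printf '\t%s\n' 'esp mode=tunnel spi=4321(0x000010e1) reqid=0(0x00000000)'
    printf '\t%s\n' 'E: blowfish-cbc  fedcba98 76543210 ffeeddcc bbaa9988'
    printf '\t%s\n' 'A: hmac-md5  1a1b1c1d 1e1f2021 22232425 26272829'
    printf '\t%s\n' 'seq=0x00000000 replay=4 flags=0x00000000 state=mature'
    printf '%s\n'   '10.0.0.2 10.0.0.1'
    printf '\t%s\n' 'ah mode=transport spi=777(0x00000309) reqid=0(0x00000000)'
    printf '\t%s\n' 'A: hmac-sha1  30313233 34353637 38393a3b 3c3d3e3f 40414243'
}

# Demonstration on the constructed sample (two ESP lines, AH entry skipped):
sample_sadb | sadb_to_tcpdump_secrets

# On a real host (paths are placeholders; tcpdump must be built with libcrypto):
#   umask 077; setkey -D | sadb_to_tcpdump_secrets > /root/esp.secrets
#   tcpdump -i eth0 -E "file /root/esp.secrets" esp
#   rm -f /root/esp.secrets
```

The generated file holds the live SA keys, which is why the usage lines create it with `umask 077` and remove it after the capture; keys also rotate when the SAs are rekeyed, so regenerate the file whenever `setkey -D` shows new SPIs.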
