tcpdump mailing list archives

Re: question about -E parameter decrypting esp packets


From: Torsten Krah <tkrah () fachschaft imn htwk-leipzig de>
Date: Fri, 20 Feb 2009 10:29:35 +0100

On Friday, 20 February 2009 02:35:04, Michael Richardson wrote:

  First, are you capturing the entire packet?

Hm, what do you mean by "entire" packet? How do I know this?
I told you the command I used; do I have to do something more to get the 
entire dump?


    Torsten> Command used:

    Torsten> Doing a ping to 192.168.96.24 i issue this command:

    Torsten> tcpdump -i eth3 -E "0xf33ec601@192.168.96.24
    Torsten> 0x11cc1dbe3de5cb263ce1bc05cd1811abbce880f34a23a7cc" icmp

  Second, are you using "netkey" (built-in kernel IPsec)?

Yes, I am using netkey. I tried the klips stack but can't get virtual nets 
(only done through NETMAP and DNAT/SNAT targets) to work (kernel 2.6.28.6, 
openswan 2.6.20); racoon + netkey does work.

  If so, then you lose, because they never provided tcpdump hooks for
both before and after (and in between) for the layers of the tunnels.
  You see everything.

Do I have to see everything, or am I not going to see all of it? I am confused 
about your answer here.


  tcpdump -E is used extensively by the Openswan KLIPS regression
testing system, which is part of every source tree, if you want more
examples than are in tcpdump/tests

Thanks for this hint. I already looked there, but using the examples there I 
can't get my packets decrypted; it seems like my capture file is not what 
tcpdump expects.

-- 
Please do not send me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.de.html

"Really, I'm not out to destroy Microsoft. That will just be a 
completely unintentional side effect."
        -- Linus Torvalds
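As an added example, not part of this thread, here is the check behind the "entire packet" question above: a small stdlib-only Python script that writes a constructed pcap containing ESP packets cut at a given snaplen (the way a capture with that snaplen would cut them) and reports whether each ESP record was captured whole, since a truncated record lacks the ESP trailer and cannot be decrypted. It also formats the documented `-E` entry form `spi@ipaddr algo:secret`. The addresses, SPI, key bytes and packet body are made up.

```python
import struct

PCAP_MAGIC = 0xa1b2c3d4      # little-endian pcap written by this script
LINKTYPE_ETHERNET = 1
IPPROTO_ESP = 50

def build_pcap(frames, snaplen):
    """Minimal in-memory pcap; each frame is cut at snaplen like a real capture."""
    out = struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for frame in frames:
        cap = frame[:snaplen]
        out += struct.pack('<IIII', 0, 0, len(cap), len(frame)) + cap
    return out

def esp_frame(spi, seq, body, dst=bytes([192, 168, 96, 24])):
    """Constructed Ethernet/IPv4/ESP frame: SPI, sequence number, then the body.
    The ESP trailer (pad length, next header) and ICV sit at the very END."""
    esp = struct.pack('!II', spi, seq) + body
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(esp), 0, 0, 64,
                     IPPROTO_ESP, 0, bytes([192, 168, 96, 23]), dst)
    return b'\x00' * 12 + b'\x08\x00' + ip + esp

def audit_esp(pcap):
    """Return (spi, dst, caplen, wirelen, complete) per ESP record in the pcap."""
    assert struct.unpack('<I', pcap[:4])[0] == PCAP_MAGIC
    off, results = 24, []
    while off + 16 <= len(pcap):
        _, _, caplen, wirelen = struct.unpack('<IIII', pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        # Ethernet type 0x0800 (IPv4) and IP protocol 50 (ESP) only
        if len(frame) < 34 or frame[12:14] != b'\x08\x00' or frame[23] != IPPROTO_ESP:
            continue
        esp_off = 14 + (frame[14] & 0x0f) * 4
        spi = struct.unpack('!I', frame[esp_off:esp_off + 4])[0] if len(frame) >= esp_off + 4 else None
        dst = '.'.join(str(b) for b in frame[30:34])
        results.append((spi, dst, caplen, wirelen, caplen == wirelen))
    return results

def espsecret(spi, dst, algo, key):
    """One tcpdump -E entry, 'spi@ipaddr algo:secret', with a 0x-prefixed hex key."""
    return '0x%08x@%s %s:0x%s' % (spi, dst, algo, key.hex())

if __name__ == '__main__':
    frames = [esp_frame(0xf33ec601, n, bytes(120)) for n in (1, 2)]
    for snaplen in (96, 65535):   # a small default snaplen vs. "-s 0" style full capture
        for spi, dst, cap, wire, ok in audit_esp(build_pcap(frames, snaplen)):
            print('snaplen %5d spi 0x%08x -> %s caplen=%d len=%d %s'
                  % (snaplen, spi, dst, cap, wire, 'complete' if ok else 'TRUNCATED'))
    print('-E', espsecret(0xf33ec601, '192.168.96.24', '3des-cbc', bytes(range(24))))
```

Run the same audit over a real capture by replacing `build_pcap(...)` with the bytes of a file written by `tcpdump -s 0 -w`; any record reported TRUNCATED explains a decryption failure before the key or algorithm is even consulted.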
