tcpdump mailing list archives

Re: question about -E parameter decrypting esp packets


From: Michael Richardson <mcr () sandelman ottawa on ca>
Date: Fri, 20 Feb 2009 10:42:29 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


"Torsten" == Torsten Krah <tkrah () fachschaft imn htwk-leipzig de> writes:
    Torsten> On Friday, 20 February 2009 02:35:04, Michael Richardson
    Torsten> wrote:
    >> First, are you capturing the entire packet?

    Torsten> Hm, what do you mean with "entire" packet? How do I know
    Torsten> this?  I told you the command I have used - do I have to do
    Torsten> something more to get the entire dump?

  add: "-s 1600 "

    Torsten> Yes, I am using netkey - tried the klips stack but can't get
    Torsten> virtual nets, only done through NETMAP and DNAT/SNAT targets,
    Torsten> to work (kernel 2.6.28.6, openswan 2.6.20) - racoon + netkey
    Torsten> does work.

  I don't know what "virtual nets" are.  Is this an overlay network?
  Feel free to contact me about this off this list.

    >> If so, then you lose, because they never provided tcpdump hooks
    >> for both before and after (and in between) for the layers of the
    >> tunnels.  You see everything.

    Torsten> Do I have to see everything, or am I going to not see all?

  Depends upon the specific packet flow, but often you see all packets
twice.

    >> tcpdump -E is used extensively by the Openswan KLIPS regression
    >> testing system, which is part of every source tree, if you want
    >> more examples than are in tcpdump/tests

    Torsten> Thx for this hint, I already looked there, but using the
    Torsten> examples there I can't get my packets decrypted; seems like
    Torsten> my capture file is not what tcpdump expects.

  If the end of the packet is missing, then it can't remove the auth
header, etc.  In theory, one could work around that problem, but the
default capture length probably doesn't include any ciphertext...

- -- 
]     Y'avait une poule de jammé dans l'muffler!!!!!!!!!        |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr () sandelman ottawa on ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Finger me for keys

iQEVAwUBSZ7PZICLcPvd0N1lAQLi3wgAmVTJ9Tu6NP/uh8IrlSM/4EGhUXti1Ojq
Ng5s/WnZi6x5521GhTdExGEAXf46OXb/E1KVdvMkT+hASsvDaAqgZYjIM+hCjYzm
18WhMiQqJ3hsoj6cB4V1d6houJqWqWWcS3SjMxSvxmlHMTCfs+pXohqPRvBGD+c5
ui7xYZ8gfArWG8bpBeQK92rQEW3L/RFdpKYoHg/1obbHcF7q4WWV+co51R2YIung
62EKDdE8JRsf73ZadF4ALPq9k3tUJZ4fOZJkW+oBLqb5nXiJ1l1XMOy/AzB4+Vq4
JJcEWeOqrinisyyDGx3bewVCa/WTzgHqMjgx6jA94veX5zgTfqgJTA==
=eqQR
-----END PGP SIGNATURE-----
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
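The reply above comes down to one check: did the capture keep the end of each ESP packet? The ICV is the last thing on the wire and the ESP trailer (pad length, next header) sits inside the final cipher block, so a packet cut at the old default snaplen of 68 bytes gives -E nothing to authenticate or strip. The script below is an added example written for this thread, not tcpdump or Openswan code: it builds a raw-IP pcap in memory from a constructed ESP packet (the IV, "ciphertext" and ICV are placeholder bytes, not real cipher output), captures it once at snaplen 68 and once at 1600, and reports per packet whether the bytes -E needs were captured. The LINKTYPE_RAW framing, sample SPI and sizes (8-byte 3DES IV, 12-byte HMAC-SHA1-96 ICV) are assumptions for the example.

```python
"""Check whether the ESP packets in a pcap were captured in full.

Added example for the thread above; it is not tcpdump or Openswan code.
tcpdump -E needs the whole ESP packet: the ICV is the last bytes on the
wire and the ESP trailer (pad length, next header) sits inside the final
cipher block, so a packet cut short by a small snaplen can neither be
authenticated nor have its trailer removed.  The pcap, packet and
"ciphertext" below are constructed inline so the script runs offline.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4   # little-endian pcap, microsecond timestamps
LINKTYPE_RAW = 101        # raw IP frames, no link-layer header (assumed here)
IPPROTO_ESP = 50
OLD_DEFAULT_SNAPLEN = 68  # tcpdump's default snaplen before 4.0, the value at issue

# Constructed sample: an 8-byte IV (3DES-CBC), 64 bytes standing in for
# ciphertext, and a 12-byte tag standing in for an HMAC-SHA1-96 ICV.
SAMPLE_IV = bytes(range(8))
SAMPLE_CIPHERTEXT = bytes((i * 7) & 0xFF for i in range(64))
SAMPLE_ICV = b"\xAA" * 12
SAMPLE_SPI = 0x1000


def build_esp_over_ipv4(spi, seq, iv, ciphertext, icv,
                        src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Raw IPv4 packet carrying ESP: SPI, sequence number, IV, ciphertext, ICV.
    The IP checksum is left at zero; this check never looks at it."""
    esp = struct.pack("!II", spi, seq) + iv + ciphertext + icv
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0, 0, 64,
                     IPPROTO_ESP, 0, src, dst)
    return ip + esp


def build_pcap(packets, snaplen):
    """Serialise (ts_sec, packet) pairs as a pcap file, truncating each
    packet to snaplen exactly as a live capture with that snaplen would."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_RAW)]
    for ts_sec, pkt in packets:
        kept = pkt[:snaplen]
        out.append(struct.pack("<IIII", ts_sec, 0, len(kept), len(pkt)))
        out.append(kept)
    return b"".join(out)


def check_esp_capture(pcap_bytes, iv_len=8, icv_len=12):
    """One report per ESP packet: SPI/seq, captured vs. original length, how
    many ciphertext bytes made it into the file, and whether the packet is
    complete (orig_len == incl_len), which is what -E needs."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from(
        "<IHHiIII", pcap_bytes, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_RAW:
        raise ValueError("expected a little-endian pcap with LINKTYPE_RAW frames")
    reports, off = [], 24
    while off + 16 <= len(pcap_bytes):
        _ts, _us, incl_len, orig_len = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 28 or frame[0] >> 4 != 4 or frame[9] != IPPROTO_ESP:
            continue  # not IPv4 ESP, or too short to even read the SPI
        ihl = (frame[0] & 0x0F) * 4
        spi, seq = struct.unpack_from("!II", frame, ihl)
        complete = incl_len == orig_len
        # ciphertext is everything after SPI/seq/IV, minus the ICV if present
        ct_captured = incl_len - ihl - 8 - iv_len - (icv_len if complete else 0)
        reports.append({
            "spi": spi, "seq": seq,
            "captured": incl_len, "original": orig_len,
            "missing": orig_len - incl_len,
            "ciphertext_captured": max(ct_captured, 0),
            "complete": complete,
        })
    return reports


def demo(snaplen):
    """Capture the constructed ESP packet at the given snaplen and report on it."""
    pkt = build_esp_over_ipv4(SAMPLE_SPI, 1, SAMPLE_IV, SAMPLE_CIPHERTEXT, SAMPLE_ICV)
    return check_esp_capture(build_pcap([(0, pkt)], snaplen))[0]


if __name__ == "__main__":
    for snaplen in (OLD_DEFAULT_SNAPLEN, 1600):
        r = demo(snaplen)
        print(f"snaplen {snaplen:5d}: spi 0x{r['spi']:08x} captured {r['captured']}/"
              f"{r['original']} bytes, ciphertext {r['ciphertext_captured']}, "
              f"{'ok for -E' if r['complete'] else 'truncated, -E cannot decrypt'}")
```

Run as-is it contrasts the pre-4.0 default of 68 bytes (32 of 64 ciphertext bytes, no ICV) with the `-s 1600` from the reply (everything present). To run it over your own file, read the bytes and call check_esp_capture, but only for captures whose frames are raw IP; an Ethernet capture carries a 14-byte link header in front of the IP header, which this example does not skip.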
