tcpdump mailing list archives
Re: question about -E parameter decrypting esp packets
From: Michael Richardson <mcr () sandelman ottawa on ca>
Date: Fri, 20 Feb 2009 10:42:29 -0500
"Torsten" == Torsten Krah <tkrah () fachschaft imn htwk-leipzig de> writes:
    Torsten> On Friday, 20 February 2009 02:35:04, Michael Richardson wrote:
    >> First, are you capturing the entire packet?

    Torsten> Hm, what do you mean with "entire" packet? How do I know
    Torsten> this? The command I used I already told you - do I have to do
    Torsten> something more to get the entire dump?

add: "-s 1600 "

    Torsten> Yes, I am using netkey - tried the klips stack but can't get
    Torsten> virtual nets (only done through NETMAP and DNAT/SNAT targets)
    Torsten> to work (kernel 2.6.28.6, openswan 2.6.20) - racoon + netkey
    Torsten> does work.

I don't know what "virtual nets" are. Is this an overlay network?
Feel free to contact me about this off this list.

    >> If so, then you lose, because they never provided tcpdump hooks
    >> for both before and after (and in between) for the layers of the
    >> tunnels. You see everything.

    Torsten> Do I have to see everything, or am I going to not see all?

Depends upon the specific packet flow, but often you see all packets twice.

    >> tcpdump -E is used extensively by the Openswan KLIPS regression
    >> testing system, which is part of every source tree, if you want
    >> more examples than are in tcpdump/tests

    Torsten> Thx for this hint, I already looked there, but using the
    Torsten> examples there I can't get my packets decrypted; seems like
    Torsten> my capture file is not what tcpdump expects.

If the end of the packet is missing, then it can't remove the auth header,
etc. In theory, one could work around that problem, but the default capture
length probably doesn't include any ciphertext...
--
] There was a hen jammed in the muffler!!!!!!!!!                    | firewalls  [
] Michael Richardson, Sandelman Software Works, Ottawa, ON          |net architect[
] mcr () sandelman ottawa on ca http://www.sandelman.ottawa.on.ca/  |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
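The capture-length problem Michael points at above, as an added example that is not part of this thread or of tcpdump itself: a small Python check that walks a pcap file (constructed inline, raw-IP link type, no link-layer header) and flags ESP packets whose captured length is shorter than their on-wire length, i.e. packets whose ESP trailer and ICV were cut off by the snaplen and so cannot be authenticated or decrypted. The packet layout, SPI values and the 68-byte snaplen are constructed assumptions.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_RAW = 101      # raw IPv4/IPv6 packets, no link-layer header
IPPROTO_ESP = 50


def build_esp_packet(spi, seq, body_len):
    """Constructed IPv4 + ESP packet: 20-byte IP header, SPI, seq, opaque body."""
    total = 20 + 8 + body_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, IPPROTO_ESP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    esp = struct.pack("!II", spi, seq) + b"\xaa" * body_len  # ciphertext stand-in
    return ip + esp


def build_pcap(packets, snaplen):
    """Write a classic pcap, truncating each packet to snaplen like a capture would."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_RAW)
    for pkt in packets:
        captured = pkt[:snaplen]
        # per-packet header: ts_sec, ts_usec, incl_len (caplen), orig_len (wirelen)
        out += struct.pack("<IIII", 0, 0, len(captured), len(pkt)) + captured
    return out


def check_esp_captures(pcap_bytes):
    """Return (spi, seq, caplen, wirelen, complete) for every ESP packet.

    complete is False when caplen < wirelen: the tail of the packet, where the
    ESP trailer and ICV live, was not captured, so -E cannot verify or decrypt it.
    """
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    linktype, = struct.unpack_from("<I", pcap_bytes, 20)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_RAW:
        raise ValueError("expected little-endian pcap with raw-IP link type")
    off, results = 24, []
    while off + 16 <= len(pcap_bytes):
        _, _, caplen, wirelen = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        data = pcap_bytes[off:off + caplen]
        off += caplen
        if len(data) < 28 or data[9] != IPPROTO_ESP:   # need IP + ESP header
            continue
        ihl = (data[0] & 0x0F) * 4
        spi, seq = struct.unpack_from("!II", data, ihl)
        results.append((spi, seq, caplen, wirelen, caplen == wirelen))
    return results
```

Any entry with complete == False is a packet that would have to be re-captured with a larger snaplen (the "-s 1600" above) before tcpdump -E can do anything with it.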