I'd like to see decryption of encrypted ISAKMP traffic. I entered the cookie and the key into the IKEv1 Decryption Table, but in the ISAKMP packets, the "Encrypted Data" doesn't have the clicky-box to expand and see it decrypted. I'm using Wireshark 1.8.4 with GCrypt on Windows 7. Is there something else I need to do?
asked 07 Feb '13, 14:55 scherertim edited 07 Feb '13, 14:59
One Answer:
Please read my answer to the following questions to see if there is anything that can help you.
Regards
answered 07 Feb '13, 16:27 Kurt Knochner ♦
I did read that, thanks. No luck though. I'm using Windows IPSec rather than StrongSwan/Linux, so I copied the cookie from the Wireshark packets and got the key by converting the preshared string to hex with a helpful web calculator.
Can you please post the URL for that web calculator? If it just 'converted' your PSK to hex, then you have two problems:
No worries about the security, it's just a test setup. The calculator is http://easycalculation.com/ascii-hex.php. I removed the spaces before entering it into Wireshark. But if the only problem is that I gave Wireshark the wrong key, wouldn't it decrypt the data and end up with garbage? It seems like it didn't even try, as if I missed a "Decrypt Now" button or something.
I guess so, however I never intentionally tried it with a wrong key. You can try it with the sample file and the crypto parameters in my answer to the question I mentioned, to see if IKE decryption works on your system.
BTW: What is your Wireshark version (wireshark -v)?
Version 1.8.4 (SVN Rev 46250 from /trunk-1.8). I get the same result with the sample file: no clickable box to show the decrypted data.
O.K. I just tried it with 1.8.4 and you are right. It does not work any longer. I'll file a bug report and look into the code changes myself.
@Gerald Combs: The screenshots in my answer are missing (they were in the parts "Result without decryption:" and "Result with decryption:"). Is it possible to restore them?