
Hello,

I work with Wireshark a lot and I need to decode a LOT of traces that have ESP. It takes a long time to manually enter in all the information necessary in the GUI to decode each different trace, so I am trying to figure out a way to pass the ESP decryption parameters as command line arguments to tshark or Wireshark. Or even be able to edit a file like esp_sa where I can just append the necessary keys with a script then open with Wireshark. This hasn't worked however, so I am hoping to find someone who knows how to do this.

Any help is appreciated!

Thanks, Jon

asked 11 Jul '13, 14:41


Lemurshark


I just did a quick test, and the following works on my system.

Step #1: Create a file esp_sa in the application data directory of the User. Simply create SA entries in the GUI and then use the created file as a template. Edit -> Preferences -> Protocols -> ESP -> ESP SAs.

Sample File (for the capture file I posted in this question - scroll down to the ESP part):

# This file is automatically generated, DO NOT MODIFY.
"IPv4","192.168.140.205","192.168.140.200","0x1c0d7b38","TripleDES-CBC [RFC2451]","0x39e87c9ca500616b36f2f0d3c7fb688621d7bbf31414abbd","HMAC-SHA-1-96 [RFC2404]","0xc364660133b04a4f20e52000dbe4a6ba154c09c1"

Step #2: run tshark with the following option (in addition to your other options): -o esp.enable_encryption_decode:TRUE. This is not necessary if you set the same option in the GUI (it will be written into the preferences file).

Or even be able to edit a file like esp_sa where I can just append the necessary keys with a script then open with wireshark. This hasn't worked however,

Did you get an error message? If not, what exactly did not work?

This is what I get (frame #12/#13 are the decrypted ESP frames).

tshark -nr ipsec.cap

  1   0.000000 192.168.140.205 -> 192.168.140.200 ISAKMP 294 0x0000 (0) Identity Protection (Main Mode)
  2   0.014556 192.168.140.200 -> 192.168.140.205 ISAKMP 214 0x0000 (0) Identity Protection (Main Mode)
  3   0.042441 192.168.140.205 -> 192.168.140.200 ISAKMP 82 0x0000 (0) Informational
  4  10.054177 192.168.140.200 -> 192.168.140.205 ISAKMP 214 0x0000 (0) Identity Protection (Main Mode)
  5  10.073018 192.168.140.205 -> 192.168.140.200 ISAKMP 270 0x0000 (0) Identity Protection (Main Mode)
  6  10.090702 192.168.140.200 -> 192.168.140.205 ISAKMP 270 0x0000 (0) Identity Protection (Main Mode)
  7  10.104128 192.168.140.205 -> 192.168.140.200 ISAKMP 110 0x0000 (0) Identity Protection (Main Mode)
  8  10.105329 192.168.140.200 -> 192.168.140.205 ISAKMP 110 0x0000 (0) Identity Protection (Main Mode)
  9  10.108102 192.168.140.205 -> 192.168.140.200 ISAKMP 198 0x0000 (0) Quick Mode
 10  10.109646 192.168.140.200 -> 192.168.140.205 ISAKMP 198 0x0000 (0) Quick Mode
 11  10.308616 192.168.140.205 -> 192.168.140.200 ISAKMP 94 0x0000 (0) Quick Mode
 12  13.860464 172.16.205.2 -> 172.16.200.2 ICMP 126 0x38e7 (14567),0x57db (22491) Echo (ping) request  id=0x0300, seq=16640/65, ttl=127
 13  13.861386 172.16.200.2 -> 172.16.205.2 ICMP 126 0xe4d4 (58580),0x3ff7 (16375) Echo (ping) reply    id=0x0300, seq=16640/65, ttl=127 (request in 12)

Regards
Kurt


answered 11 Jul '13, 16:41


Kurt Knochner ♦

edited 11 Jul '13, 16:45
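The kind of helper script the question asks for, added here as an example (it is not Kurt's code nor part of Wireshark): it builds esp_sa lines in the layout of the sample file above, enforces key lengths for the two algorithm names that appear there, appends the lines to an esp_sa file, and assembles the tshark command from Step #2. The key sizes for those two algorithms come from the sample line; any other algorithm name is written through unchecked, and the esp_sa location in the demo is a local file, not the real profile directory.

```python
"""Generate esp_sa entries for Wireshark/tshark ESP decryption (added example)."""
import shlex
from pathlib import Path

# Key sizes in bytes for the algorithm names that appear in the sample esp_sa line
# above (24-byte 3DES key, 20-byte HMAC-SHA-1 key). Other names pass without a check.
KEY_BYTES = {
    "TripleDES-CBC [RFC2451]": 24,
    "HMAC-SHA-1-96 [RFC2404]": 20,
}

def _hex_key(alg, key):
    """Validate a 0x-prefixed hex key; enforce the byte length when the algorithm is known."""
    if not key.startswith("0x") or len(key) % 2:
        raise ValueError(f"key for {alg} must be 0x-prefixed hex with whole bytes: {key}")
    int(key, 16)  # raises ValueError on non-hex characters
    expected = KEY_BYTES.get(alg)
    got = (len(key) - 2) // 2
    if expected is not None and got != expected:
        raise ValueError(f"{alg} needs a {expected}-byte key, got {got} bytes")
    return key.lower()

def format_sa(src, dst, spi, enc_alg, enc_key, auth_alg, auth_key, proto="IPv4"):
    """Return one esp_sa line in the quoted, comma-separated layout Wireshark writes."""
    if isinstance(spi, int):
        spi = f"0x{spi:08x}"  # the sample file shows the SPI as 8 lowercase hex digits
    fields = [proto, src, dst, spi, enc_alg, _hex_key(enc_alg, enc_key),
              auth_alg, _hex_key(auth_alg, auth_key)]
    return ",".join(f'"{f}"' for f in fields)

def append_sa(esp_sa_path, lines):
    """Append SA lines to esp_sa, writing Wireshark's header comment if the file is new."""
    path = Path(esp_sa_path)
    new = not path.exists()
    with path.open("a") as fh:
        if new:
            fh.write("# This file is automatically generated, DO NOT MODIFY.\n")
        for line in lines:
            fh.write(line + "\n")
    return path

def tshark_cmd(pcap):
    """Command line from Step #2: read the capture with ESP decryption enabled."""
    return ["tshark", "-nr", pcap, "-o", "esp.enable_encryption_decode:TRUE"]

if __name__ == "__main__":
    # Constructed demo using the SA from the sample file above, with the SPI given as an int.
    line = format_sa("192.168.140.205", "192.168.140.200", 0x1c0d7b38,
                     "TripleDES-CBC [RFC2451]", "0x39e87c9ca500616b36f2f0d3c7fb688621d7bbf31414abbd",
                     "HMAC-SHA-1-96 [RFC2404]", "0xc364660133b04a4f20e52000dbe4a6ba154c09c1")
    append_sa("esp_sa", [line])  # demo writes ./esp_sa; point this at your profile directory
    print(shlex.join(tshark_cmd("ipsec.cap")))
```

Wireshark reads esp_sa from the personal configuration folder, which Help -> About Wireshark -> Folders lists for your installation.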

Thanks Kurt. I tried appending the lines to esp_sa again and it worked. I don't know what was wrong the first time that it didn't decode the ESP, but it's working now! This really helps as I've just written a script to decrypt the traces, and it's much faster than entering them by hand.

(19 Jul '13, 12:01) Lemurshark