
tshark decrypt esp packets with command line arguments


Hello,

I work with wireshark a lot and I need to decode a LOT of traces that have ESP. It takes a long time to manually enter in all the information necessary in the GUI to decode each different trace, so I am trying to figure out a way to pass the ESP decryption parameters as command line arguments to tshark or wireshark. Or even be able to edit a file like esp_sa where I can just append the necessary keys with a script then open with wireshark. This hasn't worked however, so I am hoping to find someone who knows how to do this.

Any help is appreciated!

Thanks, Jon

asked 11 Jul '13, 14:41


Lemurshark


One Answer:


I just did a quick test, and the following works on my system.

Step #1: Create a file esp_sa in the application data directory of the User. Simply create SA entries in the GUI and then use the created file as a template. Edit -> Preferences -> Protocols -> ESP -> ESP SAs.

Sample File (for the capture file I posted in this question - scroll down to the ESP part):

# This file is automatically generated, DO NOT MODIFY.
"IPv4","192.168.140.205","192.168.140.200","0x1c0d7b38","TripleDES-CBC [RFC2451]","0x39e87c9ca500616b36f2f0d3c7fb688621d7bbf31414abbd","HMAC-SHA-1-96 [RFC2404]","0xc364660133b04a4f20e52000dbe4a6ba154c09c1"

Step #2: run tshark with the following option (in addition to your other options): -o esp.enable_encryption_decode:TRUE. This is not necessary if you set the same option in the GUI (it will be written into the preferences file).

Or even be able to edit a file like esp_sa where I can just append the necessary keys with a script then open with wireshark. This hasn't worked however,

Did you get an error message? If not, what exactly did not work?

This is what I get (frame #12/#13 are the decrypted ESP frames).

tshark -nr ipsec.cap

1 0.000000 192.168.140.205 -> 192.168.140.200 ISAKMP 294 0x0000 (0) Identity Protection (Main Mode)
2 0.014556 192.168.140.200 -> 192.168.140.205 ISAKMP 214 0x0000 (0) Identity Protection (Main Mode)
3 0.042441 192.168.140.205 -> 192.168.140.200 ISAKMP 82 0x0000 (0) Informational
4 10.054177 192.168.140.200 -> 192.168.140.205 ISAKMP 214 0x0000 (0) Identity Protection (Main Mode)
5 10.073018 192.168.140.205 -> 192.168.140.200 ISAKMP 270 0x0000 (0) Identity Protection (Main Mode)
6 10.090702 192.168.140.200 -> 192.168.140.205 ISAKMP 270 0x0000 (0) Identity Protection (Main Mode)
7 10.104128 192.168.140.205 -> 192.168.140.200 ISAKMP 110 0x0000 (0) Identity Protection (Main Mode)
8 10.105329 192.168.140.200 -> 192.168.140.205 ISAKMP 110 0x0000 (0) Identity Protection (Main Mode)
9 10.108102 192.168.140.205 -> 192.168.140.200 ISAKMP 198 0x0000 (0) Quick Mode
10 10.109646 192.168.140.200 -> 192.168.140.205 ISAKMP 198 0x0000 (0) Quick Mode
11 10.308616 192.168.140.205 -> 192.168.140.200 ISAKMP 94 0x0000 (0) Quick Mode
12 13.860464 172.16.205.2 -> 172.16.200.2 ICMP 126 0x38e7 (14567),0x57db (22491) Echo (ping) request id=0x0300, seq=16640/65, ttl=127
13 13.861386 172.16.200.2 -> 172.16.205.2 ICMP 126 0xe4d4 (58580),0x3ff7 (16375) Echo (ping) reply id=0x0300, seq=16640/65, ttl=127 (request in 12)

Regards
Kurt

answered 11 Jul '13, 16:41


Kurt Knochner ♦

edited 11 Jul '13, 16:45
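A small script in the spirit of what the asker ended up writing, added here as an example (it is not code from either poster): it formats SA entries in the esp_sa layout shown in the answer, refuses keys whose length does not match the algorithm (24 bytes for TripleDES-CBC, 20 bytes for HMAC-SHA-1-96 per RFC 2404; the check itself is mine, not from the page), and builds the tshark command from Step #2. The SA values are the ones from the sample line; writing to ./esp_sa instead of the Wireshark personal configuration directory is an assumption for the demo.

```python
import shlex

# Key sizes in bytes for the two algorithms that appear in the answer's sample line.
# Other Wireshark algorithm strings are written unchecked (assumption: caller knows them).
ENC_KEY_BYTES = {"TripleDES-CBC [RFC2451]": 24}
AUTH_KEY_BYTES = {"HMAC-SHA-1-96 [RFC2404]": 20}
ESP_SA_HEADER = "# This file is automatically generated, DO NOT MODIFY."


def _check_hex(label, value, expected_bytes):
    """Values in the sample carry a 0x prefix; reject what Wireshark could not parse."""
    if not value.startswith("0x"):
        raise ValueError(f"{label} must be 0x-prefixed hex, got {value!r}")
    raw = bytes.fromhex(value[2:])  # ValueError on odd length or a non-hex digit
    if expected_bytes is not None and len(raw) != expected_bytes:
        raise ValueError(f"{label} is {len(raw)} bytes, expected {expected_bytes}")


def esp_sa_line(src, dst, spi, enc_alg, enc_key, auth_alg, auth_key, proto="IPv4"):
    """One esp_sa record in the all-quoted CSV layout shown in the answer."""
    _check_hex("SPI", spi, 4)
    _check_hex("encryption key", enc_key, ENC_KEY_BYTES.get(enc_alg))
    _check_hex("authentication key", auth_key, AUTH_KEY_BYTES.get(auth_alg))
    fields = [proto, src, dst, spi, enc_alg, enc_key, auth_alg, auth_key]
    return ",".join(f'"{f}"' for f in fields)


def write_esp_sa(path, sas):
    """Overwrite esp_sa with the header and one line per SA. A tunnel has one SA
    per direction, each with its own SPI and keys, so list both to decode replies."""
    with open(path, "w") as fh:
        fh.write(ESP_SA_HEADER + "\n")
        for sa in sas:
            fh.write(esp_sa_line(**sa) + "\n")


def tshark_cmd(capture):
    """Step #2 of the answer: switch ESP decryption on for this run only via -o."""
    return ["tshark", "-o", "esp.enable_encryption_decode:TRUE", "-nr", capture]


if __name__ == "__main__":
    # Constructed from the sample line; move the file into the Wireshark personal
    # configuration directory before running tshark (assumption: ./esp_sa for the demo).
    sa = dict(src="192.168.140.205", dst="192.168.140.200", spi="0x1c0d7b38",
              enc_alg="TripleDES-CBC [RFC2451]",
              enc_key="0x39e87c9ca500616b36f2f0d3c7fb688621d7bbf31414abbd",
              auth_alg="HMAC-SHA-1-96 [RFC2404]",
              auth_key="0xc364660133b04a4f20e52000dbe4a6ba154c09c1")
    write_esp_sa("esp_sa", [sa])
    print(open("esp_sa").read(), shlex.join(tshark_cmd("ipsec.cap")))
```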

Thanks Kurt. I tried appending the lines to esp_sa again and it worked. I don’t know what was wrong the first time that it didn’t decode the ESP, but it’s working now! This really helps as I’ve just written a script to decrypt the traces, and it’s much faster than entering them by hand.

(19 Jul '13, 12:01) Lemurshark