
PACKET CAPTURE with IPSEC ENABLED


Hi, if IPSEC is enabled, can PCAP traces be captured and decoded using Wireshark? Thanks

asked 20 Jan '14, 22:36


Surajitm


One Answer:


well, it depends....

.... on the OS and the way the IPSEC subsystem is integrated into the kernel. On some systems there is a virtual ipsec interface (like Linux KLIPS). If you capture traffic on that virtual interface, you will see the traffic in clear. On other systems (Linux 'native' IPSEC stack since kernel 2.6) you will see parts of the traffic in clear and other parts only encrypted (strange thing, but that's due to the internal architecture of the IPSEC stack and the way libpcap hooks into the kernel). Again, on other systems (e.g. Windows) it might be totally different and dependent on the VPN software in use (we have had several reports about problems with WinPcap and VPN clients).

So, there is no clear answer to your question, as you did not tell us the system (OS and VPN software) you are talking about.

Even if you add that information, it's hard to answer the question, unless one of the members here has the same 'configuration' and is able to test it. But then, why don't you test it yourself?

Simply try to capture traffic

  • without IPSEC tunnel
  • with an established IPSEC tunnel

and see what you get on your system with your IPSEC configuration ;-))

Regards
Kurt

answered 21 Jan '14, 04:06


Kurt Knochner ♦
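As an added example (not part of Kurt's answer or the original post), here is a small Python script for the "see what you get" step: run it on the capture taken without the tunnel and on the one taken with the tunnel, and it counts how many frames are ESP, AH, UDP-encapsulated ESP (NAT-T on port 4500) or plain IP, which tells you whether your capture point sees the traffic before or after encryption. It assumes classic pcap files with an Ethernet link type; the sample pcap embedded below is constructed inline for demonstration.

```python
import struct

ESP, AH, UDP, NAT_T_PORT = 50, 51, 17, 4500

def classify_frame(frame):
    """Classify one Ethernet/IPv4 frame as 'esp', 'ah', 'udp-esp', 'clear' or 'other'."""
    if len(frame) < 34 or struct.unpack('!H', frame[12:14])[0] != 0x0800:
        return 'other'                       # not IPv4 (ARP, IPv6, ...)
    ihl = (frame[14] & 0x0F) * 4             # IPv4 header length in bytes
    proto = frame[14 + 9]                    # IPv4 protocol field
    if proto == ESP:
        return 'esp'
    if proto == AH:
        return 'ah'
    if proto == UDP:
        l4 = frame[14 + ihl:]
        sport, dport = struct.unpack('!HH', l4[:4])
        # RFC 3948: on UDP/4500 an ESP packet starts with a non-zero SPI;
        # four zero bytes are the non-ESP marker used by IKE, which we count as clear.
        if NAT_T_PORT in (sport, dport) and len(l4) >= 12 and l4[8:12] != b'\x00' * 4:
            return 'udp-esp'
    return 'clear'

def summarize_pcap(data):
    """Return {class: count} for every frame in a classic (non-pcapng) Ethernet pcap."""
    magic = struct.unpack('<I', data[:4])[0]
    endian = {0xa1b2c3d4: '<', 0xd4c3b2a1: '>'}.get(magic)
    if endian is None:
        raise ValueError('not a classic pcap file')
    if struct.unpack(endian + 'I', data[20:24])[0] != 1:  # LINKTYPE_ETHERNET
        raise ValueError('this example only handles Ethernet captures')
    counts, off = {}, 24
    while off + 16 <= len(data):
        incl = struct.unpack(endian + 'IIII', data[off:off + 16])[2]
        kind = classify_frame(data[off + 16:off + 16 + incl])
        counts[kind] = counts.get(kind, 0) + 1
        off += 16 + incl
    return counts

def _frame(proto, l4):  # constructed IPv4-over-Ethernet frame, 10.0.0.1 -> 10.0.0.2
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b'\x00' * 12 + b'\x08\x00' + ip + l4

def _pcap(frames):  # constructed little-endian pcap with Ethernet link type
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    return out + b''.join(struct.pack('<IIII', 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = _pcap([
    _frame(1, b'\x08\x00\x00\x00\x00\x01\x00\x01'),                       # ICMP echo, clear
    _frame(ESP, b'\x00\x00\x12\x34\x00\x00\x00\x01' + b'\xaa' * 16),       # ESP, SPI 0x1234
    _frame(UDP, struct.pack('!HHHH', 4500, 4500, 20, 0) + b'\x00\x00\x56\x78' + b'\xbb' * 8),  # NAT-T ESP
    _frame(UDP, struct.pack('!HHHH', 4500, 4500, 20, 0) + b'\x00' * 4 + b'\xcc' * 8),          # IKE marker
])
```

On a real file, pass `open('with_tunnel.pcap', 'rb').read()` to `summarize_pcap`; a capture that shows only `esp`/`udp-esp` means your capture point sits after encryption, while one that also shows `clear` frames for the tunnelled hosts means you are capturing on the plaintext side.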