How can I decrypt IKE/ISAKMP packets in tshark

Question

Hi,

I'm looking for a way to decrypt ISAKMP ikev2 messages using tshark. I was able to do through preferences in wireshark. But not sure how will I give that preference with the "-o" option in tshark.

Any help is appreciated.

Answer 1

You would use -o if you want to override a current preferences value. You already configured the decryption in Wireshark and if it works there, it will also work in tshark. Both read the same preferences file.

Answer 2

To decrypt ISAKMP/IKE frames, please fill the following file with the same paramaters you entered in the GUI:

IKEv1:

File: %APPDATA%\Wireshark\ikev1_decryption_table

IKEv2:

File: %APPDATA%\Wireshark\ikev2_decryption_table

If you don't know what to put into those files, first fill in the values in the GUI and then take the generated files as an example.

Then enable ISAKMP/IKE decryption in tshark, you need the following -o options:

tshark -nr ipsec.cap -o isakmp.ikev1_decryption_table:TRUE -V > IKEv1_decrypted.txt
tshark -nr ipsec.cap -o isakmp.ikev2_decryption_table:TRUE -V > IKEv2_decrypted.txt

After that, you'll see the decrypted IKE frames in the output files.

   Encrypted Data (40 bytes)    <================ HERE 
        Type Payload: Identification (5)
            Next payload: Hash (8)
            Payload length: 12
            ID type: IPV4_ADDR (1)
            Protocol ID: Unused
            Port: Unused
            Identification Data:192.168.140.205
                ID_IPV4_ADDR: 192.168.140.205 (192.168.140.205)
        Type Payload: Hash (8)
            Next payload: NONE / No Next Payload  (0)
            Payload length: 24
            Hash DATA: 3321b19237fb86a3231239d2049260d1b4a6e0e7
        Extra data: 00000000

See also my other answers related to IKE/ESP decryption:

https://ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets
https://ask.wireshark.org/questions/22874/tshark-decrypt-esp-packets-with-command-line-arguments

Regards
Kurt