
How can I decrypt IKE/ISAKMP packets in tshark



I'm looking for a way to decrypt ISAKMP IKEv2 messages using tshark. I was able to do this through the preferences in Wireshark, but I'm not sure how to give that preference with the "-o" option in tshark.

Any help is appreciated.

asked 16 May '15, 18:29

shakti

accept rate: 0%

edited 17 May '15, 07:05


Kurt Knochner ♦

2 Answers:


You would use -o if you want to override a current preferences value. You already configured the decryption in Wireshark and if it works there, it will also work in tshark. Both read the same preferences file.

answered 17 May '15, 02:24

Roland

accept rate: 13%


To decrypt ISAKMP/IKE frames, please fill the following file with the same parameters you entered in the GUI:


File: %APPDATA%\Wireshark\ikev1_decryption_table


File: %APPDATA%\Wireshark\ikev2_decryption_table

If you don't know what to put into those files, first fill in the values in the GUI and then take the generated files as an example.

Then enable ISAKMP/IKE decryption in tshark. You need the following -o options:

tshark -nr ipsec.cap -o isakmp.ikev1_decryption_table:TRUE -V > IKEv1_decrypted.txt
tshark -nr ipsec.cap -o isakmp.ikev2_decryption_table:TRUE -V > IKEv2_decrypted.txt

After that, you'll see the decrypted IKE frames in the output files.

   Encrypted Data (40 bytes)    <================ HERE 
        Type Payload: Identification (5)
            Next payload: Hash (8)
            Payload length: 12
            ID type: IPV4_ADDR (1)
            Protocol ID: Unused
            Port: Unused
            Identification Data:
                ID_IPV4_ADDR: (
        Type Payload: Hash (8)
            Next payload: NONE / No Next Payload  (0)
            Payload length: 24
            Hash DATA: 3321b19237fb86a3231239d2049260d1b4a6e0e7
        Extra data: 00000000

See also my other answers related to IKE/ESP decryption:


answered 17 May '15, 07:03


Kurt Knochner ♦
accept rate: 15%

edited 17 May '15, 07:04
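
A way to confirm that the text files written by the tshark commands above really contain decrypted IKE payloads, added here as an example (it is not part of either answer or of Wireshark). It walks the `-V` output and reports, for each "Encrypted Data" block, which payloads were decoded beneath it. Assumptions: the function name `audit_decryption` and the sample text are constructed for illustration, and a block with nothing decoded under it is treated as not decrypted.

```python
import re
import sys

# "Encrypted Data (N bytes)" header, as in the tshark -V output quoted above.
ENC_RE = re.compile(r"^(\s*)Encrypted Data \((\d+) bytes\)")
# Decoded payload header "Type Payload: <name> (<n>)" as in that output; a bare
# "Payload:" prefix is also accepted (assumption about other builds).
PAYLOAD_RE = re.compile(r"^\s*(?:Type )?Payload: (.+?) \((\d+)\)\s*$")

# Constructed sample: the first block is decoded, the second is still opaque.
SAMPLE = """\
Internet Security Association and Key Management Protocol
    Encrypted Data (40 bytes)
        Type Payload: Identification (5)
            Next payload: Hash (8)
        Type Payload: Hash (8)
            Next payload: NONE / No Next Payload  (0)
Internet Security Association and Key Management Protocol
    Encrypted Data (64 bytes)
"""


def audit_decryption(text):
    """Return one dict per 'Encrypted Data' block in tshark -V text."""
    # Assumption: a block with no payload lines nested under it was not decrypted.
    blocks, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        depth = len(line) - len(line.lstrip(" "))
        m = ENC_RE.match(line)
        if m:
            current = {"bytes": int(m.group(2)), "depth": depth, "payloads": []}
            blocks.append(current)
        elif current and depth <= current["depth"]:
            current = None  # left the Encrypted Data subtree
        elif current and (p := PAYLOAD_RE.match(line)):
            current["payloads"].append(p.group(1))
    for b in blocks:
        b["decrypted"] = bool(b["payloads"])
    return blocks


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    results = audit_decryption(text)
    for b in results:
        print(b["bytes"], "bytes:", ", ".join(b["payloads"]) or "NOT DECRYPTED")
    sys.exit(0 if results and all(b["decrypted"] for b in results) else 1)
```

Run it with the output file as the only argument, for example `IKEv1_decrypted.txt`; the exit status is non-zero when any block is left undecoded or no encrypted block is found.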