Hi there,

I am looking to decrypt some IPSec traffic. I have the capture file, the associated .SA file and the encryption key. The problem is that from what I can see every single line of the 33 SAs has to be entered into the ESP preferences in Wireshark - piece by piece. Is there an easier way to get the information from the SA file to the ESP preferences - perhaps via an import or some other means? Having that many SAs means a whole lot of data to manually enter, which makes for potential errors.

Any information would be appreciated.

Thanks, Les

asked 02 Nov '15, 08:47 LesJarvis
One Answer:
There is no import function, but you can create the file manually. See my answer to a similar question:
++UPDATE++ After reading my own post again, I realized that the path to the file is not that clear. It's in the user preferences directory. You'll see the path to that directory in the Help menu.
Take that folder and add the file name esp_sa to it. On Windows it's usually:
unless you are working with profiles in Wireshark, then it's
While xxxxx is the name of the profile.

Regards

answered 02 Nov '15, 08:51 Kurt Knochner ♦ edited 02 Nov '15, 09:03
Thanks Kurt - I appreciate the help! I was able to generate a working esp_sa file by exporting the appropriate data from Excel.
Les
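
The spreadsheet-to-esp_sa step mentioned in this thread, as an added example that is not code from either poster or from Wireshark. It assumes the CSV column names shown in FIELDS (hypothetical), keys and SPIs written as 0x-prefixed hex, and an esp_sa row of eight double-quoted, comma-separated fields in the column order of Wireshark's ESP SA table; enter one SA through the GUI first and compare the file Wireshark writes with this layout before relying on it.

```python
import csv
import io
import re

# Assumed esp_sa row layout (column order of Wireshark's ESP SA table):
# protocol, src IP, dest IP, SPI, encryption, enc key, authentication, auth key.
# These CSV header names are hypothetical; rename them to match your export.
FIELDS = ["protocol", "src", "dst", "spi", "encryption",
          "encryption_key", "authentication", "authentication_key"]
HEX = re.compile(r"0x[0-9a-fA-F]+")


def csv_to_esp_sa(csv_text):
    """Convert a spreadsheet CSV export (header row = FIELDS) to esp_sa lines."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = set(FIELDS) - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"missing columns: {sorted(missing)}")
    lines = []
    for n, row in enumerate(reader, start=2):  # line 1 is the header
        values = [(row[f] or "").strip() for f in FIELDS]
        rec = dict(zip(FIELDS, values))
        if rec["protocol"] not in ("IPv4", "IPv6"):
            raise ValueError(f"line {n}: protocol must be IPv4 or IPv6")
        if not HEX.fullmatch(rec["spi"]):
            raise ValueError(f"line {n}: bad SPI {rec['spi']!r}")
        # Reject keys that are not whole hex bytes (a typical copy/paste slip).
        for key in ("encryption_key", "authentication_key"):
            v = rec[key]
            if v and (not HEX.fullmatch(v) or len(v) % 2):
                raise ValueError(f"line {n}: {key} is not whole hex bytes")
        if any('"' in v for v in values):
            raise ValueError(f"line {n}: double quote inside a field")
        lines.append(",".join(f'"{v}"' for v in values))
    return lines


# Constructed sample export; addresses and keys are dummy values.
SAMPLE = """protocol,src,dst,spi,encryption,encryption_key,authentication,authentication_key
IPv4,192.0.2.1,192.0.2.2,0x0000c001,AES-CBC [RFC3602],0x00112233445566778899aabbccddeeff,HMAC-SHA-1-96 [RFC2404],0x000102030405060708090a0b0c0d0e0f10111213
IPv4,192.0.2.2,192.0.2.1,0x0000c002,AES-CBC [RFC3602],0x00112233445566778899aabbccddeeff,HMAC-SHA-1-96 [RFC2404],0x000102030405060708090a0b0c0d0e0f10111213
"""

if __name__ == "__main__":
    print("\n".join(csv_to_esp_sa(SAMPLE)))
```

The generated file contains key material in clear text, so keep it, and the spreadsheet it came from, under the same access controls as the keys themselves.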