This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello,

I have configured mirroring of traffic from a Cisco switch port which is connected to the Cisco ASA outside interface in order to monitor IPSEC traffic, but all I can see is ordinary traffic and no IPSEC.

Is there any special configuration in Wireshark to enable IPSEC monitoring?

Thank you

asked 02 Jun '16, 01:15

fgasimzade


There are several possibilities to consider:

  • you are monitoring the wrong interface of the ASA

  • the ipsec packets do not make it to the monitoring port due to some issue of the switch monitoring implementation

  • the network card, driver, and the capturing library at the capturing PC do not let the ipsec packets through (I guess you haven't forgotten to capture in promiscuous mode)

  • some (usually security) software at the capturing machine interferes with the capturing process

  • the packets do arrive but Wireshark does not dissect them as ipsec ones, perhaps because they use a non-default configuration.

Can you check the transport protocol (Cisco uses unusual things like IPSEC over UDP), the ports, and eventually VLAN used, and check whether any packets between the IP addresses in question (ASA's one and VPN client's one) exist in the capture, and if yes, whether they match the protocol and ports of the IPSEC settings in use?

Also, VLAN tags are usually stripped by the network card driver on Windows, so if you capture on Windows and look for a particular VLAN, you may never find it.

answered 02 Jun '16, 02:09

sindy
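
The checks listed in the answer above (transport protocol, ports, VLAN, and whether any packets between the two peers exist at all), as an added example that is not part of the original thread: a classifier for raw Ethernet frames that labels native ESP/AH, IKE, NAT-T encapsulation and traffic on a caller-supplied UDP tunnel port, per VLAN. The addresses, the port 10000 and all function names are constructed for illustration.

```python
import struct
from collections import Counter

def classify(frame, extra_udp_ports=()):
    """Return (vlan, src, dst, label) for an Ethernet frame, or None if not IPv4."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    while ethertype in (0x8100, 0x88A8):   # VLAN tags, if the NIC driver kept them
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        vlan, off = tci & 0x0FFF, off + 4
    if ethertype != 0x0800 or len(frame) < off + 20:
        return None
    ihl, proto = (frame[off] & 0x0F) * 4, frame[off + 9]
    src, dst = (".".join(map(str, frame[off + i:off + i + 4])) for i in (12, 16))
    l4, label = frame[off + ihl:], {50: "ESP", 51: "AH"}.get(proto, "other")
    if proto == 17 and len(l4) >= 8:
        sport, dport, ulen = struct.unpack("!HHH", l4[:6])
        data, ports = l4[8:ulen], {sport, dport}
        if 500 in ports:
            label = "IKE (UDP 500)"
        elif 4500 in ports:   # RFC 3948: 0xFF keepalive, zero marker = IKE, else ESP
            label = ("NAT-T keepalive" if data == b"\xff" else
                     "IKE (UDP 4500)" if data[:4] == b"\0" * 4 else "ESP in UDP (NAT-T)")
        elif ports & set(extra_udp_ports):
            label = "UDP on configured tunnel port"
    return vlan, src, dst, label

def summarize(frames, peer_a, peer_b, extra_udp_ports=()):
    """Count (vlan, label) pairs for frames exchanged between the two peers."""
    hits = (classify(f, extra_udp_ports) for f in frames)
    return Counter((r[0], r[3]) for r in hits if r and {r[1], r[2]} == {peer_a, peer_b})

def build_frame(src, dst, proto, payload, vlan=None):   # builds constructed sample frames
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\0" * 12 + tag + b"\x08\x00" + ip + payload
def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

ASA, CLIENT = "198.51.100.1", "203.0.113.7"   # constructed documentation addresses
SAMPLE = [
    build_frame(CLIENT, ASA, 17, build_udp(500, 500, b"\x11" * 28)),
    build_frame(ASA, CLIENT, 50, b"\x22" * 24),
    build_frame(CLIENT, ASA, 17, build_udp(4500, 4500, b"\0" * 4 + b"\x11" * 28), vlan=20),
    build_frame(ASA, CLIENT, 17, build_udp(4500, 4500, b"\x33" * 24), vlan=20),
    build_frame(CLIENT, ASA, 17, build_udp(40000, 10000, b"\x44" * 24)),
    build_frame("192.0.2.9", ASA, 6, b"\0" * 20),   # unrelated host, filtered out
]
```

An empty result from `summarize` means no frames between the two peers reached the capture at all, which points at the mirroring or capture setup rather than at dissection.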

Sorry, it was the promiscuous mode that was not enabled; I thought it was not necessary with port mirroring.

Thank you

(02 Jun '16, 03:20) fgasimzade

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(02 Jun '16, 03:34) grahamb ♦

It is the other way round:

  • promiscuous mode is solely a behaviour of the network card which you use to capture. You have to select this mode so that the card also lets through to the upper protocol stack layers those incoming unicast frames whose destination MAC address does not match its own.

  • monitoring on the switch is necessary to make the switch copy all frames seen at the chosen port(s)/in the chosen VLAN(s) to the monitoring port to which a capturing card is connected, regardless of their destination MAC address. It is necessary as the very purpose of a switch is normally to send to each connected piece of equipment only those frames which are interesting for it.

So if you had a hub, you wouldn't need to set monitoring mode in it, but you still would need promiscuous mode on the capturing card.

(02 Jun '16, 03:40) sindy

I think the IPSEC tunnel is terminated at the ASA outside interface, therefore you are looking at mirrored traffic inside the tunnel. There's nothing Wireshark can do about that.

answered 02 Jun '16, 01:21

Jaap ♦

Yes, it is terminated on ASA outside interface, but traffic physically is going through the mirrored switch port and I thought capturing traffic from that switch port will let me see IPSEC traffic. Am I wrong?

(02 Jun '16, 01:36) fgasimzade