This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decapsulation of OpenBSD enc frames

0

I recently upgraded to 2.2.0 on the Mac and noticed that I no longer get OpenBSD ENC Encapsulated captures automatically decapsulated, and I have not found a manual way to do so either. The ones I routinely use are taken on pfSense's IPsec interface. The data is there, but all I see in Wireshark now is Protocol ENC. Frames show as [Protocols in frame: enc:data]. In older versions they would appear as, for example, [Protocols in frame: enc:ip:udp:data], with the data portion decoded and displayed.

$ capinfos -E packetcapture.cap
File name:           packetcapture.cap
File encapsulation:  OpenBSD enc(4) encapsulating interface

Is there a way to tell latest Wireshark to decapsulate these captures again?

asked 05 Oct '16, 16:14

backsnarf
accept rate: 0%

Still an issue on 2.2.3. Anyone know how to trigger automatic decapsulation of the plaintext data in these captures?

(29 Dec '16, 09:39) backsnarf

Either a sample capture or a full bug report would be needed to help this along.

(29 Dec '16, 10:48) Jaap ♦
1

Created bug with a sample capture file. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13279

(29 Dec '16, 12:52) labrat

One Answer:

1

The solution is to upgrade to Wireshark 2.2.4, which contains a fix for this bug.

answered 31 Dec '16, 02:39

Jaap ♦
accept rate: 14%

Thank you so very much. Confirmed working again in 2.2.4-RC.

(31 Dec '16, 13:41) backsnarf
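
For a build that will not dissect past the enc layer, one manual route is to strip the fixed 12-byte enc(4) header from every record and relabel the capture as raw IP. This is an added example, not part of the original thread or of Wireshark's code; the function name `strip_enc` is hypothetical and it assumes a classic pcap file (not pcapng).

```python
import struct

LINKTYPE_ENC = 109  # "OpenBSD enc(4) encapsulating interface"
LINKTYPE_RAW = 101  # payload starts directly with an IPv4/IPv6 header
ENC_HDRLEN = 12     # struct enchdr: 32-bit af, 32-bit spi, 32-bit flags

LITTLE = (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1")  # usec / nsec magic
BIG = (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d")


def strip_enc(pcap: bytes) -> bytes:
    """Return a copy of a classic pcap with each record's enc header removed."""
    if len(pcap) < 24:
        raise ValueError("file too short for a pcap global header")
    if pcap[:4] in LITTLE:
        end = "<"
    elif pcap[:4] in BIG:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(end + "I", pcap, 20)[0]
    if linktype != LINKTYPE_ENC:
        raise ValueError(f"link type is {linktype}, expected {LINKTYPE_ENC}")

    # Keep magic, version, timezone and snaplen; replace only the link type.
    out = [pcap[:20] + struct.pack(end + "I", LINKTYPE_RAW)]
    off = 24
    while off < len(pcap):
        if off + 16 > len(pcap):
            raise ValueError("truncated record header")
        ts_sec, ts_frac, caplen, origlen = struct.unpack_from(end + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        if len(frame) != caplen:
            raise ValueError("truncated record data")
        off += 16 + caplen
        if caplen < ENC_HDRLEN:
            continue  # too short to contain an enc header; nothing to keep
        payload = frame[ENC_HDRLEN:]
        # Original length shrinks by the header too, never below what we kept.
        new_orig = max(origlen - ENC_HDRLEN, len(payload))
        out.append(struct.pack(end + "IIII", ts_sec, ts_frac,
                               len(payload), new_orig) + payload)
    return b"".join(out)
```

Write the returned bytes to a new file and open that; the SPI and flags carried in the enc header are discarded, so keep the original capture alongside it.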