Hi, I have ESP encrypted traffic between two endpoints and Wireshark sees it as UDP. When I left click on one of those packets and click "Decode As", ESP doesn't show as an option. The traffic goes through UDP/4501; maybe it's not recognizing it because it doesn't go through UDP/4500? Any thoughts? Thanks! asked 24 Jan '17, 11:27 keliath
2 Answers:
Just answered my own question: the protocol to decode as is "udpencap". Now I can see the ESP payloads. Thanks! answered 24 Jan '17, 12:45 keliath
"maybe it's not recognizing it because it doesn't go through UDP/4500?" Correct. Wireshark expects ESP to be on UDP port 4500 only. Wireshark would need to be modified for it to recognize the packets as ESP on UDP/4501. Alternatively, you could run the capture file through a tool like TraceWrangler and replace port 4501 with port 4500 so Wireshark can recognize the packets as ESP. answered 24 Jan '17, 12:09 cmaynard ♦♦
Nice. I was looking for "ESP" in the "Decode As", but now I too see "UDPENCAP".
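As an added example that is not part of the question or answers above: a small Python check of what the "udpencap" dissector does once the port mapping exists, plus the tshark -d argument for the same Decode As mapping on the command line. It assumes RFC 3948 framing (non-ESP marker, NAT keepalive, ESP header) and that the sample packets below are constructed, not captured.

```python
import struct

# RFC 3948 §2.2: four zero bytes in front of the payload mean IKE, not ESP.
# An ESP SPI of zero is reserved, so a real ESP header never starts this way.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
# RFC 3948 §2.3: a single 0xFF byte is a NAT-keepalive, not IKE or ESP.
NAT_KEEPALIVE = b"\xff"


def classify_udpencap(payload: bytes) -> dict:
    """Classify a UDP payload the way Wireshark's udpencap dissector does.

    Returns a dict whose 'kind' is 'nat-keepalive', 'ike' or 'esp'; for ESP
    the SPI and sequence number from the 8-byte ESP header are included.
    Only the header is parsed: the ESP body stays ciphertext without the SA key.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 4:
        raise ValueError("too short for UDP-encapsulated IKE or ESP")
    if payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", "ike": payload[4:]}
    if len(payload) < 8:
        raise ValueError("too short for an ESP header")
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq, "ciphertext": payload[8:]}


def tshark_decode_as_args(port: int, proto: str = "udpencap") -> list:
    """tshark arguments equivalent to Wireshark's Decode As for a UDP port."""
    return ["-d", f"udp.port=={port},{proto}"]


# Constructed sample payloads (hypothetical SPI and ciphertext bytes).
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\x9c\x1e\x40\x07\xd2\x8b"
SAMPLE_IKE = NON_ESP_MARKER + b"\x00" * 28   # marker followed by an IKE header
SAMPLE_KEEPALIVE = NAT_KEEPALIVE

if __name__ == "__main__":
    for name, pkt in [("esp", SAMPLE_ESP), ("ike", SAMPLE_IKE),
                      ("keepalive", SAMPLE_KEEPALIVE)]:
        print(name, classify_udpencap(pkt)["kind"])
    print(" ".join(["tshark", "-r", "capture.pcap", *tshark_decode_as_args(4501)]))
```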