This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi, I have an ESP encrypted traffic between two endpoints and Wireshark sees it as UDP, when I left click on one of those packets and click "decode as" ESP doesn't shows as an option. The traffic goes through UDP/4501, maybe it's not recognizing it because it doesn't goes through UDP/4500?

Any thoughts? Thanks! Keliath

asked 24 Jan '17, 11:27

keliath's gravatar image

keliath
46113
accept rate: 100%


Just answered my question, the protocol to decode as is "udpencap". Now I can see the ESP payloads.

Thanks!

permanent link

answered 24 Jan '17, 12:45

keliath's gravatar image

keliath
46113
accept rate: 100%

Nice. I was looking for "ESP" in the "Decode As", but now I too see "UDPENCAP".

(24 Jan '17, 13:02) cmaynard ♦♦

maybe it's not recognizing it because it doesn't goes through UDP/4500?

Correct. Wireshark expects ESP to be on UDP port 4500 only. Wireshark would need to be modified for it to recognize the packets as ESP on UDP/4501. Alternatively, you could run the capture file through a tool like Tracewrangler and replace port 4501 with port 4500 so Wireshark can recognize the packets as ESP.

permanent link

answered 24 Jan '17, 12:09

cmaynard's gravatar image

cmaynard ♦♦
9.3k1038142
accept rate: 20%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×166
×20
×16

question asked: 24 Jan '17, 11:27

question was seen: 1,284 times

last updated: 24 Jan '17, 13:02

p​o​w​e​r​e​d by O​S​Q​A