Hi, I have ESP-encrypted traffic between two endpoints and Wireshark sees it as UDP. When I left-click on one of those packets and click "Decode As", ESP doesn't show up as an option. The traffic goes through UDP/4501; maybe it's not recognizing it because it doesn't go through UDP/4500?
Any thoughts? Thanks! Keliath
asked 24 Jan '17, 11:27
Just answered my question, the protocol to decode as is "udpencap". Now I can see the ESP payloads.
answered 24 Jan '17, 12:45
maybe it's not recognizing it because it doesn't go through UDP/4500?
Correct. Wireshark expects ESP to be on UDP port 4500 only. Wireshark would need to be modified for it to recognize the packets as ESP on UDP/4501. Alternatively, you could run the capture file through a tool like Tracewrangler and replace port 4501 with port 4500 so Wireshark can recognize the packets as ESP.
answered 24 Jan '17, 12:09
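Both answers come down to the same point: the UDP payload on a NAT-T port is self-describing per RFC 3948, and Wireshark's "udpencap" dissector simply is not attached to UDP/4501 by default, so the packets stay "UDP" until you tell it otherwise. The following is an added example, not code from the thread or from Wireshark, that applies the RFC 3948 framing rules to a few constructed payloads so you can see what the "udpencap" dissector is deciding on. The sample bytes, the SPI value and the port list are all constructed for illustration.

```python
"""Classify UDP payloads on an IPsec NAT-T port the way RFC 3948 framing defines.

Added example (not from the original thread or from Wireshark). The first bytes
of the UDP payload decide what follows:
  * exactly one byte 0xFF                  -> NAT-keepalive
  * four zero bytes ("non-ESP marker")     -> IKE message follows
  * anything else                          -> ESP: SPI (4 bytes) + sequence (4 bytes)
ESP never puts a zero SPI on the wire (SPIs 0-255 are reserved), which is what
makes the zero marker unambiguous. The UDP port (4500, 4501, ...) is only the
hint a dissector uses to attach itself; the payload itself carries the framing.
"""
import struct
from collections import Counter


def parse_udpencap(payload: bytes) -> dict:
    """Return a dict describing one UDP payload carried on a NAT-T port."""
    if len(payload) == 1 and payload[0] == 0xFF:
        return {"kind": "nat-keepalive"}
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        # Non-ESP marker: strip it and hand the rest to an IKE parser.
        return {"kind": "ike", "ike": payload[4:]}
    if len(payload) < 8:
        raise ValueError("payload too short for an ESP header (need SPI + seq)")
    spi, seq = struct.unpack("!II", payload[:8])  # network byte order
    if spi == 0:
        raise ValueError("SPI 0 is reserved and never appears in ESP on the wire")
    return {"kind": "esp", "spi": spi, "seq": seq, "encrypted": payload[8:]}


def summarize(packets) -> Counter:
    """Count payload kinds over (udp_dst_port, payload) pairs, ignoring the port.

    This mirrors what you get once 'Decode As ... udpencap' is applied to a
    non-default port: the classification depends on the bytes, not on the port.
    """
    return Counter(parse_udpencap(payload)["kind"] for _port, payload in packets)


# Constructed sample payloads (not captured traffic).
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"\xaa" * 24  # SPI, seq=1, ciphertext
SAMPLE_IKE = b"\x00\x00\x00\x00" + b"\x11" * 28               # non-ESP marker + IKE hdr
SAMPLE_KEEPALIVE = b"\xff"

# Same framing on UDP/4501 as on UDP/4500; only the dissector binding differs.
SAMPLE_PACKETS = [
    (4501, SAMPLE_ESP),
    (4501, struct.pack("!II", 0x12345678, 2) + b"\xbb" * 24),
    (4501, SAMPLE_IKE),
    (4500, SAMPLE_KEEPALIVE),
]

if __name__ == "__main__":
    for port, payload in SAMPLE_PACKETS:
        print(port, parse_udpencap(payload)["kind"])
    print(dict(summarize(SAMPLE_PACKETS)))
```

For a capture file the equivalent one-liner is tshark's decode-as option, `tshark -r capture.pcap -d udp.port==4501,udpencap`, which binds the same dissector the accepted answer selected in the GUI; rewriting the port with a tool like Tracewrangler, as the other answer suggests, works too but alters the evidence, so prefer the decode-as route when the file is going to be kept.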