This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Saving IPSec decrypted stream to tcpdump-readable format


Hi, I have an IPSec-encrypted pcap file. My goal is to decrypt it using Wireshark and then export/save the resulting decrypted stream so that it can be read from/analyzed with tcpdump. [Aside: Actually the decrypted stream will be read with a tool that builds on top of tcpdump -- hence it NEEDS to be readable by tcpdump; Wireshark won't do.]

I used Wireshark 2.2.3 on a MacBook to decrypt ESP (IPSec) packets just fine. I could "Export to PDUs" and then select "OSI Layer(3)" to get a resulting pcap file. I tried saving that as Wireshark pcap and as Redhat 6.1 pcap, and in both cases, when I try to read the file via tcpdump, I get the following error:

    $ tcpdump -r temp2.pcap
    reading from file temp2.pcap, link-type 252
    tcpdump: packet printing is not supported for link type 252: use -w

Perhaps I am missing something obvious/basic. Would really appreciate any tip/help to get past this.

Thanks!

asked 23 Feb '17, 23:43


joeshmoe
accept rate: 0%


One Answer:


I think it is like the printout says: tcpdump can't handle exported_pdu linktype packets. I think your options are: extend tcpdump to handle the linktype; change your program to use tshark; or use text2pcap to add (back) a fake transport layer.

answered 24 Feb '17, 01:55


Anders ♦
accept rate: 17%
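A variant of the answer's third option that needs no text2pcap, as an added example that is not from the thread or from the Wireshark project: a small Python converter that strips the exported_pdu option header from every frame of a link-type 252 capture and rewrites the file as LINKTYPE_RAW (101), which tcpdump reads directly. It assumes the exported_pdu layout of 16-bit tag / 16-bit length / value options terminated by tag 0, that tag 12 carries the protocol name, and that the export was done at OSI Layer 3 so each PDU begins with an IP header; the sample capture is constructed inline.

```python
import struct

LINKTYPE_WIRESHARK_UPPER_PDU = 252   # what "Export PDUs" writes (exported_pdu)
LINKTYPE_RAW = 101                   # raw IP, which tcpdump -r accepts
EXP_PDU_TAG_END_OF_OPT = 0           # terminates the option list
EXP_PDU_TAG_PROTO_NAME = 12          # assumed tag value; value is the dissector name

def strip_exported_pdu(frame: bytes) -> bytes:
    """Skip the exported_pdu option TLVs (tag16, len16, value) and return the bare PDU."""
    off = 0
    while True:
        tag, length = struct.unpack_from(">HH", frame, off)
        off += 4 + length
        if tag == EXP_PDU_TAG_END_OF_OPT:
            return frame[off:]

def convert_pcap(data: bytes) -> bytes:
    """Rewrite a link-type 252 pcap as link-type 101 so tcpdump can print it."""
    magic = int.from_bytes(data[:4], "little")
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a microsecond-resolution pcap file")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    hdr = list(struct.unpack_from(endian + "IHHiIII", data, 0))
    if hdr[6] != LINKTYPE_WIRESHARK_UPPER_PDU:
        raise ValueError("link-type %d is not exported_pdu" % hdr[6])
    hdr[6] = LINKTYPE_RAW
    out, off = [struct.pack(endian + "IHHiIII", *hdr)], 24
    while off < len(data):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        pdu = strip_exported_pdu(data[off + 16:off + 16 + incl])
        off += 16 + incl
        out.append(struct.pack(endian + "IIII", sec, usec, len(pdu), len(pdu)) + pdu)
    return b"".join(out)

def linktype_of(pcap: bytes) -> int:
    """Read the link-type field of a pcap global header."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    return struct.unpack_from(endian + "I", pcap, 20)[0]

def build_sample_exported_pdu_pcap() -> bytes:
    """Constructed sample: one 24-byte IPv4 packet wrapped as an exported_pdu frame."""
    ip = bytes.fromhex("45000018000100004011" "0000" "0a0000010a000002") + b"\xde\xad\xbe\xef"
    opts = struct.pack(">HH", EXP_PDU_TAG_PROTO_NAME, 4) + b"ip\x00\x00"
    opts += struct.pack(">HH", EXP_PDU_TAG_END_OF_OPT, 0)
    frame = opts + ip
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_WIRESHARK_UPPER_PDU)
    rec = struct.pack("<IIII", 1487900000, 0, len(frame), len(frame))
    return ghdr + rec + frame
```

Run `convert_pcap` over the bytes of the exported file and write the result to disk; because the IP header is still present, `tcpdump -r` on the converted file dissects the decrypted packets normally.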