This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi, I have IPSec encrypted pcap file. My goal is to decrypt it using Wireshark and then export/save the resulting decrypted stream so that it can be read from/analyzed with tcpdump. [Aside: Actually the decrypted stream will be read with a tool that builds on top of tcpdump -- hence it NEEDS to be readable by tcpdump; wireshark won't do]

I used wireshark 2.2.3 on MacBook to decrypt ESP (IPSec) packets just fine. I could "Export to PDUs" and then select "OSI Layer(3)" to get a resulting pcap file. I tried saving that as WireShark pcap, Redhat 6.1 pcap and in both cases when I try to read the file via tcpdump, I get the following error:

$ tcpdump -r temp2.pcap reading from file temp2.pcap, link-type 252 tcpdump: packet printing is not supported for link type 252: use -w

Perhaps I am missing something obvious/basic. Would really appreciate any tip/help to get past this.

Thanks!

asked 23 Feb '17, 23:43

joeshmoe's gravatar image

joeshmoe
6112
accept rate: 0%


I think it is like the printout says tcpdump can't handle exported_pdu linktype packets. I think your options are: extend tcpdump to handle the linktype. Change your program to use tshark. Use text2pcap to add (back) a fake transport layer.

permanent link

answered 24 Feb '17, 01:55

Anders's gravatar image

Anders ♦
4.6k952
accept rate: 17%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×19

question asked: 23 Feb '17, 23:43

question was seen: 1,080 times

last updated: 24 Feb '17, 01:55

p​o​w​e​r​e​d by O​S​Q​A