This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello there,

I'm creating a C# program in which network traffic from an Android device is forwarded to my PC and captured using the tshark command line. This is how it works:

In the first CMD window

adb shell "tcpdump -i any -n -U -w - not port 1122 | nc -l 1122"

In the second CMD window

adb forward tcp:1122 tcp:1122 && nc 127.0.0.1 1122  | tshark -i - -Y "sip||esp" -d tcp.port=="5000-65535",sip -d udp.port=="5000-65535",sip -T text -l -O "sip,esp"

This runs perfectly, showing all SIP messages from/to my device when there is no ESP encryption.

But when ESP encryption is used, I can only see 2 SIP packets with full contents (i.e. REGISTER & 401 Unauthorized), from when encryption is not enabled. After that, all packets are ESP encrypted data.

When IPsec is enabled, I can get the encryption key from my device and append it to the esp_sa file. But tshark seems to read this file only when it first starts, so the newly added key is not used for decoding during the capture.

I would like to ask if anyone knows how to work around this.

Thanks in advance!

asked 07 Mar '17, 19:18

Viet-Anh Dinh
edited 07 Mar '17, 19:22
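
Given the behaviour the question describes (esp_sa is read only when tshark starts), the following added example, which is not code from the post or from Wireshark, lists the ESP SPIs in a saved copy of the capture that have no esp_sa entry yet, so a fresh tshark run on that file can wait until those keys are in place. It assumes a little-endian pcap with the LINUX_SLL link type from `tcpdump -i any`, IPv4 with ESP that is not UDP-encapsulated, and the SPI in the fourth esp_sa field; the sample capture and SA entry are constructed.

```python
import csv
import io
import struct

LINKTYPE_LINUX_SLL = 113  # assumption: link type written by "tcpdump -i any"
IPPROTO_ESP = 50

def esp_spis(stream):
    """Yield the SPI of each IPv4 ESP packet in a little-endian pcap stream."""
    magic, *_, linktype = struct.unpack("<IHHiIII", stream.read(24))
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_LINUX_SLL:
        raise ValueError("expected little-endian pcap with LINUX_SLL link type")
    while len(rec := stream.read(16)) == 16:
        incl_len = struct.unpack("<IIII", rec)[2]
        pkt = stream.read(incl_len)
        if len(pkt) < 36 or pkt[14:16] != b"\x08\x00":  # 16-byte SLL header, IPv4
            continue
        ip = pkt[16:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[0] >> 4 == 4 and ip[9] == IPPROTO_ESP and len(ip) >= ihl + 4:
            yield struct.unpack("!I", ip[ihl:ihl + 4])[0]

def known_spis(esp_sa_text):
    """SPIs (4th field) of the esp_sa entries; skips comments and wildcards."""
    lines = [l for l in esp_sa_text.splitlines() if l.strip() and not l.startswith("#")]
    return {int(r[3], 16) for r in csv.reader(lines)
            if len(r) > 3 and r[3].lower().startswith("0x")}

def undecodable_spis(stream, esp_sa_text):
    """SPIs seen in the capture with no esp_sa entry, in ascending order."""
    return sorted(set(esp_spis(stream)) - known_spis(esp_sa_text))

def sample_capture(spis):
    """Constructed test capture: one ESP packet (header only) per SPI."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_LINUX_SLL)
    for spi in spis:
        sll = struct.pack("!HHH8sH", 0, 1, 6, b"\x00" * 8, 0x0800)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, IPPROTO_ESP, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        pkt = sll + ip + struct.pack("!II", spi, 1)  # ESP header: SPI, sequence
        out += struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    return out

# Constructed esp_sa entry (placeholder addresses and keys, not from the post)
SAMPLE_ESP_SA = ('"IPv4","10.0.0.1","10.0.0.2","0x00001111",'
                 '"AES-CBC [RFC3602]","0x00","HMAC-SHA-1-96 [RFC2404]","0x00"\n')

if __name__ == "__main__":
    cap = io.BytesIO(sample_capture([0x1111, 0x2222]))
    print([hex(s) for s in undecodable_spis(cap, SAMPLE_ESP_SA)])
```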
