This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark - realtime simultaneously capture & decrypt ESP packets


Hello there,

I'm creating a C# program in which network traffic from an Android device will be forwarded to my PC and captured using the tshark command line. This is how it works:

In the first CMD window

adb shell "tcpdump -i any -n -U -w - not port 1122 | nc -l 1122"

In the second CMD window

adb forward tcp:1122 tcp:1122 && nc 127.0.0.1 1122  | tshark -i - -Y "sip||esp" -d tcp.port=="5000-65535",sip -d udp.port=="5000-65535",sip -T text -l -O "sip,esp"

This runs perfectly showing all SIP messages from/to my device in case of no ESP encryption.

But in the case of ESP encryption, I can only see 2 SIP packets with full contents (i.e. REGISTER & 401 Unauthorized) while encryption is not enabled. After that, all packets are ESP encrypted data.

When IPsec is enabled, I can get the Encrypt Key from my device and append it to the esp_sa file. But tshark seems to read this file only the first time it runs. So, the newly added key is not used to decode during capturing.

I would like to ask if anyone knows how to work around this.

Thanks in advance!

asked 07 Mar '17, 19:18


Viet-Anh Dinh

edited 07 Mar '17, 19:22
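The pipeline from the question, rewritten as an added shell example (not the poster's C# program or any code from the thread). It keeps the same adb port forward, nc feed and SIP port range, and adds two things the question points at: tshark's esp.enable_encryption_decode preference is switched on explicitly, and tee keeps every raw byte of the stream in a pcap file so that, once a new key has been appended to esp_sa, a fresh tshark process can be started on the saved file and will read the updated table at startup. The TSHARK, RAW_PCAP and port variables are assumptions for this script; the esp_sa file itself is expected in the active Wireshark profile as in the question.

```shell
#!/usr/bin/env bash
# Added example: live SIP/ESP capture from an Android device via adb + nc,
# with the raw stream saved so it can be decoded again after esp_sa changes.
# Assumptions (not from the question): TSHARK may point at a different
# tshark binary, RAW_PCAP is the save location, both default below.
set -u

FORWARD_PORT=1122          # port used in the question
SIP_PORTS="5000-65535"     # SIP port range used in the question
RAW_PCAP="${RAW_PCAP:-raw_capture.pcap}"

# Run tshark with the decode settings from the question plus explicit ESP
# decryption. "$@" selects the input: "-i -" for stdin or "-r file" for a
# saved capture. TSHARK defaults to the tshark on PATH.
run_tshark() {
    "${TSHARK:-tshark}" "$@" \
        -o esp.enable_encryption_decode:TRUE \
        -d "tcp.port==${SIP_PORTS},sip" \
        -d "udp.port==${SIP_PORTS},sip" \
        -Y 'sip||esp' \
        -O 'sip,esp' \
        -T text \
        -l
}

# Live mode: same adb/nc feed as the question, but tee copies the raw pcap
# stream into RAW_PCAP before tshark sees it, so nothing is lost if the
# current esp_sa table cannot decrypt yet.
capture_live() {
    adb forward "tcp:${FORWARD_PORT}" "tcp:${FORWARD_PORT}" || return 1
    nc 127.0.0.1 "$FORWARD_PORT" | tee "$RAW_PCAP" | run_tshark -i -
}

# Offline mode: tshark loads esp_sa when the process starts, so a new run
# on the saved file uses keys appended after the live capture began.
decode_saved() {
    [ -s "$RAW_PCAP" ] || { echo "no saved capture at $RAW_PCAP" >&2; return 1; }
    run_tshark -r "$RAW_PCAP"
}

case "${1:-}" in
    live)   capture_live ;;
    decode) decode_saved ;;
esac
```

Start it with `./capture.sh live` while the device is attached (the first CMD window from the question, with tcpdump piped into `nc -l 1122`, still has to be running), append the new SA to esp_sa once the key is known, then run `./capture.sh decode` to see the ESP payloads decrypted from the saved stream.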