Do I need to enable an option in order to see the EIGRP payload encapsulated into an ESP with ESP-NULL encryption?

Question

Good afternoon,

I'm trying to look inside a EIGRP Update packet that is encapsulated over a DMVPN solutions (GRE and ESP with ESP-NULL set). For whatever reason the Data part of the EIGRP is garbage.

Any ideas how to fix this problem? Does Wireshark have a limitation on how far it can look inside an IP packet?

Thanks G.

Answer 1

Hi, From dev mailing list Hi, I'm looking at en NULL encrypted ESP payload, trying to display it in Wireshark, in order to do so The preferences "Attempt to detect/decode NULL encrypted ESP payloads" must be "ticked" ( No supprise) "Attempt to detect/decode encrypted ESP payloads" must be "un-ticked" is that realy corrrect? Or should this patch be applied?

C:\wireshark\trunk>svn diff
Index: epan/dissectors/packet-ipsec.c
===================================================================
--- epan/dissectors/packet-ipsec.c      (revision 889)
+++ epan/dissectors/packet-ipsec.c      (working copy)
@@ -1099,8 +1099,7 @@
#ifdef HAVE_LIBGCRYPT
/* The SAD is not activated */

if(g_esp_enable_null_encryption_decode_heuristic &&
!g_esp_enable_encryption_decode)



if(g_esp_enable_null_encryption_decode_heuristic)
null_encryption_decode_heuristic = TRUE;
if(g_esp_enable_encryption_decode || g_esp_enable_authentication_check)