This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Do I need to enable an option in order to see the EIGRP payload encapsulated into an ESP with ESP-NULL encryption?

0

Good afternoon,

I'm trying to look inside an EIGRP Update packet that is encapsulated over a DMVPN solution (GRE and ESP with ESP-NULL set). For whatever reason the Data part of the EIGRP is garbage.

Any ideas how to fix this problem? Does Wireshark have a limitation on how far it can look inside an IP packet?

Thanks G.

asked 13 Oct '11, 11:54

calin_112
1112
accept rate: 0%

edited 13 Oct '11, 11:56

Same problem with EIGRP over GRE.

(13 Oct '11, 13:08) calin_112

One Answer:

0

Hi,

From the dev mailing list:

Hi, I'm looking at a NULL encrypted ESP payload, trying to display it in Wireshark. In order to do so, the preferences

"Attempt to detect/decode NULL encrypted ESP payloads" must be "ticked" (no surprise)
"Attempt to detect/decode encrypted ESP payloads" must be "un-ticked"

Is that really correct? Or should this patch be applied?

C:\wireshark\trunk>svn diff
Index: epan/dissectors/packet-ipsec.c
===================================================================
--- epan/dissectors/packet-ipsec.c      (revision 889)
+++ epan/dissectors/packet-ipsec.c      (working copy)
@@ -1099,8 +1099,7 @@

#ifdef HAVE_LIBGCRYPT /* The SAD is not activated */

  • if(g_esp_enable_null_encryption_decode_heuristic &&
  • !g_esp_enable_encryption_decode)
  • if(g_esp_enable_null_encryption_decode_heuristic) null_encryption_decode_heuristic = TRUE;

    if(g_esp_enable_encryption_decode || g_esp_enable_authentication_check)
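
Review bot: Dropping the `!g_esp_enable_encryption_decode` term from the test that sets `null_encryption_decode_heuristic` means the heuristic and the branch that follows, `if(g_esp_enable_encryption_decode || g_esp_enable_authentication_check)`, can now both be active for the same packet, and the hunk does not show which result takes precedence. Please document the intended order in a comment at that assignment, and update the wording of the two preferences so users know that one no longer has to be un-ticked for the other to work.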

answered 13 Oct '11, 14:44

Anders ♦
4.6k952
accept rate: 17%

edited 14 Oct '11, 05:47

multipleinte…
1.3k152340
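
An added illustration, not part of the original thread and not Wireshark's dissector code: the kind of check a NULL-encryption heuristic can make on an ESP packet, following the RFC 4303 layout. The 12-byte ICV length, the function names and the sample packet are assumptions constructed for this example.

```python
import struct

ICV_LEN = 12  # assumption: 96-bit truncated HMAC ICV; set to match the SA's integrity algorithm

# Constructed inner payload: GRE header (protocol type 0x0800) + placeholder IPv4 header bytes
SAMPLE_INNER = bytes.fromhex("00000800") + b"\x45" + bytes(19)


def parse_esp_null(esp: bytes, icv_len: int = ICV_LEN):
    """Parse an ESP packet on the assumption that it uses NULL encryption.

    Returns spi, seq, next_header and the cleartext payload, or None when the
    trailer is not consistent with an unencrypted packet.
    """
    # 8-byte header + pad-length byte + next-header byte + ICV is the minimum
    if len(esp) < 8 + 2 + icv_len:
        return None
    spi, seq = struct.unpack("!II", esp[:8])
    trailer_end = len(esp) - icv_len
    pad_len = esp[trailer_end - 2]
    next_header = esp[trailer_end - 1]
    payload_end = trailer_end - 2 - pad_len
    if payload_end < 8:
        return None
    # RFC 4303 default padding is 1, 2, 3, ...; ciphertext rarely matches it
    if esp[payload_end:trailer_end - 2] != bytes(range(1, pad_len + 1)):
        return None
    return {"spi": spi, "seq": seq, "next_header": next_header,
            "payload": esp[8:payload_end]}


def build_sample(inner: bytes, next_header: int, padding_ok: bool = True) -> bytes:
    """Constructed test packet: SPI 0x1000, sequence 1, all-zero ICV."""
    pad_len = (-(len(inner) + 2)) % 4  # align payload + trailer to 4 bytes
    padding = bytes(range(1, pad_len + 1)) if padding_ok else b"\xa7" * pad_len
    return (struct.pack("!II", 0x1000, 1) + inner + padding
            + bytes([pad_len, next_header]) + bytes(icv_len_default()))


def icv_len_default() -> int:
    return ICV_LEN


if __name__ == "__main__":
    good = parse_esp_null(build_sample(SAMPLE_INNER, 47))  # 47 = GRE
    print("next header:", good["next_header"], "payload bytes:", len(good["payload"]))
    print("bad padding:", parse_esp_null(build_sample(SAMPLE_INNER, 47, padding_ok=False)))
```

If the ICV length assumed here does not match the SA, the pad-length and next-header bytes are read from the wrong offset and the payload will not parse, even though it is in the clear.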