Is there a way to check the correct sequence of ESP packets, looking for lost ones? Without knowing any key or encryption algorithm, a basic quality check of an encrypted flow could be to check the

My first idea would be to extract the fields at the command line and continue with Perl, but a nice feature in Wireshark would be to colorize the lost packets as in TCP.

asked 03 Nov '10, 11:09 S Peters edited 03 Nov '10, 11:10
One Answer:
This feature does not yet exist but you can file an enhancement bug report if you wish at https://bugs.wireshark.org/bugzilla/. Until then, you might want to use For example:
While the above is probably the best method to use at this time (or the best method I can think of at least), there are some other things you could do in Wireshark, such as:
If there are no gaps, then the result will be zero; if you do have gaps, then what's left is the sum of all missing ESP sequence numbers. This won't necessarily tell you which ones are missing (unless you happen to get lucky where only one is missing), but it will at least tell you if there are any missing or not. Unfortunately, this method breaks down if there are any duplicate ESP packets.

answered 03 Dec '13, 13:02 cmaynard edited 03 Dec '13, 13:03

See also my answer to this question on SuperUser, Wireshark highlight missing sequence number. There I include a method for using your spreadsheet software to help identify gaps that I think is much easier and more reliable than my original answer here. (06 Apr '17, 09:22) cmaynard

For completeness, there has been sequence number analysis for ESP since September 2014, and it is enabled by default. (06 Apr '17, 09:35) MartinM

Ah, so there is. Thanks for pointing that out. The version of Wireshark I use most of the time due to the proprietary dissectors we need does not have that option. Updating our dissectors has been on my TODO list so we can finally make use of all of Wireshark's shiny new features again. For anyone else, just use the latest version of Wireshark then. (06 Apr '17, 09:42) cmaynard
This sounds like a good idea to me as well. Not much to it, it seems. I guess I'm going to have to hack something up myself for now.
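
An added example, not part of the original thread and not Wireshark's own code: a per-SPI gap check over extracted ESP sequence numbers, next to a sum-only check that shows why duplicates break the approach described in the answer. The input shape (tab-separated `esp.spi` and `esp.sequence` fields), the sample data and the function names are assumptions made for illustration, and `sum_residual` is one reading of the sum method, not the answerer's exact steps.

```python
from collections import Counter, defaultdict

# Constructed sample: "SPI<TAB>sequence" lines, the shape produced by
# tshark -T fields -e esp.spi -e esp.sequence (no real capture involved).
SAMPLE = """\
0x1000\t1
0x1000\t2
0x2000\t7
0x1000\t2
0x1000\t5
0x2000\t8
0x1000\t4
0x2000\t10
"""

def parse(text):
    """Group sequence numbers by SPI, preserving arrival order."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            spi, seq = line.split()
            flows[int(spi, 0)].append(int(seq, 0))
    return dict(flows)

def analyze(seqs):
    """Report gaps, duplicates and reordering for one SPI.
    Assumes no 32-bit wraparound inside the capture."""
    counts = Counter(seqs)
    missing = [n for n in range(min(seqs), max(seqs) + 1) if n not in counts]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    reordered = sum(1 for a, b in zip(seqs, seqs[1:]) if b < a)
    return {"missing": missing, "duplicates": duplicates, "reordered": reordered}

def sum_residual(seqs):
    """Sum-only check: expected sum of first..last minus the observed sum."""
    lo, hi = min(seqs), max(seqs)
    return (lo + hi) * (hi - lo + 1) // 2 - sum(seqs)

if __name__ == "__main__":
    for spi, seqs in parse(SAMPLE).items():
        print(hex(spi), analyze(seqs), "sum residual:", sum_residual(seqs))
```

Sequence numbers are tracked per SPI because each security association has its own counter; mixing flows would report gaps that are not there.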