Ethereal-dev: Re: [Ethereal-dev] patch for isakmp dissector

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Wed, 29 Aug 2001 17:33:10 -0700 (PDT)
> 1. I've added a call to the AH dissector in the same way that you've added
> ESP - there's nothing significant about AH - if the 4 bytes after the
> non-ike-marker are zero'ed, then it's AH. Otherwise, it's ESP and it is its
> SPI value. Please see attached.

According to

	http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-00.txt

the 4 bytes after the non-ESP marker are the "AH Envelope", with the
version, IP header length, and identification field from the original IP
packet, and the AH header follows that; "dissect_ah()" will dissect the
AH header, but not the AH envelope, so presumably there should be code
that does something such as

	/* Decode the 4-byte AH envelope that precedes the AH header proper. */
	if (tree) {
	  proto_tree_add_text(isakmp_tree, tvb, offset, 1,
			      "AH Envelope Version: %u",
			      tvb_get_guint8(tvb, offset) >> 4);	/* high nibble */
	}
	offset += 1;
	if (tree) {
	  proto_tree_add_text(isakmp_tree, tvb, offset, 1,
			      "AH Envelope Header Length: %u",
			      (tvb_get_guint8(tvb, offset) & 0xF)*4);	/* low nibble, in 32-bit words */
	}
	offset += 1;
	if (tree) {
	  proto_tree_add_text(isakmp_tree, tvb, offset, 2,
			      "AH Envelope Identification: 0x%04X",
			      tvb_get_ntohs(tvb, offset));	/* network byte order */
	}
	offset += 2;

before the call to the AH dissector.
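The envelope decoding sketched in the message, written out as a stand-alone parser with the bounds check a dissector needs before touching those bytes. This is an added example, not code from the message or from Ethereal/Wireshark: the field layout (version in the high nibble of byte 0, header length in the low nibble of byte 1, identification in bytes 2 and 3) is taken from the snippet above, the names `ah_envelope_t`, `parse_ah_envelope` and `ah_envelope_is_plausible` are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parsed AH envelope (hypothetical type, not Ethereal's own). Field layout
 * follows the snippet in the message above: version in the high nibble of
 * byte 0, header length in the low nibble of byte 1 (units of 4 bytes),
 * identification in bytes 2-3 (network byte order). */
typedef struct {
    uint8_t  version;
    uint8_t  header_len;      /* in bytes, already multiplied by 4 */
    uint16_t identification;
} ah_envelope_t;

#define AH_ENVELOPE_LEN     4
#define IPV4_MIN_HEADER_LEN 20

/* Parse the envelope at buf[offset]. Returns the offset at which the AH
 * header proper begins, or -1 if fewer than 4 bytes remain: a dissector
 * must refuse to read past the captured data rather than trust the packet
 * to be long enough. */
int parse_ah_envelope(const uint8_t *buf, size_t len, size_t offset,
                      ah_envelope_t *out)
{
    if (buf == NULL || out == NULL)
        return -1;
    if (offset > len || len - offset < AH_ENVELOPE_LEN)
        return -1;                       /* truncated: no envelope to read */

    out->version        = buf[offset] >> 4;
    out->header_len     = (uint8_t)((buf[offset + 1] & 0x0F) * 4);
    out->identification = (uint16_t)((buf[offset + 2] << 8) | buf[offset + 3]);
    return (int)(offset + AH_ENVELOPE_LEN);
}

/* Sanity check on the decoded values: the envelope echoes fields of an IPv4
 * header, so anything other than version 4 with a header length of at
 * least 20 bytes is worth flagging as malformed rather than dissecting. */
int ah_envelope_is_plausible(const ah_envelope_t *env)
{
    return env->version == 4 && env->header_len >= IPV4_MIN_HEADER_LEN;
}

int main(void)
{
    /* Constructed sample: bytes as they would appear right after the
     * non-ESP marker, followed by stand-in bytes for the AH header. */
    static const uint8_t sample[] = {
        0x40, 0x05, 0x1A, 0x2B,   /* version 4, IHL 5 (20 bytes), id 0x1A2B */
        0x04, 0x04, 0x00, 0x00    /* stand-in start of the AH header */
    };
    ah_envelope_t env;
    int next = parse_ah_envelope(sample, sizeof sample, 0, &env);
    if (next < 0) {
        puts("truncated envelope");
        return 1;
    }
    printf("AH Envelope Version: %u\n", env.version);
    printf("AH Envelope Header Length: %u\n", env.header_len);
    printf("AH Envelope Identification: 0x%04X\n", env.identification);
    printf("plausible: %s, AH header starts at offset %d\n",
           ah_envelope_is_plausible(&env) ? "yes" : "no", next);
    return 0;
}
```

The returned offset is what would be handed to the AH dissector; the `-1` path is the case the inline snippet leaves to the tvb accessors, and the plausibility check is an extra guard the snippet does not perform.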