Ethereal-users: Re: [Ethereal-users] Parsing protocols inside ESP packets?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Guy Harris" <gharris@xxxxxxxxx>
Date: Mon, 30 Aug 2004 13:25:50 -0700 (PDT)
Helen C. OBoyle said:

> I have captured a bunch of ESP packets which contain SMB and other traffic
> via NetMon, which seems to have been nice enough to decrypt the packets
> for me, so that when I open the capture files in Ethereal, I see
> recognizable fields in the packets.

I assume you meant "when I open the capture files in NetMon".

They're not necessarily being decrypted by the NetMon application.  Is the
ESP traffic being sent by or received by the machine running
NetMon?  If so, perhaps the networking stack or the NetMon driver for
capturing is supplying outgoing packets before they're encrypted and
supplying incoming packets after they're decrypted (i.e., the decrypting
of incoming packets is being done by the OS's IPSec code, and outgoing
packets are being "captured" before being *en*crypted so no decryption is
necessary).

If so, then Ethereal would need an option of some sort to specify whether
ESP packets contain encrypted or non-encrypted payload, and...

> Has someone already implemented this?

...if somebody's implemented it, they haven't sent it in for inclusion in
Ethereal (nor has anybody contributed code to decrypt encrypted packets).
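The option Guy describes, telling the dissector whether an ESP payload is cleartext (captured before encryption or after the OS's IPsec code decrypted it) or opaque ciphertext, is shown below as an added Python example. It is not code from this thread or from Ethereal; it assumes the packet carries no trailing ICV unless `icv_len` is given, and the SMB-over-TCP segment it parses is constructed inline for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ESP_HDR = struct.Struct("!II")  # SPI, sequence number (RFC 2406 header)
IP_PROTO_NAMES = {4: "IPv4", 6: "TCP", 17: "UDP", 41: "IPv6", 59: "No Next Header"}


@dataclass
class EspPacket:
    spi: int
    seq: int
    payload: bytes                       # bytes between the ESP header and the ICV
    next_header: Optional[int] = None    # only known when the payload is cleartext
    inner: Optional[bytes] = None        # inner protocol bytes, padding/trailer stripped
    summary: str = ""


def parse_esp(data: bytes, cleartext: bool = False, icv_len: int = 0) -> EspPacket:
    """Parse an ESP packet. With cleartext=False the payload is treated as opaque
    ciphertext, which is all a dissector can honestly show. With cleartext=True
    the ESP trailer (pad length, next header) is read from the end of the payload
    and the inner protocol is dispatched. icv_len is the length of a trailing
    integrity check value, 0 if none is present (the assumption in this example)."""
    if len(data) < ESP_HDR.size:
        raise ValueError("too short for an ESP header")
    spi, seq = ESP_HDR.unpack_from(data)
    body = data[ESP_HDR.size:len(data) - icv_len]
    pkt = EspPacket(spi=spi, seq=seq, payload=body)
    if not cleartext:
        pkt.summary = f"ESP SPI=0x{spi:08x} seq={seq} ({len(body)} bytes encrypted payload)"
        return pkt
    if len(body) < 2:
        raise ValueError("cleartext ESP payload too short for a trailer")
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 2:
        raise ValueError("pad length exceeds payload; payload is probably not cleartext")
    pkt.next_header = next_header
    pkt.inner = body[:len(body) - 2 - pad_len]
    name = IP_PROTO_NAMES.get(next_header, str(next_header))
    pkt.summary = f"ESP SPI=0x{spi:08x} seq={seq} next={name} " + describe_inner(next_header, pkt.inner)
    return pkt


def describe_inner(next_header: int, inner: bytes) -> str:
    """One-line description of the inner (transport-mode) protocol."""
    if next_header == 6 and len(inner) >= 20:
        sport, dport = struct.unpack_from("!HH", inner)
        data_off = (inner[12] >> 4) * 4
        app = inner[data_off:]
        # SMB rides on 445 (direct) or 139 (NetBIOS session); "\xffSMB" is the SMB1 magic
        label = " SMB" if dport in (139, 445) or b"\xffSMB" in app[:8] else ""
        return f"TCP {sport}->{dport}{label}"
    if next_header == 17 and len(inner) >= 8:
        sport, dport = struct.unpack_from("!HH", inner)
        return f"UDP {sport}->{dport}"
    return f"{len(inner)} bytes"


def looks_cleartext(data: bytes, icv_len: int = 0) -> bool:
    """Cheap plausibility check a dissector could run before trusting the
    'cleartext' option: the trailer must be self-consistent, the padding must
    follow the RFC's 1,2,3,... pattern and the next header must be a known
    protocol. Random ciphertext almost always fails at least one of these."""
    try:
        pkt = parse_esp(data, cleartext=True, icv_len=icv_len)
    except ValueError:
        return False
    pad_len = pkt.payload[-2]
    padding = pkt.payload[len(pkt.payload) - 2 - pad_len:-2]
    return padding == bytes(range(1, pad_len + 1)) and pkt.next_header in IP_PROTO_NAMES


def build_cleartext_esp(spi: int, seq: int, next_header: int, inner: bytes) -> bytes:
    """Wrap `inner` in an ESP header and RFC-style trailer, no encryption, no ICV."""
    pad_len = (-(len(inner) + 2)) % 4          # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))
    return ESP_HDR.pack(spi, seq) + inner + padding + bytes([pad_len, next_header])


# Constructed sample: a TCP segment to port 445 carrying an NBSS header and the SMB magic.
TCP_SEGMENT = struct.pack("!HHIIBBHHH", 50000, 445, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
SAMPLE_ESP = build_cleartext_esp(0x12345678, 1, 6, TCP_SEGMENT + b"\x00\x00\x00\x04" + b"\xffSMB")
# Constructed ciphertext-like packet: the would-be pad length (0xff) exceeds the payload.
BOGUS_ESP = ESP_HDR.pack(1, 1) + b"\xaa" * 10 + bytes([0xff, 6])

if __name__ == "__main__":
    print(parse_esp(SAMPLE_ESP).summary)                  # opaque view
    print(parse_esp(SAMPLE_ESP, cleartext=True).summary)  # dissected view
    print(looks_cleartext(SAMPLE_ESP), looks_cleartext(BOGUS_ESP))
```

The same bytes yield two honest summaries depending on the option: without it the dissector reports only SPI, sequence number and payload length; with it the trailer is consumed and the inner TCP/SMB segment is described. `looks_cleartext` is the sanity check that should gate the option, since applying it to genuinely encrypted packets would otherwise produce nonsense dissections.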