Ethereal-users: [Ethereal-users] RE: Ethereal and ISAKMP/ESP sniffing

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Francisco Alcoba (TS/EEM)" <francisco.alcoba@xxxxxxxxxxxx>
Date: Thu, 28 Oct 2004 07:27:24 +0200
>Hensley, Bill (Space Technology) wrote

>I've got a problem with using Ethereal.  I used an earlier Ethereal (0.7, I think) to monitor an >IPSec session between a number of machines on a hub-connected network.

>I am now using Ethereal (0.10.6) on a Windows 2000 box with a NIC that is known to operate in 
>promiscuous mode.  The machine is seeing all of the broadcast traffic on the wire, but it's not 
>seeing anything else unless it's directed specifically at the machine.  I've run through the 
>troubleshooting on the website, read the FAQs, and extensively searched Google (web and groups).  
>One guy here thinks that it has something to do with IPSec encrypting the headers of the packets, 
>but since we can's see the clear pings either I don't think it's an IPSec problem.  

Hi,

I know you have said clearly "hub-connected network" but, are you really sure? If, e.g., one port is configured at 10 Mbps and the others at 100 Mbps the hub might be bridging between them. And it that happens anyway in the path between you and the box that is sending the traffic, you won't see it.

I would say it is quite safe to assume you are not having any IPSEC-related problem if you are not seeing clear-text pings; however, since you are in a secured environment, I would check that your sniffing box has no configuration related to that - if you are sniffing in a VPN interface you will see no packet at all unless your computer can decode them; if you have a firewall installed it might be eating up the traffic...-

If that's OK, then either your box is not receiving the packets or it is not showing them to you. It should be easy to check the first if you can start something traffic intensive between two other boxes -like a big file transfer- and compare the activity leds; I know it sounds primitive, but it usually works. For the second, it might help to install another sniffer, and see what happens; how do you know your NIC is operating in promiscuous mode if you are not seeing the packets?