Wireshark-users: Re: [Wireshark-users] how can I see ESP packets
From: Sake Blok <sake@xxxxxxxxxx>
Date: Wed, 28 Oct 2009 00:33:08 +0100
On Tue, Oct 27, 2009 at 02:16:16PM -0700, Dave Braucht wrote:
>    I am troubleshooting an IPSec VPN pass-through issue on a firewall. I am
>    using wireshark 1.2.1.
>     
>    I want to be able to see the ESP packets. I don't care to decrypt them. I
>    just want to see them in the capture. I see ISAKMP, but not my ESP.
>     
>    Is there a setting that I need to enable to allow me to see the ESP packet
>    (protocol 50)?

Wireshark should show packets with IP protocol 50 as ESP. What I think
might be the issue is that NAT traversal might be used between the VPN
endpoints. This means the ESP traffic is encapsulated either in TCP or
UDP. Do you see other traffic between the endpoints that exchange the
ISAKMP traffic? If so, use "Decode As" to dissect the traffic as ESP.
You can do this by decoding the TCP or UDP port to TCPENCAP or UDPENCAP.

For example, I recently decoded UDP port 49000 as UDPENCAP to make the
ESP traffic of a remote access VPN connection visible.

Hope this helps,
Cheers,
     Sake
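As an added illustration of the NAT traversal point above (example code, not part of this thread or of Wireshark itself): on the UDP port used for NAT-T, IKE packets carry a four-byte zero "non-ESP marker" while ESP packets start directly with a non-zero SPI, which is the framing the UDPENCAP dissector applies once you tell Wireshark to use it (the assumed tshark equivalent of the "Decode As" step is `-d udp.port==49000,udpencap`). The sample payloads below are constructed.

```python
"""Classify UDP-encapsulated IPsec payloads using the RFC 3948 NAT-T framing.

This is an added example, not code from the thread or from Wireshark. It
shows why a plain UDP view can reveal ISAKMP but hide ESP on the NAT-T
port, and what a UDPENCAP-style dissector recovers from each datagram.
"""
import struct

# IKE over the NAT-T port is prefixed with four zero bytes so that it can
# never be confused with an ESP header (SPI value 0 is reserved).
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def classify_udp_encap(payload: bytes) -> dict:
    """Return the NAT-T payload kind plus the ESP header fields if present."""
    if len(payload) == 1 and payload[0] == 0xFF:
        return {"kind": "nat-keepalive"}          # single 0xFF byte
    if len(payload) < 8:
        return {"kind": "malformed"}              # too short for SPI + seq
    if payload[:4] == NON_ESP_MARKER:
        return {"kind": "isakmp", "ike_len": len(payload) - 4}
    # Anything else is ESP: 32-bit SPI, 32-bit sequence number, then
    # the encrypted payload and trailer, which we do not try to decrypt.
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "seq": seq,
            "encrypted_len": len(payload) - 8}


def summarize(packets) -> dict:
    """Count payload kinds, like a protocol hierarchy after 'Decode As'."""
    counts = {}
    for p in packets:
        kind = classify_udp_encap(p)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample datagram payloads as seen on the NAT-T UDP port.
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 42) + bytes(range(16))
SAMPLE_IKE = NON_ESP_MARKER + b"\x11" * 28       # marker + 28-byte ISAKMP hdr
SAMPLE_KEEPALIVE = b"\xff"

if __name__ == "__main__":
    for p in (SAMPLE_ESP, SAMPLE_IKE, SAMPLE_KEEPALIVE):
        print(classify_udp_encap(p))
    print(summarize([SAMPLE_ESP, SAMPLE_ESP, SAMPLE_IKE, SAMPLE_KEEPALIVE]))
```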