Wireshark-users: [Wireshark-users] decryption of ESP traffic in wireshark
From: Mark Ryden <markryde@xxxxxxxxx>
Date: Fri, 19 Nov 2010 16:28:35 +0200
Hi, I am using wireshark in the lab and I have a question: I want to decrypt ESP packets in wireshark (I mean seeing the IV, pad, nexthdr, etc). I had followed this wiki page: http://wiki.wireshark.org/ESP_Preferences and tried without success to decrypt ESP. I am using openswan at the lab. The /etc/ipsec.conf I am using and also the output of setkey -D are below.

So I went according to that page to: Edit->Preferences->Protocols->Esp. And there: I put the string "aes-cbc" into both Encryption algorithm entries, and "HMAC-SHA1-96" into both Authentication algorithm entries. I put into "Authentication key" #1 and "Authentication key" #2 the string "pre_shared_key", which is indeed the PSK I am using. I don't know what to put in "Encryption algorithm" #1 and "Encryption algorithm" #2. I would appreciate it if anybody can tell me. Also I did not put anything in #SA1 and #SA2. It seems to me that they are not mandatory but descriptive. I would appreciate it if somebody can ACK/NACK this.

I tried to view ESP packets, but the only thing I see is the SPI and seq number, which is the same as I saw before applying the preference settings described above. I would appreciate it if somebody can tell me what I should do in order to decrypt ESP traffic.
The output of setkey -D is:

192.168.1.196[4500] 192.168.1.12[4500]
    esp-udp mode=transport spi=1540919598(0x5bd8912e) reqid=16385(0x00004001)
    E: aes-cbc  0214ce04 e5b5cd26 65d15480 d5e0f3d1
    A: hmac-sha1  cc2cc5d0 9670c10d 60a30328 9ccb3ecc c961698e
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Nov 19 16:00:52 2010   current: Nov 19 16:01:02 2010
    diff: 10(s)     hard: 0(s)      soft: 0(s)
    last:           hard: 0(s)      soft: 0(s)
    current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
    allocated: 0    hard: 0 soft: 0
    sadb_seq=1 pid=3345 refcnt=0
192.168.1.196[4500] 192.168.1.12[4500]
    esp-udp mode=transport spi=2016713180(0x783499dc) reqid=16385(0x00004001)
    E: aes-cbc  7a1e869a 0f9fb90d fcdf8f8d aef33759
    A: hmac-sha1  00bdfb61 6be2346b 4473c363 b0cbc12d 4422edbc
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Nov 19 16:00:52 2010   current: Nov 19 16:01:02 2010
    diff: 10(s)     hard: 0(s)      soft: 0(s)
    last:           hard: 0(s)      soft: 0(s)
    current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
    allocated: 0    hard: 0 soft: 0
    sadb_seq=2 pid=3345 refcnt=0
192.168.1.12[4500] 192.168.1.196[4500]
    esp-udp mode=transport spi=866281280(0x33a26740) reqid=16385(0x00004001)
    E: aes-cbc  506df2d5 1725cc05 22272968 9b2fadf8
    A: hmac-sha1  f747f04e 23e2c6af 6b747e38 bf576329 463337ae
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Nov 19 16:00:52 2010   current: Nov 19 16:01:02 2010
    diff: 10(s)     hard: 0(s)      soft: 0(s)
    last:           hard: 0(s)      soft: 0(s)
    current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
    allocated: 0    hard: 0 soft: 0
    sadb_seq=3 pid=3345 refcnt=0
192.168.1.12[4500] 192.168.1.196[4500]
    esp-udp mode=transport spi=1678932909(0x64127bad) reqid=16385(0x00004001)
    E: aes-cbc  a00c6693 08a294db 368c74fd e99be382
    A: hmac-sha1  3eb66a25 d542c3d0 94e3122b 9f3109dc 2c569d93
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Nov 19 16:00:52 2010   current: Nov 19 16:01:02 2010
    diff: 10(s)     hard: 0(s)      soft: 0(s)
    last:           hard: 0(s)      soft: 0(s)
    current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
    allocated: 0    hard: 0 soft: 0
    sadb_seq=4 pid=3345 refcnt=0
192.168.1.12[4500] 192.168.1.196[4500]
    esp-udp mode=tunnel spi=3509961183(0xd135c1df) reqid=16385(0x00004001)
    E: aes-cbc  770da11e d3c1e803 6d985d83 f12b7c99
    A: hmac-sha1  4e0d15a9 7ee6bf9d d504f77d ff706a8f 7b866b53
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Nov 19 16:00:45 2010   current: Nov 19 16:01:02 2010
    diff: 17(s)     hard: 0(s)      soft: 0(s)
    last:           hard: 0(s)      soft: 0(s)
    current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
    allocated: 0    hard: 0 soft: 0
    sadb_seq=5 pid=3345 refcnt=0
192.168.1.196[4500] 192.168.1.12[4500]
    esp-udp mode=tunnel spi=2711480013(0xa19de6cd) reqid=16385(0x00004001)
    E: aes-cbc  83e20d75 cebc36f8 a46b053f 934a634c
    A: hmac-sha1  e8c55177 f72e568e f940357c b5530369 f0df1bcd
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Nov 19 16:00:45 2010   current: Nov 19 16:01:02 2010
    diff: 17(s)     hard: 0(s)      soft: 0(s)
    last:           hard: 0(s)      soft: 0(s)
    current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
    allocated: 0    hard: 0 soft: 0
    sadb_seq=0 pid=3345 refcnt=0

ipsec.conf:
===========
# /etc/ipsec.conf - Openswan IPsec configuration file
version 2.0
config setup
    protostack="netkey"
    nat_traversal=yes
    plutodebug="all"
    plutostderrlog=/var/log/pluto.log
conn host-to-host
    type=tunnel
    authby=secret
    left=192.168.1.196
    right=192.168.1.12
    auto=start
    forceencaps=yes

Rgs,
Mark
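Added example, not part of the post above and not Wireshark's or Openswan's own code: a Python script that turns a setkey -D dump like the one in the post into the per-SA entries the Wireshark ESP dissector needs. The point it makes is that the IKE pre-shared key is never the value for the ESP key fields: the PSK only authenticates the IKE exchange, and the keys ESP actually uses are the ones IKE derived and the kernel installed, which are exactly the E: and A: hex words setkey -D prints (AES-CBC with a 16-byte key here, HMAC-SHA1 with its full 20-byte key even though the ICV is truncated to 96 bits). Each entry is also tied to a direction and an SPI, since the dissector looks keys up by SPI; the sample SAD below is constructed from two of the post's six SAs. The Wireshark algorithm labels and the eight-field esp_sa UAT line layout are assumptions taken from the 2.x/3.x dissector; newer releases append further fields, so compare the output against Edit > Preferences > Protocols > ESP > ESP SAs on the version in use.

```python
"""Turn a `setkey -D` SAD dump into Wireshark ESP SA entries (added example)."""
import re
from typing import Dict, List

# Constructed sample: two of the six SAs from the post's setkey -D output,
# laid out the way setkey prints them (address header, then indented detail).
SAMPLE_SETKEY_D = """\
192.168.1.196[4500] 192.168.1.12[4500]
    esp-udp mode=transport spi=1540919598(0x5bd8912e) reqid=16385(0x00004001)
    E: aes-cbc  0214ce04 e5b5cd26 65d15480 d5e0f3d1
    A: hmac-sha1  cc2cc5d0 9670c10d 60a30328 9ccb3ecc c961698e
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Nov 19 16:00:52 2010   current: Nov 19 16:01:02 2010
    sadb_seq=1 pid=3345 refcnt=0
192.168.1.12[4500] 192.168.1.196[4500]
    esp-udp mode=transport spi=866281280(0x33a26740) reqid=16385(0x00004001)
    E: aes-cbc  506df2d5 1725cc05 22272968 9b2fadf8
    A: hmac-sha1  f747f04e 23e2c6af 6b747e38 bf576329 463337ae
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Nov 19 16:00:52 2010   current: Nov 19 16:01:02 2010
    sadb_seq=3 pid=3345 refcnt=0
"""

# One SA record: "src[port] dst[port]", the esp/esp-udp line with mode and SPI,
# then the E: (cipher) and A: (integrity) lines carrying 8-hex-digit key words.
# Works on the real multi-line layout and on a dump flattened onto one line.
SA_RE = re.compile(
    r"(?P<src>[0-9a-f.:]+)(?:\[\d+\])?\s+(?P<dst>[0-9a-f.:]+)(?:\[\d+\])?\s+"
    r"esp(?:-udp)?\s+mode=(?P<mode>\w+)\s+spi=\d+\((?P<spi>0x[0-9a-f]+)\)"
    r".*?E:\s+(?P<enc>[\w-]+)\s+(?P<enckey>(?:[0-9a-f]{8}\s*)*)"
    r"A:\s+(?P<auth>[\w-]+)\s+(?P<authkey>(?:[0-9a-f]{8}\s*)*)",
    re.DOTALL,
)

# Algorithm labels as the Wireshark ESP dissector lists them (assumed; verify
# against the ESP SAs preference table of the Wireshark version in use).
ENC_NAMES = {
    "aes-cbc": "AES-CBC [RFC3602]",
    "3des-cbc": "TripleDES-CBC [RFC2451]",
    "des-cbc": "DES-CBC [RFC2405]",
    "null": "NULL",
}
AUTH_NAMES = {
    "hmac-sha1": "HMAC-SHA-1-96 [RFC2404]",
    "hmac-md5": "HMAC-MD5-96 [RFC2403]",
    "null": "NULL",
}
# Raw key sizes (bytes) the kernel installs for these algorithms.
ENC_KEY_BYTES = {"aes-cbc": {16, 24, 32}, "3des-cbc": {24}, "des-cbc": {8}, "null": {0}}
AUTH_KEY_BYTES = {"hmac-sha1": {20}, "hmac-md5": {16}, "null": {0}}


def _hex_key(words: str) -> str:
    """Join setkey's spaced key words into one 0x-prefixed string ('' if no key)."""
    digits = "".join(words.split())
    return "0x" + digits if digits else ""


def parse_setkey_dump(text: str) -> List[Dict[str, str]]:
    """Extract every ESP SA (direction, mode, SPI, algorithms, keys) from setkey -D output."""
    sas = []
    for m in SA_RE.finditer(text):
        sas.append({
            "src": m["src"], "dst": m["dst"], "mode": m["mode"], "spi": m["spi"],
            "enc_algo": m["enc"], "enc_key": _hex_key(m["enckey"]),
            "auth_algo": m["auth"], "auth_key": _hex_key(m["authkey"]),
        })
    return sas


def key_problems(sa: Dict[str, str]) -> List[str]:
    """Checks the dissector would otherwise fail silently on: an algorithm it has no
    label for, or a key whose length cannot fit the algorithm (an IKE PSK, say)."""
    problems = []
    for kind, names, sizes in (("enc", ENC_NAMES, ENC_KEY_BYTES),
                               ("auth", AUTH_NAMES, AUTH_KEY_BYTES)):
        algo, key = sa[kind + "_algo"], sa[kind + "_key"]
        if algo not in names:
            problems.append("%s: unsupported %s algorithm %r" % (sa["spi"], kind, algo))
            continue
        nbytes = (len(key) - 2) // 2 if key else 0
        if nbytes not in sizes[algo]:
            problems.append("%s: %s key is %d bytes, %s expects %s"
                            % (sa["spi"], kind, nbytes, algo, sorted(sizes[algo])))
    return problems


def esp_sa_uat_line(sa: Dict[str, str]) -> str:
    """Format one SA as a line of Wireshark's esp_sa UAT file (assumed 8-field layout:
    protocol, src, dst, SPI, cipher, cipher key, integrity algorithm, integrity key)."""
    proto = "IPv6" if ":" in sa["src"] else "IPv4"
    fields = [proto, sa["src"], sa["dst"], sa["spi"],
              ENC_NAMES[sa["enc_algo"]], sa["enc_key"],
              AUTH_NAMES[sa["auth_algo"]], sa["auth_key"]]
    return ",".join('"%s"' % f for f in fields)


if __name__ == "__main__":
    for sa in parse_setkey_dump(SAMPLE_SETKEY_D):
        for problem in key_problems(sa):
            print("WARNING", problem)
        print(esp_sa_uat_line(sa))
```

Run it against the live `setkey -D` output (as root, piped into the script) and paste the resulting lines into the ESP SAs table, with "Attempt to detect/decode encrypted ESP payloads" enabled and, to see the ICV verified too, "Attempt to check ESP authentication". With forceencaps the packets on the wire are ESP inside UDP/4500; Wireshark's UDPENCAP dissector unwraps that before handing off to ESP, so the same SA table applies. Note that one direction of a connection is a separate SA with its own SPI and keys, so both directions need an entry, and the entries go stale whenever IKE rekeys.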