From owner-freebsd-questions@FreeBSD.ORG  Thu Mar  6 21:53:35 2014
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 1946DA00
 for <freebsd-questions@freebsd.org>; Thu,  6 Mar 2014 21:53:35 +0000 (UTC)
Received: from smarthost1.sentex.ca (smarthost1.sentex.ca
 [IPv6:2607:f3e0:0:1::12])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id CCD6EFC7
 for <freebsd-questions@freebsd.org>; Thu,  6 Mar 2014 21:53:34 +0000 (UTC)
Received: from [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a] (saphire3.sentex.ca
 [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a])
 by smarthost1.sentex.ca (8.14.7/8.14.7) with ESMTP id s26LrXOD046350
 for <freebsd-questions@freebsd.org>; Thu, 6 Mar 2014 16:53:33 -0500 (EST)
 (envelope-from mike@sentex.net)
Message-ID: <5318EE5A.40207@sentex.net>
Date: Thu, 06 Mar 2014 16:53:30 -0500
From: Mike Tancsa <mike@sentex.net>
Organization: Sentex Communications
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
 rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: tcpdump question of ipsec / esp packets
References: <53179C45.3020004@sentex.net>
In-Reply-To: <53179C45.3020004@sentex.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.74
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2014 21:53:35 -0000

On 3/5/2014 4:51 PM, Mike Tancsa wrote:
> Not sure if this is even possible in tcpdump, but I was hoping I would
> be able to properly decode the protocol of the encapsulated packets in
> an ipsec connection.



Not sure its doable with tcpdump, but tshark seems to work.  Here are 
the steps I used

On FreeBSD, make sure you grab a copy of setkey -D at the time of the 
pcap as you will need the encryption keys being currently used (not the psk)

install wireshark/tshark (I use the command line)

in your home directory,
mkdir .wireshark

tshark -G defaultprefs > .wireshark/preferences

edit the file preferences,


  # Attempt to decode based on the SAD described hereafter.
  # TRUE or FALSE (case-insensitive).
-#esp.enable_encryption_decode: FALSE
+esp.enable_encryption_decode: TRUE


In the same directory, create the file esp_sa based on the output of 
setkey -D at the time of the pcap.

"IPv4","64.7.139.200","64.7.134.1","0x013ecf38","TripleDES-CBC 
[RFC2451]","0x2b4fd47185d56bef50bf3796ce07b5376317336e9b66550a","HMAC-SHA-1-96 
[RFC2404]","0x696dce8a6b837e69e16e9591638f6860480d4725"
"IPv4","64.7.134.1","64.7.139.200","0x0d8f42b8","TripleDES-CBC 
[RFC2451]","0x1b80416e2267a721f9dbd835b0edbb3e5929bec673e39c5a","HMAC-SHA-1-96 
[RFC2404]","0x79dc70b0baef9cf4bd89a02cc8026984c652730b"
"IPv4","64.7.134.1","64.7.139.200","0x075262c2","TripleDES-CBC 
[RFC2451]","0x1fafa222097a66addde4d2e4283e12bff7f3200ab77bcebf","HMAC-SHA-1-96 
[RFC2404]","0x2f0322fc238825656e7a2430bae3e959fe64797d"


Note, if you are unsure of the format, you can use the GUI version of 
wireshark to generate esp_sa

Then just
tshark -s0 -r ipsec.pcap

   1   0.000000 192.168.0.51 -> 192.168.99.1 ICMP 598 Echo (ping) 
request  id=0x04c0, seq=0/0, ttl=63
   2   0.000136 192.168.99.1 -> 192.168.0.51 ICMP 598 Echo (ping) reply 
    id=0x04c0, seq=0/0, ttl=64
   3   0.999363 192.168.0.51 -> 192.168.99.1 ICMP 598 Echo (ping) 
request  id=0x04c0, seq=1/256, ttl=63
   4   0.999487 192.168.99.1 -> 192.168.0.51 ICMP 598 Echo (ping) reply 
    id=0x04c0, seq=1/256, ttl=64
   5   2.000129 192.168.0.51 -> 192.168.99.1 ICMP 598 Echo (ping) 
request  id=0x04c0, seq=2/512, ttl=63
   6   2.000249 192.168.99.1 -> 192.168.0.51 ICMP 598 Echo (ping) reply 
    id=0x04c0, seq=2/512, ttl=64
   7   3.001797 192.168.0.51 -> 192.168.99.1 ICMP 598 Echo (ping) 
request  id=0x04c0, seq=3/768, ttl=63
   8   3.001913 192.168.99.1 -> 192.168.0.51 ICMP 598 Echo (ping) reply 
    id=0x04c0, seq=3/768, ttl=64
   9   4.002859 192.168.0.51 -> 192.168.99.1 ICMP 598 Echo (ping) 
request  id=0x04c0, seq=4/1024, ttl=63
  10   4.002986 192.168.99.1 -> 192.168.0.51 ICMP 598 Echo (ping) reply 
    id=0x04c0, seq=4/1024, ttl=64


This is rendered moot if you have device enc compiled into your kernel. 
However, this was not possible on the one ipsec server endpoint I was 
working on.

keywords for the search engines: ipsec esp decrypt tcpdump tshark 
wireshark freebsd

	---Mike


-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/