
How can I save the payload of ESP as separate packet after decryption ?


I have the encrypted ESP packets. I am able to decrypt these packets after putting the necessary keys and algo in the fields below: Edit -> Preferences -> ESP

Basically ESP has the inner packet with IP, UDP/TCP, and another user-defined protocol. In my case, I have a separate tool to parse the user-defined protocol. But ESP packets do not work in that tool. The tool works with the Wireshark file without ESP.

So can I strip off the IP, UDP and ESP header from the log, so that the log file will be just as it was collected before the security gateway?

asked 2018-04-02 07:32:56 +0000


1 Answer


Use the exported PDU functionality.

Anders
answered 2018-04-02 19:30:22 +0000


Thanks Anders for your reply. In my case, the exported PDU functionality works with the "OSI layer 3" option.

But it shows an additional field called "EXPORTED_PDU". It looks like the tool used for parsing the user-defined protocol has to be modified to parse this new format.

pknayak (2018-04-03 05:58:16 +0000)

Not sure that I follow what you are saying. Some metadata from the original file gets saved and interpreted by the "Exported PDU" dissector; that metadata "should" contain the next protocol or UDP/TCP port to call as the next dissector. What is displayed after Exported PDU in your trace, and what is the protocol following ESP?

Anders (2018-04-03 13:20:20 +0000)

Basically the ESP payload is exported with the "OSI layer 3" option. This is something like below.

Original packet: Frame -> Ethernet -> IP -> ESP -> IP2 -> UDP2 -> Data

After Export PDU: Frame -> EXPORTED_PDU -> IP2 -> UDP2 -> Data

But I was expecting something like below: Frame -> Ethernet -> IP2 -> UDP2 -> Data

So that the tool used to parse the data can work well just after the export, without changing the parsing logic of the tool.

Is there any way I can replace "EXPORTED_PDU" with Ethernet?

pknayak (2018-04-03 13:58:04 +0000)

No, this is what you get: the decrypted data after ESP, with some metadata from the previous layers saved. Any decoder of this file would have to understand the exported PDU format as Wireshark does. The format is documented in the sources.

Anders (2018-04-03 15:35:50 +0000)

Thanks for the clarification.

pknayak (2018-04-03 17:50:54 +0000)
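As an added example (not part of this thread and not Wireshark's own code), here is the conversion pknayak was asking for: walk the Exported PDU options in a classic pcap of link type 252, drop them, and prepend a synthetic Ethernet header so an Ethernet-only parser can read the decrypted inner packets. The tag numbers, link type and 4-byte name padding are assumed from my reading of Wireshark's sources; the MAC addresses and the IPv4/UDP sample are constructed.

```python
import struct
# Tag values and pcap link type as I read them in Wireshark's exported_pdu.h / wiretap (assumed; verify in your tree).
EXP_PDU_TAG_END_OF_OPT, EXP_PDU_TAG_PROTO_NAME = 0, 12
LINKTYPE_ETHERNET, LINKTYPE_WIRESHARK_UPPER_PDU = 1, 252
ETHERTYPE = {4: 0x0800, 6: 0x86DD}
DST_MAC, SRC_MAC = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")  # constructed, locally administered

def parse_exported_pdu(data: bytes):
    """Walk the big-endian TLV options (2-byte tag, 2-byte length) to the end-of-options tag."""
    tags, off = {}, 0
    while True:
        tag, length = struct.unpack_from(">HH", data, off)   # struct.error if the options are truncated
        off += 4
        if tag == EXP_PDU_TAG_END_OF_OPT:
            return tags, data[off:]                          # what follows is the decrypted inner packet
        tags[tag] = data[off:off + length]
        off += length

def reframe_as_ethernet(data: bytes) -> bytes:
    """Drop the options and prepend a synthetic Ethernet header typed from the inner IP version nibble."""
    tags, pdu = parse_exported_pdu(data)
    if not pdu or pdu[0] >> 4 not in ETHERTYPE:
        raise ValueError("inner PDU is not IP; proto tag %r" % tags.get(EXP_PDU_TAG_PROTO_NAME))
    return DST_MAC + SRC_MAC + struct.pack(">H", ETHERTYPE[pdu[0] >> 4]) + pdu

def convert_pcap(src: bytes) -> bytes:
    """Rewrite a classic pcap (not pcapng) of link type 252 to link type 1; assumes untruncated records."""
    magic = src[:4]
    endian = "<" if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    hdr = list(struct.unpack(endian + "HHiIII", src[4:24]))  # ver_major, ver_minor, zone, sigfigs, snaplen, linktype
    if hdr[5] != LINKTYPE_WIRESHARK_UPPER_PDU:
        raise ValueError("not an exported-PDU capture: link type %d" % hdr[5])
    hdr[5] = LINKTYPE_ETHERNET
    out, off = [magic + struct.pack(endian + "HHiIII", *hdr)], 24
    while off + 16 <= len(src):
        ts_sec, ts_frac, incl_len, _ = struct.unpack(endian + "IIII", src[off:off + 16])
        frame = reframe_as_ethernet(src[off + 16:off + 16 + incl_len])
        out.append(struct.pack(endian + "IIII", ts_sec, ts_frac, len(frame), len(frame)) + frame)
        off += 16 + incl_len
    return b"".join(out)

# Constructed sample: IPv4/UDP 10.0.0.1:1234 -> 10.0.0.2:5678 (checksums left zero) as one exported PDU in a pcap.
SAMPLE_IPV4_UDP = bytes.fromhex("4500001c00000000401100000a0000010a00000204d2162e00080000")
def build_exported_pdu(proto: bytes, pdu: bytes) -> bytes:
    name = proto.ljust((len(proto) + 3) // 4 * 4, b"\x00")  # Wireshark pads the name to a 4-byte multiple
    return struct.pack(">HH", EXP_PDU_TAG_PROTO_NAME, len(name)) + name + struct.pack(">HH", 0, 0) + pdu
def sample_pcap() -> bytes:
    exp = build_exported_pdu(b"ip", SAMPLE_IPV4_UDP)
    head = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, LINKTYPE_WIRESHARK_UPPER_PDU)
    return head + struct.pack("<IIII", 1522655536, 0, len(exp), len(exp)) + exp
```

Run `convert_pcap` over the bytes of an exported-PDU pcap and write the result to a new file; the other metadata tags (addresses, ports) are discarded, so keep the original export if you still need them.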
