Could tshark capture the decrypted packet when receiving ESP?

We encountered one problem: when using tshark to capture packets on one interface (virtio_net), tshark captures one ESP packet and also one packet without the ESP header, which has been decrypted by the kernel into a plain packet.

How did tshark capture the second, decrypted packet?

Thanks, Mark

mzhan017
asked 2024-04-09 00:23:53 +0000

1 Answer

This seems expected for tunnel mode, judging from the kernel code in xfrm_input:

    ....
    if (x->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL) {
        decaps = 1;
        break;
    }
    ....
    if (decaps) {
        if (skb->sp)
            skb->sp->olen = 0;
        skb_dst_drop(skb);
        gro_cells_receive(&gro_cells, skb);
        return 0;

mzhan017
answered 2024-04-09 01:22:46 +0000
grahamb
updated 2024-04-09 07:23:12 +0000
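
The mechanism the answer points to, as an added example that is neither part of the original answer nor kernel code: a user-space C model of the receive path in which the `decaps` branch hands the inner packet back to the device receive path, so a capture tap on the same interface counts it a second time. All function names and the tap counter are hypothetical, and the transport-mode branch is an assumption about the non-decaps path.

```c
/* Added illustration: a user-space model of the flow, not kernel code. */
#include <stdio.h>

enum { MODE_TRANSPORT = 0, MODE_TUNNEL = 1 }; /* stands in for XFRM_MODE_FLAG_TUNNEL */

struct pkt { int is_esp; const char *desc; };

static int tap_hits;   /* frames a capture socket (e.g. tshark) sees on the interface */
static int delivered;  /* plaintext packets handed to the upper layer */

static void xfrm_input_model(struct pkt *p, int mode);

/* Device receive path: capture taps are fed first, then the protocol handler runs. */
static void netif_receive_model(struct pkt *p, int mode)
{
    tap_hits++;
    printf("  tap sees: %s\n", p->desc);
    if (p->is_esp)
        xfrm_input_model(p, mode);
    else
        delivered++;
}

/* Models the decaps branch quoted in the answer. */
static void xfrm_input_model(struct pkt *p, int mode)
{
    struct pkt inner = { 0, "decrypted inner packet" }; /* constructed; no real crypto */
    (void)p;
    if (mode == MODE_TUNNEL) {
        /* decaps = 1: gro_cells_receive() puts the inner packet back on the receive path */
        netif_receive_model(&inner, mode);
        return;
    }
    /* assumption: transport mode continues up the stack without re-entering the device path */
    delivered++;
}

/* Returns how many frames the tap saw for one inbound ESP packet. */
int frames_seen_by_tap(int mode)
{
    struct pkt esp = { 1, "ESP packet" };
    tap_hits = delivered = 0;
    netif_receive_model(&esp, mode);
    return tap_hits;
}

int packets_delivered(void) { return delivered; }

int main(void)
{
    printf("tunnel:\n");
    printf("  frames captured = %d\n", frames_seen_by_tap(MODE_TUNNEL));
    printf("transport:\n");
    printf("  frames captured = %d\n", frames_seen_by_tap(MODE_TRANSPORT));
    return 0;
}
```

In the model, one inbound ESP packet yields two captured frames in tunnel mode and one in transport mode, while the upper layer receives a single plaintext packet either way.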