
How to decrypt IPsec traffic that has ESP from the command line

Hello, I work with Wireshark a lot and I need to decode a LOT of traces that have ESP. It takes a long time to manually enter all the information necessary in the GUI to decode each different trace, so I am trying to figure out a way to pass the ESP decryption parameters as command-line arguments to tshark or Wireshark, or even to be able to edit a file like esp_sa.

Thanks, surya

updated 2018-11-14 08:26:35 +0000
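A scripted way to do what the question asks, added here as an example that is not part of the original post or of Wireshark itself. It assumes tshark 2.6 or 3.x, where the ESP SA table is the user table (UAT) named esp_sa with eight fields (Protocol, Src IP, Dst IP, SPI, Encryption, Encryption key, Authentication, Authentication key), and that tshark's documented `-o "uat:<table>:<record>"` override works for that table; newer releases may append extra fields, so compare against an esp_sa file your own Wireshark wrote. The key table and the keys in it are constructed placeholders, and the helper names are mine:

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Wireshark/tshark 2.6 or
# 3.x, where the ESP SA table is the UAT named "esp_sa" with eight fields and
# tshark accepts -o "uat:esp_sa:<record>" overrides (tshark(1), -o option).
# Newer releases may append extra fields; check your esp_sa file first.
set -eu

# One esp_sa record: eight double-quoted, comma-separated fields in the order
# Protocol, Src IP, Dst IP, SPI, Encryption, Encryption key, Authentication,
# Authentication key. This is the line format of the esp_sa profile file.
esp_sa_record() {
    printf '"%s","%s","%s","%s","%s","%s","%s","%s"' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8"
}

# Count hex digits of a 0x-prefixed key; prints 0 for an empty or non-hex key.
hex_digits() {
    k=${1#0x}
    case $k in
        ''|*[!0-9a-fA-F]*) echo 0 ;;
        *) echo ${#k} ;;
    esac
}

# Key-length sanity check for the algorithm strings used below. A key of the
# wrong length makes tshark silently leave the ESP payload undecoded, which is
# expensive to discover only after a batch run over many traces.
key_ok() {   # $1 algorithm string as used in esp_sa, $2 key
    n=$(hex_digits "$2")
    case $1 in
        'AES-CBC [RFC3602]')       [ "$n" -eq 32 ] || [ "$n" -eq 48 ] || [ "$n" -eq 64 ] ;;
        'HMAC-SHA-1-96 [RFC2404]') [ "$n" -eq 40 ] ;;
        'NULL')                    [ "$n" -eq 0 ] ;;
        *)                         return 1 ;;
    esac
}

# tshark command line for one trace and one SA, printed rather than executed
# so it can be inspected or piped to sh. -Y esp keeps only ESP packets.
# Repeat -o 'uat:esp_sa:...' to add more SAs (e.g. both directions).
build_tshark_cmd() {   # $1 pcap, $2 esp_sa record
    printf "tshark -r '%s' -o esp.enable_encryption_decode:TRUE" "$1"
    printf " -o esp.enable_authentication_check:TRUE -o 'uat:esp_sa:%s' -Y esp -V" "$2"
}

# Constructed per-trace key table (tab-separated): trace, src, dst, SPI,
# AES-CBC key, HMAC-SHA-1 key. Keys are placeholders, not real material.
write_sample_table() {   # $1 output file
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        trace1.pcap 10.0.0.1 10.0.0.2 0x00000100 \
            0x000102030405060708090a0b0c0d0e0f \
            0x0001020304050607080910111213141516171819 \
        trace2.pcap 10.0.0.2 10.0.0.1 0x00000200 \
            0x0f0e0d0c0b0a09080706050403020100 \
            0x1918171615141312111009080706050403020100 > "$1"
}

# Emit one tshark command per table row after validating both keys.
# Exit status is the number of rows skipped for bad keys (0 = all good).
commands_from_table() {   # $1 table file
    bad=0
    while IFS="$(printf '\t')" read -r pcap src dst spi ek ak; do
        if key_ok 'AES-CBC [RFC3602]' "$ek" && key_ok 'HMAC-SHA-1-96 [RFC2404]' "$ak"; then
            rec=$(esp_sa_record IPv4 "$src" "$dst" "$spi" 'AES-CBC [RFC3602]' "$ek" \
                                'HMAC-SHA-1-96 [RFC2404]' "$ak")
            build_tshark_cmd "$pcap" "$rec"; echo
        else
            echo "skipping $pcap: bad key length" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# Batch use on a machine with tshark:  commands_from_table sa_table.txt | sh
```

The same `-o` overrides are accepted by the Wireshark GUI binary, so a trace can also be opened pre-configured. If editing the file directly is preferred, the records that `esp_sa_record` prints are exactly the lines to put in the esp_sa file of a configuration profile, after which `tshark -C <profile> -r trace.pcap` picks them up without any `-o` options.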


1 Answer


If you have messages in your traces that describe the SPI/keys, you could write a dissector for those messages and call esp_sa_record_add_from_dissector() (see https://code.wireshark.org/review/git...).

MartinM
answered 2018-11-15 22:04:38 +0000
updated 2018-11-15 23:53:11 +0000 by cmaynard
