opkloan.blogg.se

Wireshark display filter yellow








First of all: Wireshark 1.8.0 implements only 3DES and DES for IKEv1 decryption (same for version 1.6.8). See: epan\dissectors\packet-isakmp.c: decrypt_payload()

If you want to decrypt any other algorithm, the dissector needs to be extended (Volunteers are welcome!). You can file an enhancement request for this at, possibly with a link to this question.

To get the required IKEv1 parameters for the dissector (Initiator's COOKIE and Encryption Key) you need debug output from your IPSEC implementation. I tested with strongSwan 4.4 on Linux and with this capture file (with the capture file and the data provided in this answer, you can try it yourself).

To get the value of "enc key" in the log, you need at least this debug option: -debug-crypt. Look for ICOOKIE and enc key in the Pluto debug log. Extract the values of ICOOKIE and 'enc key' WITHOUT spaces.

HINT: If you use any other IPSEC implementation please read the manual how to get that information.

Edit -> Preferences -> Protocols -> ISAKMP -> IKEv1 Decryption Table:

Enc Key: 449e829ea966d421fbcb86bd7ad92e865abab15baa5c672a

HINT: The "enc key" spans two lines!!

To decrypt ESP packets with Wireshark 1.8.0, you again need debug output from your IPSEC implementation. For Linux and strongSwan, you'll get that information with this command:

Proto esp spi 0x0879355b reqid 16421 mode tunnel

Use those values for the ESP dissector parameters, as shown in the following screenshots.








