Ask Your Question

How can I save the payload of ESP as separate packet after decryption ?

asked 2018-04-02 07:32:56 +0000

this post is marked as community wiki

This post is a wiki. Anyone with karma >750 is welcome to improve it.

I have the encrypted ESP packets. I am able to decrypt these packets after putting necessary keys and algo inside below filed. Edit ->Preferences -> ESP

Basically ESP has the inner packet with IP, UDP/TCP, and other user defined protocol.. In my case, I have a separate tool to parse the user defined protocol. But ESP packets does not work in that tool. The tools works with the wireshark file without ESP.

So can I strip off the IP, UDP and ESP header from the log, so that the log file will be just like as collected before security gateway ?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2018-04-02 19:30:22 +0000

Anders gravatar image

Use the exported pdu functionality.

edit flag offensive delete link more


Thanks Anders for your reply. In my case, exported pdu functionality works with "OSI layer 3" option.

But it shows additional field called "EXPORTED_PDU". It looks like the tool used for parsing the user defined protocol has to be modified to parse this new format.

pknayak gravatar imagepknayak ( 2018-04-03 05:58:16 +0000 )edit

Not sure that I follow what you are saying. Some meta data from the original file gets saved and interpreted by the "Exported PDU" dissector that meta data "should" contain the next protocol or UDP/TCP port to call as the next dissector. What is displayed after Exported PDU in your trace and what is the protocol following ESP?

Anders gravatar imageAnders ( 2018-04-03 13:20:20 +0000 )edit

Basically ESP payload is exported with "OSI layer 3" option. This is something as below.

Original Packet : Frame->Ethernet -> IP -> ESP -> IP2 -> UDP2 -> Data

After export PDU: Frame->EXPORTEDPDU -> IP2 -> UDP_2 -> Data

But I was expecting something like below, Frame->Ethernet -> IP2 -> UDP2 -> Data

So that the tool used to parse data can work well just after the export without changing the parsing logic of the tool.

Is there any way, I can replace "EXPORTED_PDU" with Ethernet ?

pknayak gravatar imagepknayak ( 2018-04-03 13:58:04 +0000 )edit

No this is what you get, the decrypted data after esp with some metadata from the previous layers saved. Any decoder of this file would have to understand the exported pdu format as wireshark does. The format is documented in the sources.

Anders gravatar imageAnders ( 2018-04-03 15:35:50 +0000 )edit

Thanks for the clarification.

pknayak gravatar imagepknayak ( 2018-04-03 17:50:54 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2018-04-02 07:32:56 +0000

Seen: 36 times

Last updated: Apr 03