How to specify the path or content of esp_sa corresponding to the pcap file in the tshark command

asked 2023-04-26 01:50:04 +0000

liuang

updated 2023-04-26 01:58:35 +0000

I need to use the tshark command to parse the ESP information in a pcap. When I put the esp_sa file in the root directory of Wireshark, it can be parsed and the output contains ESP information. But I have a requirement now: I can't put it in the default directory of Wireshark, because I may have two pcaps being parsed concurrently, so I need to specify, in the tshark command, the path or content of the esp_sa file corresponding to each pcap to be parsed. Is there any way to do this? (I tried using -o esp.sa_file:<esp_sa_path> to add the path of esp_sa to the command, but tshark told me that this parameter is not supported.)


Comments

Question is, why do you need two esp_sa files? The SAs are keyed by the {Protocol, Src IP, Dest IP, SPI} tuple, so even if you use the same file, the distinction can be made anyway.

Jaap ( 2023-04-26 05:06:52 +0000 )

1 Answer


answered 2023-04-26 03:47:00 +0000

Chuckc

updated 2023-04-26 03:53:55 +0000

esp_sa is a UAT stored in the profile directory.
You could have a profile per esp_sa file and specify which profile to use on the tshark command line:

-C <configuration profile>  Run with the given configuration profile.


packet-ipsec.c:

  esp_uat = uat_new("ESP SAs",
            sizeof(uat_esp_sa_record_t),    /* record size */
            "esp_sa",                       /* filename */
            TRUE,                           /* from_profile */
...

Comments

Thank you for your suggestion. I have tested that your method is indeed feasible, but I still have a request: can I customize the path of the profiles file instead of the specified path under the user's ~/.config/wireshark/profiles? The esp_sa file in my environment cannot be placed in this path.

liuang ( 2023-05-11 06:50:47 +0000 )

There is an environment variable (WIRESHARK_CONFIG_DIR) to point to a different directory for personal configuration files. See man page wireshark(1).

Chuckc ( 2023-05-13 11:54:23 +0000 )
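
The answer and the follow-up comment combined, as an added example that is not part of the original thread: each tshark run gets its own WIRESHARK_CONFIG_DIR holding one profile with a copy of its esp_sa file, so concurrent parses never share a file. The profile name `esp`, the function names, and the `-o esp.enable_encryption_decode:TRUE` override (a fresh configuration directory has no saved preferences) are assumptions of this example.

```shell
#!/bin/sh
# Added example: per-capture ESP SA file via a throwaway config directory.
# PROFILE is an arbitrary name chosen for this example.
PROFILE=esp

# make_sa_config ESP_SA_FILE
# Creates a private configuration directory containing one profile whose
# esp_sa UAT is a copy of ESP_SA_FILE, and prints the directory path.
make_sa_config() {
    sa_file=$1
    [ -r "$sa_file" ] || { echo "cannot read $sa_file" >&2; return 1; }
    cfg=$(mktemp -d "${TMPDIR:-/tmp}/wscfg.XXXXXX") || return 1
    chmod 700 "$cfg"                      # esp_sa holds key material
    mkdir -p "$cfg/profiles/$PROFILE" || return 1
    cp "$sa_file" "$cfg/profiles/$PROFILE/esp_sa" || return 1
    chmod 600 "$cfg/profiles/$PROFILE/esp_sa"
    printf '%s\n' "$cfg"
}

# decode_with_sa PCAP ESP_SA_FILE [extra tshark args...]
# Runs tshark against PCAP using only the SAs in ESP_SA_FILE, then removes
# the temporary configuration directory and returns tshark's exit status.
decode_with_sa() {
    pcap=$1; sa_file=$2; shift 2
    cfg=$(make_sa_config "$sa_file") || return 1
    WIRESHARK_CONFIG_DIR=$cfg tshark -C "$PROFILE" \
        -o esp.enable_encryption_decode:TRUE -r "$pcap" "$@"
    rc=$?
    rm -rf "$cfg"                         # do not leave keys behind
    return "$rc"
}

# Stand-alone use: script.sh capture.pcap /path/to/esp_sa [tshark args]
if [ "$#" -ge 2 ]; then decode_with_sa "$@"; fi
```

Because every call builds its own directory with mktemp, two invocations with different esp_sa files can run at the same time without touching ~/.config/wireshark.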
