How to decrypt ISAKMP / IKEv2 traffic by using tshark?
Hi all,
I want to decrypt a .pcap which has an IPsec communication establishment (with IKE_AUTH and INFORMATIONAL fragments encrypted) and save the result in a .pcap file with all these packets decrypted. I'm using Strongswan, so I have the ikev2_decryption_table file, and with Wireshark I'm able to decrypt this pcap, but I would like to do that using tshark or editcap or any other useful tool.
I saw that tshark allows preferences to be specified like in the Wireshark GUI, but it does not work for me.
I tried to run something like:
tshark -r original_pcap.pcap -o isakmp.ikev2_decryption_table:ike_decryption_table_from_strongswan -w test.pcap
but the IKEv2 packets are not decrypted at all.
Can someone help me specify the ikev2_decryption_table file from Strongswan to decrypt this pcap?
Thanks
isakmp.ikev2_decryption_table is a UAT. There is an example in the wireshark man page of how to add entries to a UAT.
You don't get to save a decrypted capture but you can save the decrypted data as PDUs.
tshark man page
3444: ipsec: refactor the decryption and dissection of ESP packets mentions a sample capture (Wiki: Example 2: Dissection of encrypted (and UDP-encapsulated) IKEv2 and ESP messages) for discussion.
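The point the answer makes is that ikev2_decryption_table is not a simple preference taking a file path, but a user access table, and tshark lets you inject UAT records one at a time on the command line with -o "uat:<uat name>:<record>". The script below is an added example written for this thread, not code from the original posters, Wireshark or strongSwan: it reads a strongSwan-style ikev2_decryption_table file (a constructed sample with placeholder SPIs and keys is written if no file is given), turns every record into its own -o override, and runs tshark with all of them to list the IKE SAs of the decoded ISAKMP frames. The eight-column record layout follows what Wireshark stores in that table; the algorithm name strings in the sample are assumed to match Wireshark's spelling and should be taken from the file strongSwan actually produced.

```shell
#!/bin/sh
# Added example (not from the original thread): feed a strongSwan-style
# ikev2_decryption_table file to tshark as "-o uat:..." overrides, which is
# the command-line equivalent of the table Wireshark reads from its profile
# directory. Usage: ./ikev2_tshark.sh [capture.pcap] [ikev2_decryption_table]
set -eu

# Constructed sample record (placeholder SPIs and keys, not real material).
# Columns: Initiator SPI, Responder SPI, SK_ei, SK_er, encryption algorithm,
# SK_ai, SK_ar, integrity algorithm. The algorithm strings are assumed to
# follow Wireshark's own spelling for this table.
write_sample_keyfile() {
  cat > "$1" <<'EOF'
# ikev2_decryption_table written by hand for this example
"0011223344556677","8899aabbccddeeff","000102030405060708090a0b0c0d0e0f","0f0e0d0c0b0a09080706050403020100","AES-CBC-128 [RFC3602]","00112233445566778899aabbccddeeff00112233","ffeeddccbbaa99887766554433221100ffeeddcc","HMAC_SHA1_96 [RFC2404]"
EOF
}

# Print one "uat:ikev2_decryption_table:<record>" preference value per
# non-empty, non-comment line. The "-o uat:<name>:<record>" form is the one
# documented in the tshark man page for overriding a UAT from the CLI.
build_uat_overrides() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;   # skip blank lines and comments
    esac
    printf 'uat:ikev2_decryption_table:%s\n' "$line"
  done < "$1"
}

# Number of usable records in a table file (sanity check before a run).
count_records() {
  build_uat_overrides "$1" | grep -c '^uat:ikev2_decryption_table:' || true
}

# Run tshark with every record of the table passed as its own -o override and
# print the IKE SA (initiator/responder SPI) each decoded ISAKMP frame belongs to.
decrypt_with_tshark() {
  pcap="$1"; keyfile="$2"
  set --                                   # rebuild the arg list from the file
  while IFS= read -r override; do
    set -- "$@" -o "$override"
  done <<EOF
$(build_uat_overrides "$keyfile")
EOF
  tshark -r "$pcap" "$@" -Y isakmp -T fields \
    -e frame.number -e isakmp.exchangetype -e isakmp.ispi -e isakmp.rspi
}

PCAP="${1:-}"
KEYFILE="${2:-}"
if [ -z "$KEYFILE" ]; then
  KEYFILE="$(mktemp)"
  write_sample_keyfile "$KEYFILE"
fi

echo "records in $KEYFILE: $(count_records "$KEYFILE")"
build_uat_overrides "$KEYFILE"

# Only invoke tshark when a capture was given and the tool is installed.
if [ -n "$PCAP" ] && command -v tshark >/dev/null 2>&1; then
  decrypt_with_tshark "$PCAP" "$KEYFILE"
fi
```

Without a capture argument the script only prints the overrides it would pass, which is a quick way to confirm that the table parsed into as many records as strongSwan logged SAs; the -T fields output is deliberately limited to the SA identifiers, so swap in -V when you want to see the decrypted IKE_AUTH payloads themselves. As the answer notes, this decodes the packets for display; it does not rewrite the capture with plaintext.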