How to decrypt ISAKMP / IKEv2 traffic by using tshark?

asked 2025-05-07 18:19:00 +0000 by avion

updated 2025-05-07 18:31:06 +0000 by grahamb

Hi all,

I want to decrypt a .pcap which contains an IPsec communication establishment (with the IKE_AUTH and INFORMATIONAL fragments encrypted) and save the result in a .pcap file with all these packets decrypted. I'm using Strongswan, so I have the ikev2_decryption_table file, and with Wireshark I'm able to decrypt this pcap, but I would like to do that using tshark, editcap or any other useful tool.

I saw that tshark allows specifying preferences like in the Wireshark GUI, but it does not work for me.

I tried to run something like:

tshark -r original_pcap.pcap -o isakmp.ikev2_decryption_table:ike_decryption_table_from_strongswan -w test.pcap

but the IKEv2 packets are not decrypted at all.

Can someone help me specify the ikev2_decryption_table file from Strongswan to decrypt this pcap?

Thanks


Comments

isakmp.ikev2_decryption_table is a UAT.
There is an example in the Wireshark man page of how to add entries to a UAT.

-o "uat:user_dlts:\"User 0 (DLT=147)\",\"cops\",\"0\",\"\",\"0\",\"\""

You don't get to save a decrypted capture but you can save the decrypted data as PDUs.

tshark man page

C:\>tshark -U ""
tshark: The available export tap names and the encapsulation types they produce for the "-U tap_name" option are:
    DLT User - Wireshark Upper PDU export
    DVB-CI - Wireshark Upper PDU export
    Ethernet - Ethernet
    IP - Raw IP
    Logcat - Wireshark Upper PDU export
    Logcat Text - Wireshark Upper PDU export
    OSI layer 3 - Wireshark Upper PDU export
    OSI layer 4 - Wireshark Upper PDU export
    OSI layer 7 - Wireshark Upper PDU export
Chuckc ( 2025-05-08 02:14:21 +0000 )
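The comment above shows the man-page form for adding a UAT record from the command line. The script below is an added example, not code from the original post, from strongSwan or from Wireshark: it reads strongSwan's ikev2_decryption_table (which the save-keys plugin writes in Wireshark's own UAT file format, one IKE_SA per line, SPIs and keys as bare hex and algorithm names quoted) and passes every record to tshark as a separate -o "uat:ikev2_decryption_table:<record>" option, in place of the -o isakmp.ikev2_decryption_table:<file> form tried in the question. The record in SAMPLE_TABLE is constructed throwaway data sized for AES-CBC-128 and HMAC_SHA1_96, not keys from any real session; the UAT name ikev2_decryption_table is the file name Wireshark itself uses for this table.

```shell
#!/bin/sh
# Added example, not code from the original post, strongSwan or Wireshark.
# Feeds each record of strongSwan's ikev2_decryption_table to tshark as a UAT
# entry via -o "uat:<table>:<record>", the form shown in the tshark man page,
# instead of "-o isakmp.ikev2_decryption_table:<file>", which is not a
# preference tshark knows.
#
# strongSwan's save-keys plugin writes the table in Wireshark's UAT file
# format, one IKE_SA per line: SPIs and keys as bare hex, algorithm names
# quoted, i.e.  spi_i,spi_r,sk_ei,sk_er,"enc_alg",sk_ai,sk_ar,"integ_alg"
# The record below is constructed sample data with throwaway values, sized
# for AES-CBC-128 (16-byte keys) and HMAC_SHA1_96 (20-byte keys).
SAMPLE_TABLE='# IKEv2 decryption table (constructed sample, not real keys)
0011223344556677,8899aabbccddeeff,00112233445566778899aabbccddeeff,ffeeddccbbaa99887766554433221100,"AES-CBC-128 [RFC3602]",000102030405060708090a0b0c0d0e0f10111213,131211100f0e0d0c0b0a09080706050403020100,"HMAC_SHA1_96 [RFC2404]"'

# Write the constructed sample table to a file (for a dry run without strongSwan).
write_sample_table() {
    printf '%s\n' "$SAMPLE_TABLE" > "$1"
}

# Turn every record of a table file into the value of one -o option, one per
# output line. Comment lines and blank lines are dropped.
uat_args_from_table() {
    while IFS= read -r rec; do
        case "$rec" in ''|'#'*) continue ;; esac
        printf 'uat:ikev2_decryption_table:%s\n' "$rec"
    done < "$1"
}

# Build the tshark command line: one -o per record. An algorithm name such as
# "AES-CBC-128 [RFC3602]" contains spaces, so each value must stay a single
# shell word, hence the positional-parameter list instead of string splicing.
# With matching keys the IKE_AUTH and INFORMATIONAL exchanges show their inner
# payloads under the "Encrypted and Authenticated" payload in the -V tree;
# with wrong or missing keys only the ciphertext and ICV are shown.
run_tshark_decrypted() {
    table="$1"
    pcap="$2"
    set --
    while IFS= read -r arg; do
        set -- "$@" -o "$arg"
    done <<EOF
$(uat_args_from_table "$table")
EOF
    tshark -r "$pcap" "$@" -Y isakmp -V
}

# Usage: sh ike_decrypt.sh /path/to/ikev2_decryption_table original_pcap.pcap
if [ "$#" -eq 2 ]; then
    run_tshark_decrypted "$1" "$2"
fi
```

The keys only reach the dissector when each -o value is one argument, which is why the script never builds the command line as a single string. To confirm that decryption actually happened rather than eyeballing the tree, filter on the decrypted-data field instead of -V (its name is isakmp.enc.decrypted in current Wireshark; treat that name as an assumption and check it with tshark -G fields if in doubt): packets that match have been decrypted, packets that only carry isakmp.enc.data have not, usually because the SPI pair or an algorithm name in the record does not match the capture.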