How to decrypt ISAKMP / IKEv2 traffic by using tshark?
Hi all,
I want to decrypt a .pcap which has an IPsec communication establishment (with IKE_AUTH and INFORMATIONAL fragment encrypted) and save the result in a .pcap file with all these packets decrypted. I'm using Strongswan so I have the ikev2_decryption_table file and with Wireshark I'm able to decrypt this pcap but I would want to do that using tshark or editcap or any other useful tool.
I saw that tshark allows preferences to specify some things like in the Wireshark GUI, but it does not work for me.
I tried to run something like:
tshark -r original_pcap.pcap -o isakmp.ikev2_decryption_table:ike_decryption_table_from_strongswan -w test.pcap
but the IKEv2 packets are not decrypting at all.
Can someone help me to specify the ikev2_decryption_file from Strongswan to decrypt this pcap?
Thanks
isakmp.ikev2_decryption_table is a UAT. There is an example in the Wireshark man page of how to add entries to a UAT.
You don't get to save a decrypted capture but you can save the decrypted data as PDUs.
tshark man page
C:\>tshark -U ""
tshark: The available export tap names and the encapsulation types they produce for the "-U tap_name" option are:
    DLT User - Wireshark Upper PDU export
    DVB-CI - Wireshark Upper PDU export
    Ethernet - Ethernet
    IP - Raw IP
    Logcat - Wireshark Upper PDU export
    Logcat Text - Wireshark Upper PDU export
    OSI layer 3 - Wireshark Upper PDU export
    OSI layer 4 - Wireshark Upper PDU export
    OSI layer 7 - Wireshark Upper PDU export

3444: ipsec: refactor the decryption and dissection of ESP packets mentions a sample capture (Wiki: Example 2: Dissection of encrypted (and UDP-encapsulated) IKEv2 and ESP messages) for discussion.
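Putting the man page's UAT override form to work on the strongSwan file, as an added example that is not from the answer above or from the Wireshark project: each record of ikev2_decryption_table is passed as its own "-o uat:ikev2_decryption_table:<record>" argument. The function names and the sample record (dummy SPIs and keys) are constructed for illustration.

```shell
#!/bin/sh
# Feed a strongSwan-written ikev2_decryption_table to tshark record by record,
# using the "-o uat:<uat name>:<record>" form from the tshark man page.
# Helper names below are made up for this example.

# Print "-o" / "uat:ikev2_decryption_table:<record>" pairs, one per line.
# Blank lines and '#' comments are skipped so the table file can carry notes.
uat_args() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    printf '%s\n' "-o" "uat:ikev2_decryption_table:$line"
  done < "$1"
}

# Number of records that would be handed to tshark (sanity check before a run).
uat_record_count() {
  uat_args "$1" | grep -c '^-o$'
}

# Dissect the capture with every table record applied and print the full
# ISAKMP dissection, where the decrypted IKE_AUTH / INFORMATIONAL payloads
# appear. No new pcap is written: decryption happens at dissection time.
decrypt_ike() {
  pcap="$1"; table="$2"
  set --                                   # rebuild "$@" as the tshark arg list
  while IFS= read -r arg; do set -- "$@" "$arg"; done <<EOF
$(uat_args "$table")
EOF
  tshark -r "$pcap" "$@" -Y isakmp -V
}

# Constructed sample table (dummy values, NOT real key material) in the
# eight-field layout the IKEv2 decryption table uses: ISPI, RSPI, SK_ei,
# SK_er, encryption algorithm, SK_ai, SK_ar, integrity algorithm.
write_sample_table() {
  cat > "$1" <<'EOF'
# constructed sample, one IKE SA per line
"0011223344556677","8899aabbccddeeff","000102030405060708090a0b0c0d0e0f","0f0e0d0c0b0a09080706050403020100","AES-CBC-128 [RFC3602]","0102030405060708090a0b0c0d0e0f1011121314","14131211100f0e0d0c0b0a090807060504030201","HMAC_SHA1_96 [RFC2404]"
EOF
}

# Usage: sh decrypt_ike.sh original_pcap.pcap ikev2_decryption_table
if [ "$#" -eq 2 ]; then decrypt_ike "$1" "$2"; fi
```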