Ask Your Question

How to decrypt Ipsec protocol that have esp with command line

asked 2018-11-14 08:26:35 +0000

this post is marked as community wiki

This post is a wiki. Anyone with karma >750 is welcome to improve it.

Hello, I work with wireshark a lot and I need to decode a LOT of traces that have ESP. It takes a long time to manually enter in all the information necessary in the GUI to decode each different trace, so I am trying to figure out a way to pass the ESP decryption parameters as command line arguments to tshark or wireshark. Or even be able to edit a file like esp_sa.

Thanks, surya

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2018-11-15 22:04:38 +0000

MartinM gravatar image

updated 2018-11-15 23:53:11 +0000

cmaynard gravatar image

If you have messages in your traces that describe the SPI/keys, you could write a dissector for those messages and call esp_sa_record_add_from_dissector()(see

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2018-11-14 08:26:35 +0000

Seen: 563 times

Last updated: Nov 15 '18