How to decrypt the IPsec protocol that has ESP with the command line

asked 2018-11-14 08:26:35 +0000

Hello, I work with Wireshark a lot and I need to decode a LOT of traces that have ESP. It takes a long time to manually enter all the information necessary in the GUI to decode each different trace, so I am trying to figure out a way to pass the ESP decryption parameters as command line arguments to tshark or Wireshark, or even to be able to edit a file like esp_sa.

Thanks, surya

1 Answer

answered 2018-11-15 22:04:38 +0000

MartinM

updated 2018-11-15 23:53:11 +0000

cmaynard

If you have messages in your traces that describe the SPI/keys, you could write a dissector for those messages and call esp_sa_record_add_from_dissector() (see https://code.wireshark.org/review/git...).

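Example script added here (it is not the poster's or Wireshark's own code) covering both routes the question asks about: supplying ESP SA records to tshark on the command line and writing them to a profile's esp_sa file. It assumes the eight-field esp_sa record layout and the default-profile path given in the comments; every address, SPI and key is a constructed sample value.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds Wireshark "esp_sa"
# UAT records and hands them to tshark with -o, so a batch of traces can be
# decrypted without the GUI. Assumption: the eight-field esp_sa layout
# (protocol, src, dst, SPI, enc algo, enc key, auth algo, auth key); check
# the esp_sa file your own build writes, since newer releases may add
# fields. All addresses, SPIs and keys are constructed sample values.

# esp_sa_record PROTO SRC DST SPI ENC_ALGO ENC_KEY AUTH_ALGO AUTH_KEY
# Prints one record in the quoted CSV form Wireshark stores in the
# profile's esp_sa file and accepts via `-o "uat:esp_sa:<record>"`.
esp_sa_record() {
    printf '"%s","%s","%s","%s","%s","%s","%s","%s"\n' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8"
}

# Constructed SAs for both directions of one tunnel (AES-128-CBC with
# HMAC-SHA-1-96: 16-byte cipher key, 20-byte authentication key).
INBOUND=$(esp_sa_record IPv4 192.0.2.1 198.51.100.7 0x0a1b2c3d \
    "AES-CBC [RFC3602]" 0x00112233445566778899aabbccddeeff \
    "HMAC-SHA-1-96 [RFC2404]" 0x0102030405060708090a0b0c0d0e0f1011121314)
OUTBOUND=$(esp_sa_record IPv4 198.51.100.7 192.0.2.1 0x4e5f6a7b \
    "AES-CBC [RFC3602]" 0xffeeddccbbaa99887766554433221100 \
    "HMAC-SHA-1-96 [RFC2404]" 0x14131211100f0e0d0c0b0a090807060504030201)

# write_esp_sa_file PATH: the "edit a file like esp_sa" route. Wireshark
# and tshark read this file from the active profile directory on startup
# (assumed path for the default profile: ~/.config/wireshark/esp_sa).
write_esp_sa_file() {
    printf '%s\n' "$INBOUND" "$OUTBOUND" > "$1"
}

# decrypt_esp CAPTURE: the command-line route. Each -o uat:esp_sa adds one
# SA record for this run only; the two preferences turn on payload
# decryption and ICV verification, so mis-keyed packets are flagged.
decrypt_esp() {
    tshark -r "$1" \
        -o esp.enable_encryption_decode:TRUE \
        -o esp.enable_authentication_check:TRUE \
        -o "uat:esp_sa:$INBOUND" \
        -o "uat:esp_sa:$OUTBOUND" \
        -Y esp
}

# Usage: sh decrypt_esp.sh trace.pcap (skipped when tshark is not installed).
if [ -n "${1:-}" ] && command -v tshark >/dev/null 2>&1; then
    decrypt_esp "$1"
fi
```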