Revision history

initial version
Wireshark SPI parsing is broken

Tested versions: 4.0.17, 4.4.8

I was doing some ESP traffic analysis when I discovered at least the following bug in Wireshark and also a documentation issue.

I am decrypting IKEv2 ESP traffic:

  • The SPI must be provided as an unsigned long or as *, because there is a bug in get_esp_sa, which requires that the SPI contain a * or it won't be treated as a string. Maybe this check should be 'x' instead?
  • The encryption key must be in 0x format. This is not really mentioned anywhere.

For the SPI issue, this could fix it:

diff -urN a/epan/dissectors/packet-ipsec.c b/epan/dissectors/packet-ipsec.c
--- a/epan/dissectors/packet-ipsec.c    2025-08-04 08:49:08.051429961 +0000
+++ b/epan/dissectors/packet-ipsec.c    2025-08-04 08:49:43.277147173 +0000
@@ -1088,8 +1088,8 @@
   if((filter_len == 1) && (filter[0] == IPSEC_SA_WILDCARDS_ANY))
     return true;

-  /* If the filter has a wildcard, treat SPI as a string */
-  if (strchr(filter, IPSEC_SA_WILDCARDS_ANY) != NULL) {
+  /* If the filter has an x, treat SPI as a string */
+  if (strchr(filter, 'x') != NULL) {
     char spi_string[IPSEC_SPI_LEN_MAX];

     snprintf(spi_string, IPSEC_SPI_LEN_MAX,"0x%08x", spi);
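Review bot: replacing the wildcard check with `strchr(filter, 'x')` drops the wildcard case instead of adding the hex-prefix case: a filter such as `1234*` contains no `x`, so after this change it would no longer take the string branch at all, while the check just above it only handles a filter that is exactly `*`. Keep both conditions, e.g. `if (strchr(filter, IPSEC_SA_WILDCARDS_ANY) != NULL || strchr(filter, 'x') != NULL) {`. Also, `snprintf(spi_string, IPSEC_SPI_LEN_MAX,"0x%08x", spi);` produces a lowercase prefix, so a filter typed as `0X...` would neither be detected by `strchr(filter, 'x')` nor compare equal to `spi_string`; either normalise the filter to lowercase first or test for `'X'` as well, and make the replacement comment say why a hex prefix forces the string path rather than just "has an x".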