tcpdump question of ipsec / esp packets
Mike Tancsa
mike at sentex.net
Wed Mar 5 21:51:03 UTC 2014
Not sure if this is even possible in tcpdump, but I was hoping I would
be able to properly decode the protocol of the encapsulated packets in
an ipsec connection.
In my test network given 2 endpoints, I establish an ipsec tunnel using
3des for the encryption. (setkey -D output attached as a text file to
preserve formatting)
I then send 5 ping packets across the tunnel
ping -c 5 -s 500 -p aa 192.168.99.1
I capture the traffic (see tcpdump #1) and all looks as expected
using the output of setkey, and the command
tcpdump -s0 -nr ipsec.pcap -E "0x0d8f42b8 at 64.7.139.200 3des-cbc:0x1b80416e2267a721f9dbd835b0edbb3e5929bec673e39c5a,0x013ecf38 at 64.7.134.1 3des-cbc:0x2b4fd47185d56bef50bf3796ce07b5376317336e9b66550a"
I get what seems to be an incorrect result (see tcpdump #2) as the
decoded protocol is messed up.
But, if I add -x to the args, looking at the payload, it does indeed
seem to decode the packets correctly (see tcpdump #3) as I see the ping
pattern.
tcpdump -s0 -nr ipsec.pcap -E "0x0d8f42b8 at 64.7.139.200 3des-cbc:0x1b80416e2267a721f9dbd835b0edbb3e5929bec673e39c5a,0x013ecf38 at 64.7.134.1 3des-cbc:0x2b4fd47185d56bef50bf3796ce07b5376317336e9b66550a" -x
Am I doing something wrong, or is tcpdump just not capable of decoding
the decrypted packet's protocol?
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
-------------- next part --------------
64.7.139.200 64.7.134.1
esp mode=tunnel spi=20893496(0x013ecf38) reqid=16385(0x00004001)
E: 3des-cbc 2b4fd471 85d56bef 50bf3796 ce07b537 6317336e 9b66550a
A: hmac-sha1 696dce8a 6b837e69 e16e9591 638f6860 480d4725
seq=0x00000026 replay=4 flags=0x00000000 state=mature
created: Mar 5 21:13:51 2014 current: Mar 5 21:14:40 2014
diff: 49(s) hard: 28800(s) soft: 23040(s)
last: Mar 5 21:14:29 2014 hard: 0(s) soft: 0(s)
current: 5168(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 38 hard: 0 soft: 0
sadb_seq=2 pid=25112 refcnt=2
64.7.134.1 64.7.139.200
esp mode=tunnel spi=227492536(0x0d8f42b8) reqid=16386(0x00004002)
E: 3des-cbc 1b80416e 2267a721 f9dbd835 b0edbb3e 5929bec6 73e39c5a
A: hmac-sha1 79dc70b0 baef9cf4 bd89a02c c8026984 c652730b
seq=0x00000026 replay=4 flags=0x00000000 state=mature
created: Mar 5 21:13:51 2014 current: Mar 5 21:14:40 2014
diff: 49(s) hard: 28800(s) soft: 23040(s)
last: Mar 5 21:14:29 2014 hard: 0(s) soft: 0(s)
current: 3952(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 38 hard: 0 soft: 0
sadb_seq=1 pid=25112 refcnt=1
64.7.134.1 64.7.139.200
esp mode=tunnel spi=122839746(0x075262c2) reqid=16386(0x00004002)
E: 3des-cbc 1fafa222 097a66ad dde4d2e4 283e12bf f7f3200a b77bcebf
A: hmac-sha1 2f0322fc 23882565 6e7a2430 bae3e959 fe64797d
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Mar 5 21:10:03 2014 current: Mar 5 21:14:40 2014
diff: 277(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=25112 refcnt=1
#tcpdump #1
21:15:23.143805 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x27), length 564
21:15:23.143941 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x27), length 564
21:15:24.143168 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x28), length 564
21:15:24.143292 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x28), length 564
21:15:25.143934 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x29), length 564
21:15:25.144054 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x29), length 564
21:15:26.145602 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x2a), length 564
21:15:26.145718 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x2a), length 564
21:15:27.146664 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x2b), length 564
21:15:27.146791 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x2b), length 564
#tcpdump #2
tcpdump -s0 -nr ipsec.pcap -E "0x0d8f42b8 at 64.7.139.200 3des-cbc:0x1b80416e2267a721f9dbd835b0edbb3e5929bec673e39c5a,0x013ecf38 at 64.7.134.1 3des-cbc:0x2b4fd47185d56bef50bf3796ce07b5376317336e9b66550a"
reading from file ipsec.pcap, link-type EN10MB (Ethernet)
capability mode sandbox enabled
21:15:23.143805 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x27), length 564: ip-proto-243 413
21:15:23.143941 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x27), length 564: ip-proto-153 544
21:15:24.143168 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x28), length 564: ip-proto-246 470
21:15:24.143292 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x28), length 564: ip-proto-172 404
21:15:25.143934 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x29), length 564: ip-proto-213 413
21:15:25.144054 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x29), length 564: ip-proto-83 431
21:15:26.145602 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x2a), length 564: ip-proto-98 498
21:15:26.145718 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x2a), length 564: ip-proto-18 353
21:15:27.146664 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x2b), length 564: ip-proto-80 391
21:15:27.146791 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x2b), length 564: ip-proto-111 335
#tcpdump #3
tcpdump -s0 -nr ipsec.pcap -E "0x0d8f42b8 at 64.7.139.200 3des-cbc:0x1b80416e2267a721f9dbd835b0edbb3e5929bec673e39c5a,0x013ecf38 at 64.7.134.1 3des-cbc:0x2b4fd47185d56bef50bf3796ce07b5376317336e9b66550a" -x | less
reading from file ipsec.pcap, link-type EN10MB (Ethernet)
capability mode sandbox enabled
21:15:23.143805 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x27), length 564: ip-proto-243 413
0x0000: 4500 0248 f11c 0000 3e32 f78f 4007 8601
0x0010: 4007 8bc8 0d8f 42b8 0000 0027 6cd5 c503
0x0020: 8302 f347 4500 0210 d108 0000 3f01 c45f
0x0030: c0a8 0033 c0a8 6301 0800 eb00 04c0 0000
0x0040: 5317 93ea 0002 213b aaaa aaaa aaaa aaaa
0x0050: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0060: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0070: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0080: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0090: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x00a0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x00b0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x00c0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x00d0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x00e0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x00f0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0100: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0110: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0120: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0130: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0140: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0150: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0160: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0170: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0180: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0190: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x01a0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x01b0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x01c0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x01d0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x01e0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x01f0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0200: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0210: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0220: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0230: aaaa aaaa 0102 0304 0506 0604 dde6 fdf1
0x0240: 3c29 78e8 3506 85f3
21:15:23.143941 IP 64.7.139.200 > 64.7.134.1: ESP(spi=0x013ecf38,seq=0x27), length 564: ip-proto-153 544
0x0000: 4500 0248 2eda 0000 4032 b7d2 4007 8bc8
0x0010: 4007 8601 013e cf38 0000 0027 6666 5071
0x0020: 9e11 c711 4500 0210 2ed9 0000 4001 658f
0x0030: c0a8 6301 c0a8 0033 0000 f300 04c0 0000
0x0040: 5317 93ea 0002 213b aaaa aaaa aaaa aaaa
0x0050: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0060: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0070: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0080: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0090: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x00a0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x00b0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x00c0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x00d0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x00e0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x00f0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0100: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0110: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0120: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0130: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0140: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0150: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0160: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0170: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0180: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0190: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x01a0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x01b0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x01c0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x01d0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x01e0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x01f0: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0200: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0210: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0220: aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
0x0230: aaaa aaaa 0102 0304 0506 0604 4e5b 5adb
0x0240: e3d2 ac39 7e6f 0299
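The two hex dumps above contain enough to see why the protocol line is wrong while the payload looks right. The following is an added example, not part of Mike's post or of tcpdump: it rebuilds the two decrypted packets from the hex in tcpdump #3 (the 492 bytes of 0xaa ping pattern are expanded rather than pasted), then walks outer IP, ESP header, IV and ESP trailer under two assumptions about how many trailing bytes belong to the integrity check value (ICV). The setkey output shows hmac-sha1 on both SAs, whose ICV is 12 bytes (HMAC-SHA1-96, RFC 2404). If a decoder treats the ICV as zero bytes, it reads pad-length and next-header from the last two ICV bytes, which here gives exactly the "ip-proto-243 413" and "ip-proto-153 544" lines of tcpdump #2; subtracting 12 bytes gives next-header 4 (IPv4-in-IPv4, i.e. tunnel mode), a pad length of 6 with the RFC 4303 padding sequence 1..6, and an inner ICMP echo request/reply between 192.168.0.51 and 192.168.99.1. The function names, the padding sanity check and the constructed packet constants are my own.

```python
"""Locate the ESP trailer in decrypted ESP-in-IPv4 packets with and without
accounting for the trailing ICV.  Added example; packets are reconstructed
from the hex dump in the post, with the 0xaa ping pattern expanded."""
import struct
from ipaddress import IPv4Address

ESP_PROTO = 50
IV_LEN_3DES_CBC = 8          # one 3DES block, sent in clear right after SPI+seq
ICV_LEN_HMAC_SHA1_96 = 12    # RFC 2404: HMAC-SHA1 truncated to 96 bits (setkey shows hmac-sha1)


def hexbytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))


# ICMP timestamp (8 bytes) followed by 492 bytes of the 0xaa pattern (ping -s 500 -p aa).
PING_DATA = "5317 93ea 0002 213b" + "aa" * 492

# Packet 1 of tcpdump #3 (echo request), already decrypted in place by tcpdump -E.
PKT_REQUEST = hexbytes(
    "4500 0248 f11c 0000 3e32 f78f 4007 8601 4007 8bc8"   # outer IPv4, proto 50 (ESP)
    "0d8f 42b8 0000 0027"                                 # ESP: SPI 0x0d8f42b8, seq 0x27
    "6cd5 c503 8302 f347"                                 # 3DES-CBC IV
    "4500 0210 d108 0000 3f01 c45f c0a8 0033 c0a8 6301"   # inner IPv4, proto 1 (ICMP)
    "0800 eb00 04c0 0000" + PING_DATA +                   # ICMP echo request
    "0102 0304 0506 0604"                                 # padding 1..6, pad len 6, next hdr 4
    "dde6 fdf1 3c29 78e8 3506 85f3"                       # 12-byte HMAC-SHA1-96 ICV
)

# Packet 2 of tcpdump #3 (echo reply).
PKT_REPLY = hexbytes(
    "4500 0248 2eda 0000 4032 b7d2 4007 8bc8 4007 8601"
    "013e cf38 0000 0027"
    "6666 5071 9e11 c711"
    "4500 0210 2ed9 0000 4001 658f c0a8 6301 c0a8 0033"
    "0000 f300 04c0 0000" + PING_DATA +                   # ICMP echo reply
    "0102 0304 0506 0604"
    "4e5b 5adb e3d2 ac39 7e6f 0299"
)


def parse_esp(packet: bytes, iv_len: int, icv_len: int) -> dict:
    """Walk outer IP -> ESP -> trailer, assuming the given IV and ICV lengths.

    icv_len is what the decoder *believes* the trailing ICV occupies.  A wrong
    value makes pad-length and next-header be read from the wrong two bytes.
    """
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != ESP_PROTO:
        raise ValueError("outer protocol is not ESP")
    esp = packet[ihl:total_len]
    spi, seq = struct.unpack("!II", esp[:8])
    body = esp[8 + iv_len:len(esp) - icv_len]   # decrypted payload + ESP trailer
    if len(body) < 2:
        raise ValueError("no room for an ESP trailer under these assumptions")
    pad_len, next_header = body[-2], body[-1]
    payload_len = len(body) - 2 - pad_len
    padding = body[payload_len:len(body) - 2] if payload_len >= 0 else b""
    result = {
        "spi": spi, "seq": seq, "pad_len": pad_len, "next_header": next_header,
        "payload_len": payload_len,
        # RFC 4303 default padding is 1, 2, 3, ...; a mismatch is a cheap signal
        # that the trailer was located at the wrong offset (e.g. ICV not subtracted).
        "padding_ok": payload_len >= 0 and padding == bytes(range(1, pad_len + 1)),
        "inner": None,
    }
    if next_header == 4 and payload_len >= 20:   # IPv4-in-IPv4: tunnel mode
        inner = body[:payload_len]
        inner_ihl = (inner[0] & 0x0F) * 4
        result["inner"] = {
            "len_matches": struct.unpack("!H", inner[2:4])[0] == payload_len,
            "proto": inner[9],
            "src": str(IPv4Address(inner[12:16])),
            "dst": str(IPv4Address(inner[16:20])),
            "icmp_type": inner[inner_ihl] if inner[9] == 1 else None,
        }
    return result


if __name__ == "__main__":
    for name, pkt in (("request", PKT_REQUEST), ("reply", PKT_REPLY)):
        for icv in (0, ICV_LEN_HMAC_SHA1_96):
            r = parse_esp(pkt, IV_LEN_3DES_CBC, icv)
            print(f"{name} icv_len={icv}: ip-proto-{r['next_header']} {r['payload_len']} "
                  f"pad_len={r['pad_len']} padding_ok={r['padding_ok']} inner={r['inner']}")
```

Run as-is, the icv_len=0 lines reproduce tcpdump #2's output byte for byte and fail the padding check, while the icv_len=12 lines yield the inner ICMP packets. The practical consequence is that a `-E` spec naming only the cipher tells tcpdump nothing about the 12 bytes of authentication data; the print-esp.c sources I have read accept an `-hmac96` suffix on the algorithm name (for example `3des-cbc-hmac96:0x...`) to make tcpdump strip a 12-byte ICV, but that is not in the `-E` man page text and should be confirmed against your own tcpdump version. The padding check is also a useful sanity test in your own tooling whenever a decrypted ESP payload "looks right" in hex but decodes to an implausible protocol number.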