tcpdump mailing list archives
tcpdump -E decryption question
From: Torsten Krah <tkrah () fachschaft imn htwk-leipzig de>
Date: Tue, 1 Jul 2008 16:15:57 +0200
Hi, there's no "user" list but I hope I can post here too.

Searching the archives I found this: http://www.tcpdump.org/lists/workers/2003/09/msg00011.html

192.1.2.23 > 192.1.2.45: ESP(spi=0x12345678,seq=0x1): 192.0.2.1 > 192.0.1.1: icmp: echo request (DF) (ipip-proto-4)

This should be the output when tcpdump -E ... is used, however I did not have any success yet decrypting those packets.

I am using 3des with hmac_md5, so the cipher specified is: 3des-cbc-hmac96, right?
The "spi" which must be given is the one shown in the ESP packet above, "0x12345678".
The "addr" - I hope here the local tunnel gateway should be addressed, or what must addr be set to? I don't really know what has to be assigned here - let's use 192.1.2.23.
Key is my tunnel PSK in ASCII format, for example.

Are these "assumptions" correct or is something wrong already?

tcpdump -t -n -E "0x12345678@192.1.2.23 3des-cbc-hmac96:mysecretasciikey" -r pcapfile

This should result in some output like mentioned above, however all I get is the "plain" ESP output (like without the -E option), nothing decrypted behind it and no error message or anything. So I guess I am not correctly using this option.

Can anyone help me with how to make use of the -E parameter?

thx
regards
Torsten

--
Please do not send me Word or PowerPoint attachments. See http://www.gnu.org/philosophy/no-word-attachments.de.html
"Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect." -- Linus Torvalds
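An added example, not part of Torsten's post or of tcpdump itself: the script below pulls the SPI and destination address out of the ESP packets in a pcap (the two values tcpdump -E matches a security association on; the tcpdump man page describes the option as decrypting packets "addressed to addr" with the given SPI) and assembles the `-E "spi@ipaddr algo:secret"` option, where the secret is the ESP encryption key negotiated by IKE (ASCII, or hex with a 0x prefix), not the IKE pre-shared key. The pcap, addresses, SPI and all-zero key are constructed placeholders built from the quoted output, not a real SA; a wrong key length for des-cbc/3des-cbc is rejected before tcpdump is ever run.

```python
import ipaddress
import struct

KEY_LEN = {"des-cbc": 8, "3des-cbc": 24}   # fixed key sizes, used as a sanity check

def esp_sas_in_pcap(data):
    """Return unique (spi, dst_ip) pairs for the IPv4 ESP packets in a classic pcap."""
    e = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack("<I", data[:4])[0]]
    l2 = {1: 14, 101: 0}[struct.unpack(e + "I", data[20:24])[0]]  # Ethernet or raw IP
    sas, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(e + "I", data[off + 8:off + 12])[0]
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if l2 and pkt[12:14] != b"\x08\x00":                # Ethernet frame that is not IPv4
            continue
        ip = pkt[l2:]
        if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 50:  # IP protocol 50 = ESP
            continue
        ihl = (ip[0] & 0x0F) * 4
        if len(ip) < ihl + 8:                                # truncated ESP header
            continue
        spi = struct.unpack(">I", ip[ihl:ihl + 4])[0]       # ESP header starts with the SPI
        sa = (spi, str(ipaddress.IPv4Address(ip[16:20])))   # tcpdump matches the dst address
        if sa not in sas:
            sas.append(sa)
    return sas

def tcpdump_esp_cmd(pcap_path, sas, algo, secret):
    """Assemble a tcpdump argv with one comma-separated -E entry per SA."""
    cipher = algo.split("-hmac96")[0]   # "-hmac96" only tells tcpdump the trailing ICV is 12 bytes
    raw = bytes.fromhex(secret[2:]) if secret.startswith("0x") else secret.encode()
    if cipher in KEY_LEN and len(raw) != KEY_LEN[cipher]:
        raise ValueError(f"{cipher} needs a {KEY_LEN[cipher]}-byte key, got {len(raw)}")
    spec = ",".join(f"0x{spi:08x}@{dst} {algo}:{secret}" for spi, dst in sas)
    return ["tcpdump", "-t", "-n", "-r", pcap_path, "-E", spec]

def sample_pcap():
    """Constructed capture: one ESP packet 192.1.2.23 -> 192.1.2.45, SPI 0x12345678, seq 1."""
    esp = struct.pack(">II", 0x12345678, 1) + bytes(16)   # placeholder ciphertext
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0, 0x4000, 64, 50, 0,
                     ipaddress.IPv4Address("192.1.2.23").packed,
                     ipaddress.IPv4Address("192.1.2.45").packed)
    frame = bytes(12) + b"\x08\x00" + ip + esp            # zero MACs, EtherType IPv4
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1
            + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
```

Running `tcpdump_esp_cmd("capture.pcap", esp_sas_in_pcap(sample_pcap()), "3des-cbc-hmac96", "0x" + "00" * 24)` yields an argv whose -E value is `0x12345678@192.1.2.45 3des-cbc-hmac96:0x00...00`; the destination address, not the sender, is what goes after the `@`.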