tcpdump mailing list archives

tcpdump -E decryption question


From: Torsten Krah <tkrah () fachschaft imn htwk-leipzig de>
Date: Tue, 1 Jul 2008 16:15:57 +0200

Hi, there's no "user" list, but I hope I can post here too.
Searching the archives I found this:

http://www.tcpdump.org/lists/workers/2003/09/msg00011.html

192.1.2.23 > 192.1.2.45: ESP(spi=0x12345678,seq=0x1): 192.0.2.1 > 192.0.1.1: 
icmp: echo request (DF) (ipip-proto-4)

This should be the output when tcpdump -E ... is used; however, I have not had
any success yet decrypting those packets.

I am using 3DES with HMAC-MD5, so the cipher to specify is 3des-cbc-hmac96,
right?
The "spi" which must be given is the one shown in the ESP packet
above, "0x12345678".
The "addr" - I hope the local tunnel gateway should be addressed here, or what
must addr be set to? I don't really know what has to be assigned here - let's use
192.1.2.23.
The key is my tunnel PSK in ASCII format, for example.

Are these "assumptions" correct, or is something wrong already?

tcpdump -t -n -E '0x12345678@192.1.2.23 3des-cbc-hmac96:mysecretasciikey' -r 
pcapile

This should result in some output like the one mentioned above; however, all I get is 
the "plain" ESP output (like without the -E option), nothing decrypted behind it and 
no error message or anything.
So I guess I am not using this option correctly.
Can anyone help me with how to make use of the -E parameter?

thx

regards Torsten




-- 
Please do not send me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.de.html

"Really, I'm not out to destroy Microsoft. That will just be a 
completely unintentional side effect."
        -- Linus Torvalds

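An added example, not part of the post above and not tcpdump's own code: a small parser and sanity checker for the -E argument, written against the format the tcpdump man page documents (`spi@ipaddr algo:secret`, comma-separated for several SAs, where `ipaddr` is the destination address of the ESP packets, `secret` is ASCII text or hex bytes when prefixed with `0x`, and a `-hmac96` suffix on the algorithm tells tcpdump to strip a 12-byte ICV from the end of the packet). The `lint` check compares a parsed entry against the SPI and destination address tcpdump printed for the ESP packet; the key-length comparison is this example's own sanity check and reflects the cipher's key size, not anything tcpdump enforces. The packet values and the -E string are taken from the post; the IPv4 address validation and the error messages are this example's design choices.

```python
"""Parse and sanity-check a tcpdump -E decryption spec (added example).

Format, per the tcpdump man page:
    spi@ipaddr algo:secret[,spi@ipaddr algo:secret ...]
  spi    - the SPI printed in "ESP(spi=0x...)", decimal or 0x-prefixed hex
  ipaddr - the *destination* address of the ESP packets to decrypt
  algo   - des-cbc | 3des-cbc | blowfish-cbc | rc3-cbc | cast128-cbc | none,
           optionally suffixed with -hmac96 (12-byte ICV at the packet end)
  secret - the ESP SA encryption key as ASCII text, or as hex when prefixed 0x
"""
import ipaddress
from dataclasses import dataclass

# Cipher key sizes in bytes; None = variable-length key (nothing fixed to check).
ALGO_KEY_LEN = {
    "des-cbc": 8,
    "3des-cbc": 24,
    "blowfish-cbc": None,
    "rc3-cbc": None,
    "cast128-cbc": None,
    "none": 0,
}


@dataclass
class EspKey:
    spi: int
    addr: str
    algo: str
    authlen: int  # bytes of ICV to strip before decrypting (12 for -hmac96)
    key: bytes


def parse_secret(secret: str) -> bytes:
    """ASCII secret, or raw bytes when written as 0x...."""
    if secret[:2].lower() == "0x":
        return bytes.fromhex(secret[2:])
    return secret.encode("ascii")


def parse_entry(entry: str) -> EspKey:
    """Parse one 'spi@ipaddr algo:secret' entry; raise ValueError if malformed."""
    parts = entry.strip().split(None, 1)
    if len(parts) != 2 or "@" not in parts[0] or ":" not in parts[1]:
        raise ValueError(f"expected 'spi@ipaddr algo:secret', got {entry!r}")
    spi_text, addr = parts[0].split("@", 1)
    algo, secret = parts[1].split(":", 1)
    spi = int(spi_text, 0)  # base 0 accepts both 0x12345678 and 305419896
    addr = str(ipaddress.ip_address(addr))  # rejects hostnames and garbage
    authlen = 0
    if algo.endswith("-hmac96"):
        authlen = 12
        algo = algo[: -len("-hmac96")]
    if algo not in ALGO_KEY_LEN:
        raise ValueError(f"unknown algorithm {algo!r}; known: {sorted(ALGO_KEY_LEN)}")
    return EspKey(spi, addr, algo, authlen, parse_secret(secret))


def parse_spec(spec: str) -> list:
    """Parse the full comma-separated -E argument into a list of EspKey."""
    return [parse_entry(e) for e in spec.split(",")]


def lint(key: EspKey, esp_dst: str, esp_spi: int) -> list:
    """Explain why a parsed key would not decrypt the ESP packet tcpdump printed.

    esp_dst / esp_spi come from the outer IP header and the ESP header in the
    capture, e.g. "192.1.2.45" and 0x12345678 from
    '192.1.2.23 > 192.1.2.45: ESP(spi=0x12345678,seq=0x1)'.
    """
    problems = []
    if key.spi != esp_spi:
        problems.append(f"SPI 0x{key.spi:x} does not match packet SPI 0x{esp_spi:x}")
    if key.addr != str(ipaddress.ip_address(esp_dst)):
        problems.append(
            f"-E address {key.addr} is not the ESP destination {esp_dst}; "
            "tcpdump selects the key by the packet's destination address"
        )
    want = ALGO_KEY_LEN[key.algo]
    if want is not None and len(key.key) != want:
        problems.append(f"{key.algo} needs a {want}-byte key, got {len(key.key)} bytes")
    return problems


if __name__ == "__main__":
    # Constructed input: the -E argument and packet values quoted in the post.
    spec = "0x12345678@192.1.2.23 3des-cbc-hmac96:mysecretasciikey"
    for k in parse_spec(spec):
        print(k)
        for p in lint(k, esp_dst="192.1.2.45", esp_spi=0x12345678):
            print("  problem:", p)
```

Two further checks worth making by hand: the secret must be the ESP SA's encryption key (on Linux, visible via `setkey -D` or `ip xfrm state`), which is derived during IKE and is not the IKE pre-shared key; and, per the man page, decryption only works when tcpdump was built with cryptography support, in which case an unusable key simply leaves the packet printed as undecrypted ESP with no error.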