Wireshark mailing list archives
Re: how can I see ESP packets
From: Sake Blok <sake () euronet nl>
Date: Wed, 28 Oct 2009 00:33:08 +0100
On Tue, Oct 27, 2009 at 02:16:16PM -0700, Dave Braucht wrote:
> I am troubleshooting an IPSec VPN pass-through issue on a firewall. I am using wireshark 1.2.1. I want to be able to see the ESP packets. I don't care to decrypt them. I just want to see them in the capture. I see ISAKMP, but not my ESP. Is there a setting that I need to enable to allow me to see the ESP packet (protocol 50)?

Wireshark should show packets with IP protocol 50 as ESP. What I think might be the issue is that nat-traversal might be used between the vpn endpoints. This means the ESP traffic is encapsulated either in TCP or UDP. Do you see other traffic between the endpoints that exchange the ISAKMP traffic? If so, use "decode as" to dissect the traffic as ESP. You can do this by decoding the TCP or UDP port to TCPENCAP or UDPENCAP. For example, I recently decoded UDP port 49000 as UDPENCAP to make the ESP traffic of a remote access VPN connection visible.

Hope this helps,
Cheers,
Sake
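
An added example, not part of the original post or of Wireshark: a way to find which UDP flows in a capture are worth trying with "decode as" UDPENCAP, assuming the RFC 3948 framing (a single 0xFF byte is a NAT keepalive, four zero bytes mark IKE, anything else starts with the ESP SPI and sequence number). The function names and the sample datagrams are constructed for illustration; only port 49000 comes from the post.

```python
import struct
from collections import defaultdict

def classify_udpencap(payload):
    """Demultiplex one UDP payload the way RFC 3948 does on a NAT-T port."""
    if payload == b"\xff":
        return ("nat-keepalive",)
    if payload[:4] == b"\x00\x00\x00\x00":
        return ("ike",)  # 4-byte non-ESP marker, IKE header follows
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return ("esp", spi, seq)
    return ("unknown",)

def likely_esp_flows(datagrams, min_packets=3):
    """Return (sport, dport, spi, count) for flows whose first 8 payload bytes
    behave like an ESP header: one constant SPI, strictly increasing sequence.
    A single packet proves nothing, since any payload can be read as SPI+seq."""
    seqs = defaultdict(list)
    for sport, dport, payload in datagrams:
        kind = classify_udpencap(payload)
        if kind[0] == "esp":
            seqs[(sport, dport, kind[1])].append(kind[2])
    return sorted(
        (sport, dport, spi, len(s))
        for (sport, dport, spi), s in seqs.items()
        if len(s) >= min_packets and all(a < b for a, b in zip(s, s[1:]))
    )

def _esp(spi, seq):
    # Constructed ESP-in-UDP payload; the 32 zero bytes stand in for ciphertext.
    return struct.pack("!II", spi, seq) + b"\x00" * 32

def _dns(txid):
    # Constructed DNS-like query header, used as ordinary non-VPN UDP traffic.
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)

# Constructed sample: (source port, destination port, UDP payload)
SAMPLE = [
    (4500, 4500, b"\x00" * 4 + b"\xaa" * 28),            # IKE behind non-ESP marker
    (51000, 49000, _esp(0x1A2B3C4D, 1)), (49000, 51000, _esp(0x99887766, 1)),
    (51000, 49000, b"\xff"),                              # NAT keepalive
    (51000, 49000, _esp(0x1A2B3C4D, 2)), (49000, 51000, _esp(0x99887766, 2)),
    (40000, 53, _dns(0x1234)), (40000, 53, _dns(0x8F01)), (40000, 53, _dns(0x0A77)),
    (51000, 49000, _esp(0x1A2B3C4D, 3)), (49000, 51000, _esp(0x99887766, 3)),
]

if __name__ == "__main__":
    for sport, dport, spi, count in likely_esp_flows(SAMPLE):
        print(f"udp {sport} -> {dport}: SPI 0x{spi:08x}, {count} packets")
```

Each direction of a tunnel has its own SPI, so a real VPN shows up as two flows between the same pair of ports.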