Re: isakmp packet on port 8500

[Evan Huus <eapache () gmail com>]

On Thu, May 8, 2014 at 7:16 PM, Perry Smith <pedzsan () gmail com> wrote:

> Hi,
>
> AIX sends its isakmp packet on port 8500 instead of 500.  Well... it sorta
> does both.
>
> In any case, if the packet is on port 500, wireshark marks the protocol as
> isakmp and decodes the payload.  If the packet is on port 8500, then the
> ethernet, IP, and UDP parts are decoded but not the isakmp part.  Is that
> because of the port number or is it because the packet is not really
> properly formatted?  I can't find a user config option that is set to 500.
>
> I found this:
>
> > # Set the port for IPSEC/ISAKMP messagesIf other than the default of
> 10000)
> > # A decimal number
> > # tcpencap.tcp.port: 10000
>
> but when I set that to 8500, it doesn't make a difference that I can see.
>
> I'm fighting two unknowns.  Are my isakmp packets bad and that is why
> wireshark is not formatting them or is it because they are on port 8500
> instead of 500?

Based on the code I'm guessing port number (it looks like ISAKMP is
hard-coded to 500) but you can find out by right-clicking on an undecoded
payload and using "Decode As..." to force the matter.

Evan


> Thank you,
> Perry Smith
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe