Ethereal-users: [Ethereal-users] ISAKMP Packets incorrectly decoded

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Brian Buesker <bbuesker@xxxxxxxxxxxx>
Date: Tue, 04 Nov 2003 12:57:10 -0800
In doing some testing of IKE daemons for Linux, I have run into the following problem. Occasionally, ethereal and tethereal will incorrectly decode an ISAKMP packet (Identity Protection Mode, Quick Mode, or Aggressive Mode). The protocol is correct. However, the information field says "UDP Encapsulated IPSec - NAT Keepalive". tcpdump does decode these packets correctly though.

The problem seems to occur more frequently when there are many ISAKMP packets being exchanged. When it does occur, it usually occurs for an entire phase 1 and phase 2 exchange for those source and destination addresses. Sometimes it will occur on subsequent exchanges.

I have attached a packet capture in which this problem occurs. The first six packets are Identity Protection Mode packets, and the last 6 are Quick Mode packets. These packets came from a larger capture of many more packets, some of which were decoded correctly and some of which were not. I can provide this capture if desired.

Ethereal version: 0.9.16
tcpdump and libpcap version: 0.7.2

Is there any way to work around this problem? Thanks.

Brian Buesker

Attachment: isakmpd-udp.pcap
Description: Binary data