Ethereal-users: Re: [Ethereal-users] Parsing protocols inside ESP packets?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Helen C. OBoyle" <hoboyle2003@xxxxxxxxx>
Date: Mon, 30 Aug 2004 13:55:21 -0700 (PDT)
Guy,
 
Thanks for the info.
 
Your point on my assuming why I have unencrypted packets in my Netmon capture files is quite valid.  I in fact have no idea why they are cleartext, as this is the first time I've had to capture and analyze IPSec traffic.  I just know what SMB looks like and know I see it inside the ESP data areas of a series of packets, both incoming and outgoing. ;-)  Yes, the packets were captured at one of the nodes that was participating in the transactions in question, so it could well be that the capture is just occurring at the "right" (from my point of view) place in the stack.  (If so, handy that.  I didn't expect it to get anything useful off the network at all.)
--
* Helen *

Guy Harris <gharris@xxxxxxxxx> wrote:
Helen C. OBoyle said:

> I have captured a bunch of ESP packets which contain SMB and other traffic
> via NetMon, which seems to have been nice enough to decrypt the packets
> for me, so that when I open the capture files in Ethereal, I see
> recognizable fields in the packets.

I assume you meant "when I open the capture files in NetMon".

They're not necessarily being decrypted by the NetMon application. Is the
ESP traffic being sent by or received by the machine running
NetMon? If so, perhaps the networking stack or the NetMon driver for
capturing is supplying outgoing packets before they're encrypted and
supplying incoming packets after they're decrypted (i.e., the decrypting
of incoming packets is being done by the OS's IPSec code, and outgoing
packets are being "captured" before being *en*crypted so no decryption is
necessary).

If so, then Ethereal would need an option of some sort to specify whether
ESP packets contain encrypted or non-encrypted payload, and...

> Has someone already implemented this?

...if somebody's implemented it, they haven't sent it in for inclusion in
Ethereal (nor has anybody contributed code to decrypt encrypted packets).


_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
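An added example (not code from this thread or from Ethereal) illustrating the two dissection modes Guy describes: with an encrypted payload only the SPI and sequence number are readable, while for a capture taken at the endpoint before encryption or after decryption the ESP trailer yields the next-header value that selects the inner protocol. The sample packet, the SMB port number and the cleartext heuristic are constructed assumptions.

```python
import struct

# ESP packet layout (RFC 4303): SPI(4) | sequence(4) | payload | padding |
# pad length(1) | next header(1) | optional ICV. Only the first 8 bytes are
# readable without the SA keys; the rest is parsed only when the capture was
# taken on the endpoint before encryption / after decryption.

def parse_esp(pkt, payload_encrypted=True, icv_len=0):
    """Dissect an ESP packet; trailer and inner data only if cleartext."""
    if len(pkt) < 8:
        raise ValueError("too short for an ESP header")
    spi, seq = struct.unpack("!II", pkt[:8])
    info = {"spi": spi, "seq": seq}
    if payload_encrypted:
        info["ciphertext"] = pkt[8:]   # opaque without the SA keys
        return info
    body = pkt[8:len(pkt) - icv_len] if icv_len else pkt[8:]
    if len(body) < 2:
        raise ValueError("no room for ESP trailer")
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 2:
        raise ValueError("pad length exceeds payload")
    padding = body[len(body) - 2 - pad_len:len(body) - 2]
    info.update(next_header=next_header, padding=padding,
                inner=body[:len(body) - 2 - pad_len])
    return info

def looks_cleartext(pkt, icv_len=0):
    """Heuristic (assumption): does the trailer look unencrypted?
    Default RFC 4303 padding is 1,2,3,...; ciphertext rarely matches."""
    try:
        info = parse_esp(pkt, payload_encrypted=False, icv_len=icv_len)
    except ValueError:
        return False
    if info["next_header"] not in (4, 6, 17, 41):  # IPv4, TCP, UDP, IPv6
        return False
    return info["padding"] == bytes(range(1, len(info["padding"]) + 1))

def tcp_ports(inner):
    """Source and destination port of a cleartext TCP segment."""
    return struct.unpack("!HH", inner[:4])

# Constructed sample: ESP carrying a cleartext TCP header to port 445 (SMB).
_TCP = struct.pack("!HHIIBBHHH", 1025, 445, 1000, 0, 5 << 4, 0x18, 8192, 0, 0)
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + _TCP + b"\x01\x02" + bytes([2, 6])
```

Calling `parse_esp(SAMPLE_ESP)` stops at SPI/sequence, whereas `parse_esp(SAMPLE_ESP, payload_encrypted=False)` exposes next header 6 (TCP) and the inner segment's ports.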

