Wireshark-bugs: [Wireshark-bugs] [Bug 3745] Support of non-96-bit ICVs for IPsec ESP

Date: Thu, 16 Jul 2009 01:44:07 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3745





--- Comment #1 from David Dahlberg <dahlberg@xxxxxxx>  2009-07-16 01:44:05 PDT ---
Created an attachment (id=3352)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3352)
Packet capture of ESP using HMAC-SHA-256-128

This is a packet capture of an IPsec session, using ESP NULL encryption and
HMAC-SHA-256-128 authentication (128 bit ICV).

With the stock version of Wireshark you won't be able to decode it, even if
NULL encryption is used. With my patch applied you are able do decode it (using
the "ANY 128-bit authentication" method or you may even check the signatures
using the following settings (as in .wireshark/preferences):

esp.sa_15: IPv4|10.8.200.22|10.8.21.11|0x025a5b95
esp.encryption_algorithm_15: NULL
esp.authentication_algorithm_15: HMAC-SHA-256-128 [RFC4868]
esp.authentication_key_15:
0x16472516a61786caf21bc0403cb7179eb7d4cfc14d5722db1970a4126d38d93d

esp.sa_16: IPv4|10.8.21.11|10.8.200.22|0x07304721
esp.encryption_algorithm_16: NULL
esp.authentication_algorithm_16: HMAC-SHA-256-128 [RFC4868]
esp.authentication_key_16:
x077d00dab1313ace6979cf4002fecaba5ec44a9979f123d56908366f40f7bdb2


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.