Wireshark-bugs: [Wireshark-bugs] [Bug 8925] New: Can't edit esp_sa file to decrypt ESP packets

Date: Thu, 11 Jul 2013 17:32:30 +0000
Bug ID 8925
Summary Can't edit esp_sa file to decrypt ESP packets
Classification Unclassified
Product Wireshark
Version 1.10.0
Hardware x86-64
OS Windows 7
Status UNCONFIRMED
Severity Normal
Priority Low
Component TShark
Assignee [email protected]
Reporter [email protected]

Build Information:
1.10.0 SVN Rev 46790 from /trunk-1.10
--
I decrypt a lot of ESP packets, each with a different set of keys.  It takes a
long time to go through the GUI and enter the IP addresses, SPI, encryption
keys, and authentication keys for each one.  So I'm trying to find a way to
automate adding those via scripts, but I haven't been able to find any way to
add them except through the GUI.  I tried editing the esp_sa file in
appdata/wireshark/ even though it says DO NOT MODIFY, but that didn't work.  I
figured I could just append the needed lines to that file.  I also tried a
tshark variation, thinking I could use the CLI to decrypt the packets and save
them again decrypted, which would really be the best scenario for me since then
I could share the captures without needing to send the keys.  As a rough start
I'm trying this:

#!/bin/bash
# Decrypt ESP in one capture with a single hard-coded SA.
# Usage: ./esp-decrypt.sh capture.pcap

FILTER='esp'
INFILE="$1"
[ -r "$INFILE" ] || { echo "usage: $0 <capture file>" >&2; exit 1; }

SRCIP1=163.158.22.91
DESIP1=192.171.5.130
SPI1="0x003cb4a5"
AK1="0x14eb37837d23363cb8190d90bca07ad804437f12"                   # 160-bit HMAC-SHA1 key
EK1="0x06ad1f96221ea9d023a5db61155e8e1dbf8068e682efbfda"           # 192-bit AES-CBC key

# -R is the read filter and needs two-pass analysis (-2) in 1.10; -Y would be
# the single-pass display filter.  Each -o value is quoted so the '|' field
# separators reach tshark literally instead of being parsed by the shell.
tshark -2 -R "$FILTER" -r "$INFILE" \
  -o esp.enable_null_encryption_decode_heuristic:true \
  -o esp.enable_authentication_check:true \
  -o esp.enable_encryption_decode:true \
  -o "esp.sa_1:IPV4|${SRCIP1}|${DESIP1}|${SPI1}" \
  -o esp.encryption_algorithm_1:AES-CBC \
  -o esp.authentication_algorithm_1:HMAC-SHA1 \
  -o "esp.encryption_key_1:${EK1}" \
  -o "esp.authentication_key_1:${AK1}"

But it complains here:
tshark: -o flag "esp.sa_1:IPV4|163.158.22.91|192.171.5.130|0x003cb4a5"
specifies unknown preference

Has Wireshark done away with being able to specify ESP SAs like this?

Thanks for any help on this issue.

-Jon
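A way to script the SA entry the report asks for, added here as an example and not code from the report or from the Wireshark project: a small Python generator that validates each SA and writes esp_sa records. It assumes (the report does not confirm this) that the esp_sa UAT file holds one record per line as eight double-quoted, comma-separated fields in the order protocol, source, destination, SPI, encryption algorithm, encryption key, authentication algorithm, authentication key; that '#' lines are comments; and that the algorithm labels must match the dissector's own strings such as "AES-CBC [RFC3602]" and "HMAC-SHA-1-96 [RFC2404]". Compare its output against a record the GUI itself wrote before relying on it. The first entry uses the values posted in the report; the second is constructed.

```python
"""Generate esp_sa records for Wireshark's ESP dissector from a list of SAs.

Added example; not from the bug report and not Wireshark's own code.
ASSUMPTIONS (verify against a record written by the GUI):
  - one record per line, eight double-quoted comma-separated fields:
    protocol, src, dst, SPI, enc algo, enc key, auth algo, auth key
  - '#' lines are comments; algorithm labels must match the dissector's
    own strings exactly; '*' is accepted as an address wildcard.
"""
import ipaddress
import re
import sys

ESP_SA_HEADER = "# This file is automatically generated, DO NOT MODIFY.\n"

# Algorithm label -> key sizes in bits it accepts (labels are assumed).
ENCRYPTION_ALGOS = {
    "NULL": (0,),
    "TripleDES-CBC [RFC2451]": (192,),
    "AES-CBC [RFC3602]": (128, 192, 256),
}
AUTHENTICATION_ALGOS = {
    "NULL": (0,),
    "HMAC-MD5-96 [RFC2403]": (128,),
    "HMAC-SHA-1-96 [RFC2404]": (160,),
}

HEX_RE = re.compile(r"^0x([0-9a-fA-F]+)$")


def key_bits(key):
    """Bit length of a '0x...' key; reject anything that is not whole hex bytes.

    A stray character or an odd digit count would otherwise just decrypt to
    garbage, which is hard to tell apart from a wrong key.
    """
    m = HEX_RE.match(key)
    if not m or len(m.group(1)) % 2:
        raise ValueError("key must be 0x plus an even number of hex digits: %r" % key)
    return len(m.group(1)) * 4


def uat_quote(value):
    """Quote one string field (assumed escaping: backslash before \\ and \")."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def esp_sa_record(src, dst, spi, enc_algo, enc_key, auth_algo, auth_key, proto="IPv4"):
    """Validate one SA and return it as a single esp_sa record line."""
    if proto not in ("IPv4", "IPv6", "Any"):
        raise ValueError("unknown protocol %r" % proto)
    for addr in (src, dst):
        if addr != "*":
            ipaddress.ip_address(addr)  # raises ValueError on a bad address
    if not HEX_RE.match(spi) or int(spi, 16) > 0xFFFFFFFF:
        raise ValueError("SPI must be a 32-bit hex value such as 0x003cb4a5: %r" % spi)
    for what, algo, table, key in (
        ("encryption", enc_algo, ENCRYPTION_ALGOS, enc_key),
        ("authentication", auth_algo, AUTHENTICATION_ALGOS, auth_key),
    ):
        if algo not in table:
            raise ValueError("unsupported %s algorithm %r" % (what, algo))
        bits = 0 if algo == "NULL" else key_bits(key)
        if bits not in table[algo]:
            raise ValueError("%s key is %d bits but %s takes %s" % (what, bits, algo, table[algo]))
    fields = (proto, src, dst, spi, enc_algo, enc_key, auth_algo, auth_key)
    return ",".join(uat_quote(f) for f in fields)


def esp_sa_file(sas):
    """Render a whole esp_sa file from dicts of esp_sa_record keyword arguments."""
    return ESP_SA_HEADER + "".join(esp_sa_record(**sa) + "\n" for sa in sas)


# First SA: the values posted in the report.  Second: constructed, to show
# a NULL-encryption entry and a file with more than one record.
SAMPLE_SAS = [
    dict(src="163.158.22.91", dst="192.171.5.130", spi="0x003cb4a5",
         enc_algo="AES-CBC [RFC3602]",
         enc_key="0x06ad1f96221ea9d023a5db61155e8e1dbf8068e682efbfda",
         auth_algo="HMAC-SHA-1-96 [RFC2404]",
         auth_key="0x14eb37837d23363cb8190d90bca07ad804437f12"),
    dict(src="192.171.5.130", dst="163.158.22.91", spi="0x0a1b2c3d",
         enc_algo="NULL", enc_key="",
         auth_algo="HMAC-SHA-1-96 [RFC2404]",
         auth_key="0x" + "ab" * 20),
]

if __name__ == "__main__":
    # python esp_sa_gen.py > esp_sa ; then copy it over the profile's esp_sa file
    sys.stdout.write(esp_sa_file(SAMPLE_SAS))
```

Run it while Wireshark is not open and copy the output over the profile's esp_sa file, since the GUI rewrites that file itself. The up-front checks reject a key that is not whole hex bytes or is the wrong size for the algorithm, which would otherwise only show up as undecodable output. Keep in mind that the file holds the keys in clear text, so the profile directory needs the same protection as the keys themselves.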
