Wireshark-dev: Re: [Wireshark-dev] decoding thru unencrypted VPN tunnel

From: Joerg Mayer <jmayer@xxxxxxxxx>
Date: Fri, 16 Mar 2007 14:34:43 +0100
On Fri, Mar 16, 2007 at 06:00:56AM -0700, Bill Fassler wrote:
> Ah, yes. I already have that documentation and the problem is I don't see how those 5 bytes relate to the document description. Like I said, the 5th byte is apparently a sequence number and increments by one each packet.  The first byte is always 0x30... etc... now if you can look at the 5 bytes I am seeing and help me map them to the protocol description then I would be very grateful, but I fail to see the correlation... 
> 
> Now you see my biggest problem. I am having trouble mapping what I see to the protocol description.

Well, from the ascii dump you sent and your comments I assume the
following:

The packet was sent via udp, that means the "Packet length" element is
not present (tcp only). Then we have the one byte
"Packet opcode/key_id", 0x30 = 00110 000 in binary. If we only look at
the high five bits (opcode), this is 6 aka P_DATA_V1. The next 4 bytes
(00 00 00 18) are "packet_id" in the 4-byte version.

So if you could send a complete trace (setup + some data) it shouldn't
be too hard to write a dissector for this. More sample traces (e.g. with
tcp encapsulation, encryption including the key) would allow even more.

Ciao
    Joerg
-- 
Joerg Mayer                                           <jmayer@xxxxxxxxx>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.