Wireshark-dev: [Wireshark-dev] wireshark too strict in ESP deciphering or something else goes o

From: Ariel Burbaickij <ariel.burbaickij@xxxxxxxxx>
Date: Fri, 30 May 2025 12:52:30 +0200
Sent previously to the community mailing list but got no response there, so resending it here.

Hello mailing list,

I set up the ESP deciphering/decoding preferences with the following relevant parameters in Wireshark 4.4.6:

 -- attempt to check ESP Authentication -- off
 -- attempt to detect/decode NULL encrypted ESP payload -- off

Then I entered ESP SAs with the relevant IPs, SPIs and deciphering key, leaving the authentication algorithm at NULL, and Wireshark did not decipher the ESP payload.
I then set the authentication algorithm to HMAC-SHA1-96 (RFC 2404), without an authentication key, and Wireshark did decipher as expected.

Question: why does Wireshark care so much about the authentication algorithm in this scenario? Shouldn't it just decipher with all the information available to it, or what is going on here, as in a "potential bug"?

Kind Regards

Ariel Burbaickij
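
An added illustration, not part of the original post and not Wireshark's code: in an ESP packet (RFC 4303) the length of the trailing ICV is not carried on the wire; it follows from the SA's authentication algorithm, so a decoder needs that setting to find where the ciphertext ends even when it does not verify the ICV. The sketch assumes AES-CBC as the cipher (the post does not name one) and uses a constructed packet whose "ciphertext" is a plain stand-in byte string.

```python
import hashlib
import hmac
import struct

# ICV length in bytes implied by the SA's authentication algorithm.
ICV_LEN = {"NULL": 0, "HMAC-SHA1-96": 12}  # RFC 2404 truncates to 96 bits
# (IV length, block size) per cipher; AES-CBC is an assumption for this example.
CIPHERS = {"AES-CBC": (16, 16), "3DES-CBC": (8, 8)}


def build_esp(spi, seq, iv, ciphertext, auth_key):
    """Constructed sample: SPI | sequence | IV | ciphertext | HMAC-SHA1-96 ICV."""
    body = struct.pack("!II", spi, seq) + iv + ciphertext
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:12]
    return body + icv


def split_esp(packet, cipher, auth):
    """Split an ESP packet using only what the SA configuration says."""
    iv_len, block = CIPHERS[cipher]
    icv_len = ICV_LEN[auth]
    spi, seq = struct.unpack("!II", packet[:8])
    end = len(packet) - icv_len          # ciphertext stops where the ICV starts
    ciphertext = packet[8 + iv_len:end]
    return {
        "spi": spi,
        "seq": seq,
        "iv": packet[8:8 + iv_len],
        "ciphertext": ciphertext,
        "icv": packet[end:],
        # CBC can only decrypt a non-empty whole number of blocks.
        "block_aligned": len(ciphertext) > 0 and len(ciphertext) % block == 0,
    }


# Constructed packet: 32 stand-in ciphertext bytes (two AES blocks), not real traffic.
SAMPLE = build_esp(0x1000, 1, bytes(16), bytes(range(32)), b"constructed-key")

if __name__ == "__main__":
    for auth in ("NULL", "HMAC-SHA1-96"):
        parts = split_esp(SAMPLE, "AES-CBC", auth)
        print(auth, len(parts["ciphertext"]), "ciphertext bytes,",
              "block aligned" if parts["block_aligned"] else "NOT block aligned")
```

With the authentication algorithm set to NULL, the 12 ICV bytes are counted as ciphertext and the payload is no longer a whole number of cipher blocks; with HMAC-SHA1-96 selected, the boundary is correct whether or not an authentication key is supplied.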