Wireshark-users: [Wireshark-users] Tshark fails with ESP decoding

From: Rene Mayrhofer <rene.mayrhofer@xxxxxxxxxxxx>
Date: Mon, 20 Jul 2009 19:57:46 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

[Please CC me in replies, I am not currently subscribed to this list.]

I am currently trying to decode ESP packets with tshark, passing the
current key material on the command line. My tshark version is the one
from Debian Lenny:

[root@gibraltar-500 ~]# tshark -v
TShark 1.0.2

Copyright 1998-2008 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.16.6, with libpcap 1.0.0, with libz 1.2.3.3, with POSIX
capabilities (Linux), with libpcre 7.6, without SMI, with ADNS, with Lua
5.1,
with GnuTLS 2.4.2, with Gcrypt 1.4.1, with MIT Kerberos.

Running on Linux 2.6.28.10, with libpcap version 1.0.0.

Built using gcc 4.3.2.

The command line looks roughly like this:

tshark -n -i ext1 -p esp or ah or (udp and (port 500 or port 4500)) -o
esp.enable_null_encryption_decode_heuristic:true -o
esp.enable_authentication_check:true -o
esp.enable_encryption_decode:true -o esp.sa_1:ipv4|*|*|0x866295c6 -o
esp.encryption_algorithm_1:AES-CBC -o
esp.authentication_algorithm_1:HMAC-SHA1 -o
esp.encryption_key_1:0x................ -o
esp.authentication_key_1:0x.......... -o esp.sa_2:ipv4|*|*|0xa1339dfd -o
esp.encryption_algorithm_2:AES-CBC -o
esp.authentication_algorithm_2:HMAC-SHA1  ...

with all keys taken from the output of "ip xfrm state" and a total of 12
SA definitions (keyed by strongswan).

However, the algorithms do not seem to be correctly set:

<ESP Preferences> Error in Encryption Algorithm 3DES-CBC : Bad Keylen
(got 128 Bits, need 192)
  0.000000 85.127.167.82 -> 80.120.3.125 ESP ESP (SPI=0x866295bf)

<ESP Preferences> Error in Encryption Algorithm 3DES-CBC : Bad Keylen
(got 128 Bits, need 192)
  0.085897 80.120.3.125 -> 85.127.167.82 ESP ESP (SPI=0xbc23ad88)

etc. Does anybody have an idea what I am doing wrong here?

PS: As soon as this problem is solved, I will be able to publish a
little Python script to read the required key material and execute
tshark appropriately, in a vague approximation of the KLIPS-style
debugging using ipsecX interfaces.

Any hints appreciated,
Rene
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpksBoACgkQq7SPDcPCS97/GQCfSykmXOtkuxEo7KCtOHU/aTJO
PdoAoO0MyU7e0C/eMqFIwZYRIFKN28Gj
=2PH2
-----END PGP SIGNATURE-----