Wireshark-users: [Wireshark-users] OpenBSD enc0 capture from tcpdump fails to decode

From: Brad Guillory <brad@xxxxxxxxx>
Date: Mon, 21 Sep 2009 21:38:23 -0600
I am trying to do some debugging on our VPN. We have a hub and spoke topology so it should be simple. Unfortunately my favorite protocol analyzer doesn't decode the packets.

On the hub (OpenBSD 4.3) I capture packets from enc0 using tcpdump (I don't know the version but according to the output file it is 2.4). tcpdump can decode the packets without trouble, but tshark (on my Mac) fails to decode. I have included the following:

- hexdump of capture file
- tcpdump decode of capture file
- tshark decode of capture file
- output from tshark -v

I will also try to attach my pcap file, but I don't know if the mailing list allows for attachments.

I am willing to try to write a decoder if that is what it takes, but I hope that there is an easier solution.

Thanks, BMG

# hexdump /tmp/esp2-cut.pcap
0000000 c3d4 a1b2 0002 0004 0000 0000 0000 0000
0000010 07d0 0000 000d 0000 b196 4ab5 8b1e 000d
0000020 016c 0000 016c 0000 0002 0000 3525 d7b0
0000030 0c00 0000 0045 6001 1eaf 0000 0436 85e5
0000040 46a6 49ad ac62 ba38 0045 4c01 d332 0040
0000050 063f 3f7e a8c0 4609 a8c0 02ff 0c17 19ce
0000060 0128 25df 9d58 74ef 1880 8481 478d 0000
0000070 0101 0a08 7a11 c858 710d 3805 0000 0100
0000080 c802 0000 2000 1800 0000 f303 0000 2d00
0000090 0f00 0019 0a00 6c65 8036 4a0f 875f 2c4d
00000a0 5825 02e3 59e7 1031 6024 a00b 107c 5810
00000b0 7817 b80b a07e fa7e 965d e371 0068 0000
00000c0 0001 0000 0300 008d 0008 0300 00f3 0000
00000d0 0138 130e 0000 0000 0000 0000 aa00 aaaa
00000e0 aaaa aaaa aaaa aaaa aaaa 8587 294f 40c3
00000f0 c25b 4299 6f26 9c14 3281 2494 c000 506a
0000100 0000 0000 0d00 ceae 0060 0000 0201 00c8
0000110 0000 0020 0018 0300 00f3 0000 002b 190f
0000120 0000 650a 366c 0f80 5f4a 0d97 2da8 6817
0000130 ee4d 12c8 0538 3ed0 0808 0b3c 05c8 3fdc
0000140 3f50 2e7d 38cb b4f1 0000 0100 0000 0000
0000150 8d03 0800 0000 f303 0000 3800 0e01 0013
0000160 0000 0000 0000 0000 aaaa aaaa aaaa aaaa
0000170 aaaa aaaa 87aa 8f81 c33b 896c 932a 93a4
0000180 91bb c536 9432 0324 3560 0028 0000 0000
0000190 d706 3067
0000194

# tcpdump -r /tmp/esp2-cut.pcap -X
tcpdump: WARNING: snaplen raised from 96 to 2000
23:37:42.887582 (authentic,confidential): SPI 0x2535b0d7: 192.168.9.70.5900 > 192.168.255.2.52761: P 671211301:671211581(280) ack 1486745460 win 33156 <nop,nop,timestamp 293230792 225510712> (DF) (encap)
  0000: 4500 0160 af1e 0000 3604 e585 a646 ad49  E..`¯...6.å.¦F I
  0010: 62ac 38ba 4500 014c 32d3 4000 3f06 7e3f  b¬8ºE..L2Ó@.?.~?
  0020: c0a8 0946 c0a8 ff02 170c ce19 2801 df25  À¨.FÀ¨ÿ...Î.(.ß%
  0030: 589d ef74 8018 8184 8d47 0000 0101 080a  X.ït.....G......
  0040: 117a 58c8 0d71 0538 0000 0001 02c8 0000  .zXÈ.q.8.....È..
  0050: 0020 0018 0000 03f3 0000 002d 000f 1900  . .....ó...-....
  0060: 000a 656c 3680 0f4a 5f87 4d2c 2558 e302  ..el6..J_.M,%Xã.
  0070: e759 3110 2460 0ba0 7c10 1058 1778 0bb8  çY1.$`. |..X.x.¸
  0080: 7ea0 7efa 5d96 71e3 6800 0000 0100 0000  ~ ~ú].qãh.......
  0090: 0003 8d00 0800 0003 f300 0000 3801 0e13  ........ó...8...
  00a0: 0000 0000 0000 0000 00aa aaaa aaaa aaaa  .........ªªªªªªª
  00b0: aaaa aaaa aaaa 8785 4f29 c340 5bc2 9942  ªªªªªª..O)Ã@[Â.B
  00c0: 266f 149c 8132 9424 00c0 6a50 0000 0000  &o...2.$.ÀjP....
  00d0: 000d aece 6000 0000 0102 c800 0000 2000  ..®Î`.....È... .
  00e0: 1800 0003 f300 0000 2b00 0f19 0000 0a65  ....ó...+......e
  00f0: 6c36 800f 4a5f 970d a82d 1768 4dee c812  l6..J_..¨-.hMîÈ.
  0100: 3805 d03e 0808 3c0b c805 dc3f 503f 7d2e  8.Ð>..<.È.Ü?P?}.
  0110: cb38 f1b4 0000 0001 0000 0000 038d 0008  Ë8ñ´............
  0120: 0000 03f3 0000 0038 010e 1300 0000 0000  ...ó...8........
  0130: 0000 0000 aaaa aaaa aaaa aaaa aaaa aaaa  ....ªªªªªªªªªªªª
  0140: aa87 818f 3bc3 6c89 2a93 a493 bb91 36c5  ª...;Ãl.*.¤.».6Å
  0150: 3294 2403 6035 2800 0000 0000 06d7 6730  2.$.`5(......×g0

# tshark -r ~/Desktop/esp2-cut.pcap -x

  1   0.000000              ->              UNKNOWN WTAP_ENCAP = 0

0000  02 00 00 00 25 35 b0 d7 00 0c 00 00 45 00 01 60   ....%5......E..`
0010  af 1e 00 00 36 04 e5 85 a6 46 ad 49 62 ac 38 ba   ....6....F.Ib.8.
0020  45 00 01 4c 32 d3 40 00 3f 06 7e 3f c0 a8 09 46   E..L2.@.?.~?...F
0030  c0 a8 ff 02 17 0c ce 19 28 01 df 25 58 9d ef 74   ........(..%X..t
0040  80 18 81 84 8d 47 00 00 01 01 08 0a 11 7a 58 c8   .....G.......zX.
0050  0d 71 05 38 00 00 00 01 02 c8 00 00 00 20 00 18   .q.8......... ..
0060  00 00 03 f3 00 00 00 2d 00 0f 19 00 00 0a 65 6c   .......-......el
0070  36 80 0f 4a 5f 87 4d 2c 25 58 e3 02 e7 59 31 10   6..J_.M,%X...Y1.
0080  24 60 0b a0 7c 10 10 58 17 78 0b b8 7e a0 7e fa   $`..|..X.x..~.~.
0090  5d 96 71 e3 68 00 00 00 01 00 00 00 00 03 8d 00   ].q.h...........
00a0  08 00 00 03 f3 00 00 00 38 01 0e 13 00 00 00 00   ........8.......
00b0  00 00 00 00 00 aa aa aa aa aa aa aa aa aa aa aa   ................
00c0  aa aa 87 85 4f 29 c3 40 5b c2 99 42 26 6f 14 9c   ....O).@[..B&o..
00d0  81 32 94 24 00 c0 6a 50 00 00 00 00 00 0d ae ce   .2.$..jP........
00e0  60 00 00 00 01 02 c8 00 00 00 20 00 18 00 00 03   `......... .....
00f0  f3 00 00 00 2b 00 0f 19 00 00 0a 65 6c 36 80 0f   ....+......el6..
0100  4a 5f 97 0d a8 2d 17 68 4d ee c8 12 38 05 d0 3e   J_...-.hM...8..>
0110  08 08 3c 0b c8 05 dc 3f 50 3f 7d 2e cb 38 f1 b4   ..<....?P?}..8..
0120  00 00 00 01 00 00 00 00 03 8d 00 08 00 00 03 f3   ................
0130  00 00 00 38 01 0e 13 00 00 00 00 00 00 00 00 00   ...8............
0140  aa aa aa aa aa aa aa aa aa aa aa aa aa 87 81 8f   ................
0150  3b c3 6c 89 2a 93 a4 93 bb 91 36 c5 32 94 24 03   ;.l.*.....6.2.$.
0160  60 35 28 00 00 00 00 00 06 d7 67 30               `5(.......g0

# tshark -v

TShark 1.2.2 (SVN Rev 29910)

Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.16.3, with libpcap 0.9.5, with libz 1.2.3, without POSIX capabilities, with libpcre 7.8, with SMI 0.4.8, with c-ares 1.5.3, with Lua 5.1,
with GnuTLS 2.6.2, with Gcrypt 1.4.3, with MIT Kerberos, without GeoIP.

Running on Darwin 9.8.0 (MacOS 10.5.8), with libpcap version 0.9.5, GnuTLS
2.6.2, Gcrypt 1.4.3.

Built using gcc 4.0.1 (Apple Inc. build 5488).


#####

Note: I tried a development version also but it pukes even worse:

  1   0.000000              ->              UNKNOWN WTAP_ENCAP = 0
**
** ERROR:(print.c:790):print_hex_data: assertion failed: (edt->pi.data_src)
Abort trap

--

TShark 1.3.0 (SVN Rev 29912 from /trunk)

Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.16.3, with libpcap 0.9.5, with libz 1.2.3, without POSIX capabilities, with libpcre 7.8, with SMI 0.4.8, with c-ares 1.5.3, with Lua 5.1, without Python, with GnuTLS 2.6.2, with Gcrypt 1.4.3, with MIT Kerberos, without
GeoIP.

Running on Darwin 9.8.0 (MacOS 10.5.8), with libpcap version 0.9.5, GnuTLS
2.6.2, Gcrypt 1.4.3.

Built using gcc 4.0.1 (Apple Inc. build 5488).

Attachment: esp2-cut.pcap
Description: Binary data
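As an added example (not code from the post, from OpenBSD's tcpdump or from Wireshark), the Python below reads the pcap global header, checks for the link-type value 13 that the hexdump above carries at offset 0x14 (OpenBSD's local DLT_ENC, whereas libpcap's portable LINKTYPE_ENC is 109, so this tshark reports UNKNOWN WTAP_ENCAP), and decodes the 12-byte enc header followed by the tunnelled IPv4 headers. The sample bytes are constructed from the first 96 bytes of the capture shown above with the record's caplen rewritten to 56 because the payload is cut off; the M_CONF/M_AUTH bit values are assumed from OpenBSD's mbuf flags.

```python
import struct

OPENBSD_DLT_ENC = 13              # OpenBSD's local DLT_ENC; libpcap's portable LINKTYPE_ENC is 109
M_CONF, M_AUTH = 0x0400, 0x0800   # OpenBSD mbuf flags copied into the enc header (assumed values)

# Constructed sample: the first 96 bytes of esp2-cut.pcap as shown in the hexdump above
# (global header, record header, enc header, outer + inner IPv4 headers, TCP ports),
# with the record's caplen lowered to 56 because the rest of the payload is omitted.
SAMPLE = bytes.fromhex(
    "d4c3b2a1 02000400 00000000 00000000 d0070000 0d000000"  # pcap header, linktype 13
    "96b1b54a 1e8b0d00 38000000 6c010000"                     # ts, caplen=56, len=364
    "02000000 2535b0d7 000c0000"                              # enc: af, spi, flags
    "45000160 af1e0000 3604e585 a646ad49 62ac38ba"            # outer IPv4, proto 4
    "4500014c 32d34000 3f067e3f c0a80946 c0a8ff02"            # inner IPv4, proto 6
    "170cce19")                                               # TCP sport, dport

def ipv4(buf):
    """Decode one IPv4 header and recurse through IP-in-IP (protocol 4)."""
    ihl = (buf[0] & 0x0F) * 4
    tlen, proto = struct.unpack(">H", buf[2:4])[0], buf[9]
    hdr = {"src": ".".join(map(str, buf[12:16])), "dst": ".".join(map(str, buf[16:20])),
           "proto": proto, "len": tlen}
    if proto == 4:                                   # IP-in-IP: the tunnel's inner packet
        hdr["inner"] = ipv4(buf[ihl:])
    elif proto == 6 and len(buf) >= ihl + 4:         # TCP: just the port pair
        hdr["sport"], hdr["dport"] = struct.unpack(">HH", buf[ihl:ihl + 4])
    return hdr

def parse_enc_pcap(data):
    """Return the first record of an OpenBSD enc0 capture as nested dicts."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[data[:4]]
    major, minor, _zone, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    if linktype != OPENBSD_DLT_ENC:
        raise ValueError(f"link type {linktype} is not OpenBSD DLT_ENC")
    ts_sec, ts_usec, caplen, _origlen = struct.unpack(end + "IIII", data[24:40])
    pkt = data[40:40 + caplen]
    # enc header: af and flags are in the capturing host's byte order (taken to be the
    # file's byte order, assuming the file was written on that host); SPI is network order.
    af = struct.unpack(end + "I", pkt[0:4])[0]
    spi = struct.unpack(">I", pkt[4:8])[0]
    flags = struct.unpack(end + "I", pkt[8:12])[0]
    props = [n for bit, n in ((M_AUTH, "authentic"), (M_CONF, "confidential")) if flags & bit]
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype,
            "ts": (ts_sec, ts_usec), "af": af, "spi": spi, "props": props,
            "ip": ipv4(pkt[12:])}
```

The result reproduces tcpdump's summary line above: SPI 0x2535b0d7, authentic and confidential, 192.168.9.70.5900 > 192.168.255.2.52761 inside an IP-in-IP (encap) outer header.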