Wireshark-users: Re: [Wireshark-users] isakmp packet on port 8500

From: Perry Smith <pedzsan@xxxxxxxxx>
Date: Thu, 8 May 2014 18:31:04 -0500
On May 8, 2014, at 6:25 PM, Evan Huus <eapache@xxxxxxxxx> wrote:

> On Thu, May 8, 2014 at 7:16 PM, Perry Smith <pedzsan@xxxxxxxxx> wrote:
> > Hi,
> >
> > AIX sends its isakmp packet on port 8500 instead of 500.  Well... it sorta does both.
> >
> > In any case, if the packet is on port 500, wireshark marks the protocol as isakmp and decodes the payload.  If the packet is on port 8500, then the ethernet, IP, and UDP parts are decoded but not the isakmp part.  Is that because of the port number or is it because the packet is not really properly formatted?  I can't find a user config option that is set to 500.
> >
> > I found this:
> >
> > > # Set the port for IPSEC/ISAKMP messages If other than the default of 10000)
> > > # A decimal number
> > > # tcpencap.tcp.port: 10000
> >
> > but when I set that to 8500, it doesn't make a difference that I can see.
> >
> > I'm fighting two unknowns.  Are my isakmp packets bad and that is why wireshark is not formatting them or is it because they are on port 8500 instead of 500?
>
> Based on the code I'm guessing port number (it looks like ISAKMP is hard-coded to 500) but you can find out by right-clicking on an undecoded payload and using "Decode As..." to force the matter.

Excellent.  That was the hint I needed.  (I'm somewhat of a novice at Wireshark)

Thank you very much
Perry

>
> Evan
>
> > Thank you,
> > Perry Smith
> >
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
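Evan's "port or format" distinction can be settled on the bytes themselves. The parser below is an added example, not code from this thread or from Wireshark: it reads the fixed 28-byte ISAKMP header of a UDP payload and reports anything malformed, using two constructed sample packets (an IKEv1 Main Mode header with a consistent length, and the same header with a bad length field).

```python
import struct

# Fixed ISAKMP/IKE header (RFC 2408 sec. 3.1, RFC 7296 sec. 3.1), 28 bytes:
# initiator SPI (8) | responder SPI (8) | next payload (1) | version (1)
# | exchange type (1) | flags (1) | message ID (4) | length (4)
ISAKMP_HDR_LEN = 28
HDR_FMT = "!8s8sBBBBII"

# Exchange types a plausible header should carry (IKEv1 and IKEv2)
EXCHANGE_TYPES = {
    2: "IKEv1 Identity Protection (Main Mode)", 4: "IKEv1 Aggressive",
    5: "IKEv1 Informational", 32: "IKEv1 Quick Mode",
    34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL",
}


def check_isakmp(payload: bytes) -> dict:
    """Parse the ISAKMP header of a UDP payload; an empty 'problems' list means it looks well-formed."""
    if len(payload) < ISAKMP_HDR_LEN:
        return {"problems": [f"payload is {len(payload)} bytes, header needs {ISAKMP_HDR_LEN}"]}
    ispi, _rspi, nxt, ver, exch, flags, msg_id, length = struct.unpack(HDR_FMT, payload[:ISAKMP_HDR_LEN])
    major, minor = ver >> 4, ver & 0x0F
    problems = []
    if major not in (1, 2):
        problems.append(f"major version {major} is neither IKEv1 nor IKEv2")
    if exch not in EXCHANGE_TYPES:
        problems.append(f"unknown exchange type {exch}")
    if length != len(payload):  # the length field covers the whole ISAKMP message
        problems.append(f"header length {length} != UDP payload length {len(payload)}")
    if ispi == bytes(8):  # the initiator always picks a non-zero SPI/cookie
        problems.append("initiator SPI is all zero")
    return {"version": f"{major}.{minor}", "exchange": EXCHANGE_TYPES.get(exch, "unknown"),
            "next_payload": nxt, "flags": flags, "message_id": msg_id,
            "length": length, "problems": problems}


# Constructed sample: IKEv1 Main Mode first message, SA payload next, 20 dummy body bytes
SAMPLE_OK = struct.pack(HDR_FMT, b"\x11" * 8, bytes(8), 1, 0x10, 2, 0, 0, 48) + bytes(20)
# Constructed sample: same header, but the length field disagrees with the actual payload size
SAMPLE_BAD_LEN = struct.pack(HDR_FMT, b"\x11" * 8, bytes(8), 1, 0x10, 2, 0, 0, 100) + bytes(20)

if __name__ == "__main__":
    for name, pkt in (("ok", SAMPLE_OK), ("bad_len", SAMPLE_BAD_LEN)):
        print(name, check_isakmp(pkt))
```

If the header checks out, the dissector is skipping the packet only because of the port; on the command line, tshark's `-d udp.port==8500,isakmp` option applies the same "Decode As" mapping that Evan describes.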