tcpdump and esp packets
Hi all,
I guess it's OT, again.. but I need it quite quickly...
... I need to capture and decrypt ESP packets to see what's in them... anybody an idea?
I already have downloaded and installed the latest libcrypt (openssl),
the latest tcpdump (I had to change the "configure" file to get "des_cbc_encrypt" implemented) and the latest libpcap...
Now, I tried the following:
tcpdump -i eth0 -w dump.cap -n -vv -E des-cbc:shared-secret ip proto 50 or ip proto 51 or udp port 500 or udp port 4500
I see all the ESP packets but I can't see if it's just a ping, or anything else...
I also tried:
tcpdump -i eth0 -w dump-cap -n -vv -E des-cbc:shared-secret esp host IPADDRESSOFTHEREMOTE-SECURED-HOST
but didn't work at all...
any ideas?
Many thanks, Alex
Hi,
nobody an idea?
I really need it.. I tried the syntax mentioned at the manual page but I don't see decrypted ESP packets at all..
Usually, it should work with:
tcpdump -w dump.log -vv -E des:sharedsecret esp host <dsthost>
But all I get is:
tcpdump: 'esp' modifier applied to host
-Alex
bleonhardt@analytek.de wrote on 29.07.2004 14:25:12:
Hi all,
I guess it's OT, again.. but I need it quite quickly...
... I need to capture and decrypt esp packets to see, what's in ... anybody an idea ?
I already have downloaded and installed the latest libcrypt ( openssl ),
the latest tcpdump (I had to change the "configure" file to get "des_cbc_encrypt" implemented) and the latest libpcap...
Now, I tried the following:
tcpdump -i eth0 -w dump.cap -n -vv -E des-cbc:shared-secret ip proto 50 or ip proto 51 or udp port 500 or udp port 4500
I see all the ESP packets but I can't see, if it's just a ping, or anything else...
I also tried :
tcpdump -i eth0 -w dump-cap -n -vv -E des-cbc:shared-secret esp host IPADDRESSOFTHEREMOTE-SECURED-HOST
but didn't work at all...
any ideas ?
Many thanks, Alex
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
try 'esp and host <dsthost>'
--
Jim Clausing
GCFA, GCIA, CISSP, CCSA
On or about Fri, 30 Jul 2004, bleonhardt@analytek.de pontificated thusly:
Hi,
nobody an idea?
I really need it.. I tried the syntax mentioned at the manual page but I don't see decrypted ESP packets at all..
Usually, it should work with:
tcpdump -w dump.log -vv -E des:sharedsecret esp host <dsthost>
But all I get is :
tcpdump: 'esp' modifier applied to host
-Alex
bleonhardt@analytek.de wrote on 29.07.2004 14:25:12:
Hi all,
I guess it's OT, again.. but I need it quite quickly...
... I need to capture and decrypt esp packets to see, what's in ... anybody an idea ?
I already have downloaded and installed the latest libcrypt ( openssl ),
the latest tcpdump (I had to change the "configure" file to get "des_cbc_encrypt" implemented) and the latest libpcap...
Now, I tried the following:
tcpdump -i eth0 -w dump.cap -n -vv -E des-cbc:shared-secret ip proto 50 or ip proto 51 or udp port 500 or udp port 4500
I see all the ESP packets but I can't see, if it's just a ping, or anything else...
I also tried :
tcpdump -i eth0 -w dump-cap -n -vv -E des-cbc:shared-secret esp host IPADDRESSOFTHEREMOTE-SECURED-HOST
but didn't work at all...
any ideas ?
Many thanks, Alex
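An added example, not code from the thread or from tcpdump: a small Python script that classifies IPv4 packets by the same rule as the filter posted above (`ip proto 50 or ip proto 51 or udp port 500 or udp port 4500`) and reads the fields tcpdump can show without a key. All packets, addresses and SPI values are constructed test data. It makes the thread's observation concrete: for ESP only the SPI and sequence number are in the clear, the next-header byte that would say "ICMP" sits inside the encrypted trailer, so a capture cannot tell a ping from anything else until it is decrypted, while AH leaves the next header readable.

```python
import struct

# Protocol numbers and ports from the filter posted in the thread
IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51
UDP_PORT_IKE = 500
UDP_PORT_NATT = 4500


def parse_ipv4(pkt):
    """Return protocol, addresses and payload of a minimal IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total, _ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    return {"proto": proto, "src": ".".join(map(str, src)),
            "dst": ".".join(map(str, dst)), "payload": pkt[ihl:]}


def parse_esp(data):
    """ESP (RFC 2406): 4-byte SPI, 4-byte sequence number, then ciphertext.
    Without the key only SPI and sequence are readable; the inner next-header
    field is inside the encrypted trailer, so the inner protocol is unknown."""
    if len(data) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", data[:8])
    return {"spi": spi, "seq": seq, "ciphertext_len": len(data) - 8}


def parse_ah(data):
    """AH (RFC 2402): next header, payload length, reserved, SPI, sequence, ICV.
    AH authenticates but does not encrypt, so the next header is in the clear."""
    if len(data) < 12:
        raise ValueError("truncated AH header")
    next_hdr, payload_len, _rsv, spi, seq = struct.unpack("!BBHII", data[:12])
    ah_len = (payload_len + 2) * 4      # payload_len is in 32-bit words minus 2
    return {"next_header": next_hdr, "spi": spi, "seq": seq, "icv_len": ah_len - 12}


def parse_udp(data):
    """Minimal UDP header: ports, length, checksum (not verified here)."""
    if len(data) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _csum = struct.unpack("!HHHH", data[:8])
    return {"sport": sport, "dport": dport, "payload": data[8:length]}


def classify(pkt):
    """Select and label a packet the way the thread's filter would:
    ip proto 50 or ip proto 51 or udp port 500 or udp port 4500."""
    ip = parse_ipv4(pkt)
    out = {"src": ip["src"], "dst": ip["dst"], "matched": False}
    if ip["proto"] == IPPROTO_ESP:
        out.update(kind="ESP", matched=True, **parse_esp(ip["payload"]))
    elif ip["proto"] == IPPROTO_AH:
        out.update(kind="AH", matched=True, **parse_ah(ip["payload"]))
    elif ip["proto"] == IPPROTO_UDP:
        udp = parse_udp(ip["payload"])
        if UDP_PORT_IKE in (udp["sport"], udp["dport"]):
            out.update(kind="IKE", matched=True)
        elif UDP_PORT_NATT in (udp["sport"], udp["dport"]):
            # RFC 3948: a zero "non-ESP marker" means IKE; otherwise the
            # 4 bytes are an ESP SPI (an SPI is never zero).
            body = udp["payload"]
            if body[:4] == b"\x00\x00\x00\x00":
                out.update(kind="IKE (NAT-T, non-ESP marker)", matched=True)
            else:
                out.update(kind="ESP (UDP-encapsulated)", matched=True, **parse_esp(body))
        else:
            out.update(kind="UDP")
    else:
        out.update(kind="ip proto %d" % ip["proto"])
    return out


def _ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Build a constructed IPv4 packet (checksum left zero; test data only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed sample traffic; SPI values and addresses are made up.
SAMPLES = {
    "esp": _ipv4(IPPROTO_ESP, struct.pack("!II", 0x1234ABCD, 7) + bytes(24)),
    "ah": _ipv4(IPPROTO_AH, struct.pack("!BBHII", 1, 4, 0, 0x00C0FFEE, 3) + bytes(12)),
    "natt_esp": _ipv4(IPPROTO_UDP, _udp(4500, 4500, struct.pack("!II", 0xDEADBEEF, 9) + bytes(16))),
    "natt_ike": _ipv4(IPPROTO_UDP, _udp(4500, 4500, bytes(4) + bytes(28))),
    "ike": _ipv4(IPPROTO_UDP, _udp(500, 500, bytes(28))),
    "dns": _ipv4(IPPROTO_UDP, _udp(53000, 53, bytes(12))),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```

Running it prints one line per sample; the ESP entries carry only SPI, sequence and a ciphertext length, the AH entry shows `next_header: 1` (ICMP) because AH does not encrypt. The decryption itself stays tcpdump's job, with two caveats a practitioner would want: `-E` is applied when packets are printed, not when they are saved, so a file written with `-w` still holds ciphertext and has to be read back with `tcpdump -r dump.cap -E des-cbc:shared-secret` to see the inner protocol; and, as the reply says, `esp` and `host` are separate filter primitives and must be joined with `and`.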