Posted by H. Steuer on August 4, 2008, 3:00 pm
hi guys,
is there any way to capture traffic that is encapsulated into esp?
that somehow means to look "inside" of the esp packet. when capturing
the traffic on the outside interface, i can only see the encapsulated
traffic by default.
as far as i know, ipsec traffic passes 2 times through the ACL ruleset
of the outside interface, one time encapsulated, one time decapsulated.
i hoped that when the packets pass the interface for the second time
(decrypted) I will be able to capture it but that does not seem to be
the case.
is there a way to capture traffic which leaves the traffic inside of an
ipsec tunnel? unfortunately google was not my friend for that question.
thanks a lot for your help,
/Heri
Posted by News Reader on August 4, 2008, 8:03 pm
H. Steuer wrote:
> hi guys,
>
> is there any way to capture traffic that is encapsulated into esp?
> that somehow means to look "inside" of the esp packet. when capturing
> the traffic on the outside interface, i can only see the encapsulated
> traffic by default.
>
> as far as i know, ipsec traffic passes 2 times through the ACL ruleset
> of the outside interface, one time encapsulated, one time decapsulated.
>
> i hoped that when the packets pass the interface for the second time
> (decrypted) I will be able to capture it but that does not seem to be
> the case.
>
> is there a way to capture traffic which leaves the traffic inside of an
> ipsec tunnel? unfortunately google was not my friend for that question.
>
>
> thanks a lot for your help,
> /Heri
I believe Wireshark can decrypt ESP packets if you provide it with the keys.
Navigate as follows:
Edit menu | Preferences | Protocols | ESP | etc.
Check with the Wireshark forum if you need support.
Best Regards,
News Reader
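
Added example, not part of either post: a Python sketch of what a capture on the outside interface exposes without keys, namely the addresses, SPI and sequence number that identify which security association (and so which keys) a packet belongs to. It also covers UDP-encapsulated ESP on port 4500 (RFC 3948), which the thread does not mention; the function name, helper and sample packets are constructed for illustration.

```python
import socket
import struct

ESP_PROTO, UDP_PROTO, NATT_PORT = 50, 17, 4500

def esp_cleartext_fields(ip_packet):
    """Return the ESP fields readable without keys, or None if not ESP."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto, payload = ip_packet[9], ip_packet[ihl:]
    natt = False
    if proto == UDP_PROTO and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if NATT_PORT not in (sport, dport):
            return None
        payload = payload[8:]                # skip the UDP header
        # RFC 3948: four zero bytes mark IKE, a lone 0xFF is a keepalive
        if payload[:4] == b"\x00" * 4 or payload == b"\xff":
            return None
        natt = True
    elif proto != ESP_PROTO:
        return None
    if len(payload) < 8:
        return None
    spi, seq = struct.unpack("!II", payload[:8])
    return {"src": socket.inet_ntoa(ip_packet[12:16]),
            "dst": socket.inet_ntoa(ip_packet[16:20]),
            "spi": f"0x{spi:08x}", "seq": seq, "nat_t": natt,
            "opaque_len": len(payload) - 8}  # IV + ciphertext + ICV

def _ipv4(proto, payload, src="192.0.2.1", dst="198.51.100.2"):
    # Constructed 20-byte header for the samples; checksum left at zero
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + payload

# Constructed sample packets (documentation addresses, zero-filled bodies)
SAMPLE_ESP = _ipv4(50, struct.pack("!II", 0xC0FFEE01, 7) + bytes(32))
SAMPLE_NATT = _ipv4(17, struct.pack("!HHHH", 4500, 4500, 48, 0)
                    + struct.pack("!II", 0xC0FFEE02, 1) + bytes(32))
SAMPLE_IKE = _ipv4(17, struct.pack("!HHHH", 4500, 4500, 40, 0) + bytes(32))

if __name__ == "__main__":
    for pkt in (SAMPLE_ESP, SAMPLE_NATT, SAMPLE_IKE):
        print(esp_cleartext_fields(pkt))
```

Everything counted in `opaque_len` stays unreadable in the capture until the matching SA's keys are supplied to the decoder.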