At 04:00 PM 8/30/2004, Helen C. OBoyle wrote:
>I have captured a bunch of ESP packets which contain SMB and other traffic via NetMon, which seems to have been nice enough to decrypt the packets for me, so that when I open the capture files in Ethereal, I see recognizable fields in the packets.
>
>I'd like to do my perusal in Ethereal due to its nice display of protocol packet fields, but Ethereal sees ESP and writes the interesting stuff off as "Data", even though it REALLY contains other packets which could be parsed if Ethereal would look inside the Data area and interpret what it sees.
>
>Has someone already implemented this? Will Ethereal already do this if I just know the right menu option to select?
If Netmon is capable of this, I'm sure NSA would like to know (not that they need any help).
Netmon is seeing the packets *after* IPSec shim decrypted the packet. For example, if you used Ethereal to use the VPN adapter as the "capture" adapter, you would see the same info.
If you *are* seeing clear text inside the ESP packet, your IPSec is wholly broken.
hsb
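A quick way to tell the two situations in this thread apart (a capture taken above the IPsec shim, where the ESP payload is already plaintext, versus a capture from the wire, where it is ciphertext) is to parse the 8-byte ESP header and measure the entropy of what follows. The script below is an added example, not code from this thread or from Ethereal/NetMon; the SPI, sequence numbers and both packet payloads are constructed, and the 6 bits/byte threshold is an assumed heuristic.

```python
import math
import struct
import hashlib

ESP_HEADER_LEN = 8  # SPI (4 bytes) + sequence number (4 bytes), per RFC 4303

def parse_esp(packet: bytes):
    """Split an ESP packet into (spi, seq, payload). Everything after the
    header is returned as-is: on the wire it is ciphertext plus the ESP
    trailer and ICV, which cannot be separated without the SA's keys."""
    if len(packet) < ESP_HEADER_LEN:
        raise ValueError("too short for an ESP header")
    spi, seq = struct.unpack("!II", packet[:ESP_HEADER_LEN])
    return spi, seq, packet[ESP_HEADER_LEN:]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum for uniformly random bytes."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_cleartext(payload: bytes, threshold: float = 6.0) -> bool:
    """Heuristic (assumed threshold): properly encrypted ESP payloads sit
    near 8 bits/byte, while text-heavy protocol data such as SMB sits far
    lower. Short payloads are not judged."""
    return len(payload) >= 64 and shannon_entropy(payload) < threshold

def _pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for ciphertext so the demo is reproducible."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

# Constructed samples, not real captures. The first mimics what a host-side
# capture shows after the IPsec shim has decrypted: an SMB-like payload
# still wrapped in an ESP header. The second mimics the same SA on the wire.
CLEARTEXT_ESP = struct.pack("!II", 0x1000, 1) + b"\x00\x00\x00\x2f\xffSMB" \
    + b"NT LM 0.12 share listing " * 4
CIPHERTEXT_ESP = struct.pack("!II", 0x1000, 2) + _pseudo_random(256)

if __name__ == "__main__":
    for name, pkt in (("post-shim capture", CLEARTEXT_ESP),
                      ("wire capture", CIPHERTEXT_ESP)):
        spi, seq, payload = parse_esp(pkt)
        print(f"{name}: SPI={spi:#x} seq={seq} cleartext={looks_cleartext(payload)}")
```

If a capture taken from the physical wire (not the VPN adapter) flags as cleartext, that is the "wholly broken" case hsb describes, and the SA's cipher configuration needs checking.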