Wireshark-users: [Wireshark-users] OpenBSD enc0 capture from tcpdump fails to decode
From: Brad Guillory <brad@xxxxxxxxx>
Date: Mon, 21 Sep 2009 21:38:23 -0600
I am trying to do some debugging on our VPN. We have a hub and spoke
topology so it should be simple. Unfortunately my favorite protocol
analyzer doesn't decode the packets.
On the hub (OpenBSD 4.3) I capture packets from enc0 using tcpdump (I don't know the version but according to the output file it is 2.4). tcpdump can decode the packets without trouble, but tshark (on my Mac) fails to decode. I have included the following:
- hexdump of capture file
- tcpdump decode of capture file
- tshark decode of capture file
- output from tshark -v

I will also try to attach my pcap file; but I don't know if the mailing list allows for attachments.
I am willing to try to write a decoder if that is what it takes; but I hope that there is an easier solution.
Thanks, BMG

# hexdump /tmp/esp2-cut.pcap
0000000 c3d4 a1b2 0002 0004 0000 0000 0000 0000
0000010 07d0 0000 000d 0000 b196 4ab5 8b1e 000d
0000020 016c 0000 016c 0000 0002 0000 3525 d7b0
0000030 0c00 0000 0045 6001 1eaf 0000 0436 85e5
0000040 46a6 49ad ac62 ba38 0045 4c01 d332 0040
0000050 063f 3f7e a8c0 4609 a8c0 02ff 0c17 19ce
0000060 0128 25df 9d58 74ef 1880 8481 478d 0000
0000070 0101 0a08 7a11 c858 710d 3805 0000 0100
0000080 c802 0000 2000 1800 0000 f303 0000 2d00
0000090 0f00 0019 0a00 6c65 8036 4a0f 875f 2c4d
00000a0 5825 02e3 59e7 1031 6024 a00b 107c 5810
00000b0 7817 b80b a07e fa7e 965d e371 0068 0000
00000c0 0001 0000 0300 008d 0008 0300 00f3 0000
00000d0 0138 130e 0000 0000 0000 0000 aa00 aaaa
00000e0 aaaa aaaa aaaa aaaa aaaa 8587 294f 40c3
00000f0 c25b 4299 6f26 9c14 3281 2494 c000 506a
0000100 0000 0000 0d00 ceae 0060 0000 0201 00c8
0000110 0000 0020 0018 0300 00f3 0000 002b 190f
0000120 0000 650a 366c 0f80 5f4a 0d97 2da8 6817
0000130 ee4d 12c8 0538 3ed0 0808 0b3c 05c8 3fdc
0000140 3f50 2e7d 38cb b4f1 0000 0100 0000 0000
0000150 8d03 0800 0000 f303 0000 3800 0e01 0013
0000160 0000 0000 0000 0000 aaaa aaaa aaaa aaaa
0000170 aaaa aaaa 87aa 8f81 c33b 896c 932a 93a4
0000180 91bb c536 9432 0324 3560 0028 0000 0000
0000190 d706 3067
0000194

# tcpdump -r /tmp/esp2-cut.pcap -X
tcpdump: WARNING: snaplen raised from 96 to 2000
23:37:42.887582 (authentic,confidential): SPI 0x2535b0d7: 192.168.9.70.5900 > 192.168.255.2.52761: P 671211301:671211581(280) ack 1486745460 win 33156 <nop,nop,timestamp 293230792 225510712> (DF) (encap)
0000: 4500 0160 af1e 0000 3604 e585 a646 ad49  E..`¯...6.å.¦F I
0010: 62ac 38ba 4500 014c 32d3 4000 3f06 7e3f  b¬8ºE..L2Ó@.?.~?
0020: c0a8 0946 c0a8 ff02 170c ce19 2801 df25  À¨.FÀ¨ÿ...Î.(.ß%
0030: 589d ef74 8018 8184 8d47 0000 0101 080a  X.ït.....G......
0040: 117a 58c8 0d71 0538 0000 0001 02c8 0000  .zXÈ.q.8.....È..
0050: 0020 0018 0000 03f3 0000 002d 000f 1900  . .....ó...-....
0060: 000a 656c 3680 0f4a 5f87 4d2c 2558 e302  ..el6..J_.M,%Xã.
0070: e759 3110 2460 0ba0 7c10 1058 1778 0bb8  çY1.$`. |..X.x.¸
0080: 7ea0 7efa 5d96 71e3 6800 0000 0100 0000  ~ ~ú].qãh.......
0090: 0003 8d00 0800 0003 f300 0000 3801 0e13  ........ó...8...
00a0: 0000 0000 0000 0000 00aa aaaa aaaa aaaa  .........ªªªªªªª
00b0: aaaa aaaa aaaa 8785 4f29 c340 5bc2 9942  ªªªªªª..O)Ã@[Â.B
00c0: 266f 149c 8132 9424 00c0 6a50 0000 0000  &o...2.$.ÀjP....
00d0: 000d aece 6000 0000 0102 c800 0000 2000  ..®Î`.....È... .
00e0: 1800 0003 f300 0000 2b00 0f19 0000 0a65  ....ó...+......e
00f0: 6c36 800f 4a5f 970d a82d 1768 4dee c812  l6..J_..¨-.hMîÈ.
0100: 3805 d03e 0808 3c0b c805 dc3f 503f 7d2e  8.Ð>..<.È.Ü?P?}.
0110: cb38 f1b4 0000 0001 0000 0000 038d 0008  Ë8ñ´............
0120: 0000 03f3 0000 0038 010e 1300 0000 0000  ...ó...8........
0130: 0000 0000 aaaa aaaa aaaa aaaa aaaa aaaa  ....ªªªªªªªªªªªª
0140: aa87 818f 3bc3 6c89 2a93 a493 bb91 36c5  ª...;Ãl.*.¤.».6Å
0150: 3294 2403 6035 2800 0000 0000 06d7 6730  2.$.`5(......×g0

# tshark -r ~/Desktop/esp2-cut.pcap -x
  1 0.000000  ->  UNKNOWN WTAP_ENCAP = 0

0000  02 00 00 00 25 35 b0 d7 00 0c 00 00 45 00 01 60   ....%5......E..`
0010  af 1e 00 00 36 04 e5 85 a6 46 ad 49 62 ac 38 ba   ....6....F.Ib.8.
0020  45 00 01 4c 32 d3 40 00 3f 06 7e 3f c0 a8 09 46   E..L2.@.?.~?...F
0030  c0 a8 ff 02 17 0c ce 19 28 01 df 25 58 9d ef 74   ........(..%X..t
0040  80 18 81 84 8d 47 00 00 01 01 08 0a 11 7a 58 c8   .....G.......zX.
0050  0d 71 05 38 00 00 00 01 02 c8 00 00 00 20 00 18   .q.8......... ..
0060  00 00 03 f3 00 00 00 2d 00 0f 19 00 00 0a 65 6c   .......-......el
0070  36 80 0f 4a 5f 87 4d 2c 25 58 e3 02 e7 59 31 10   6..J_.M,%X...Y1.
0080  24 60 0b a0 7c 10 10 58 17 78 0b b8 7e a0 7e fa   $`..|..X.x..~.~.
0090  5d 96 71 e3 68 00 00 00 01 00 00 00 00 03 8d 00   ].q.h...........
00a0  08 00 00 03 f3 00 00 00 38 01 0e 13 00 00 00 00   ........8.......
00b0  00 00 00 00 00 aa aa aa aa aa aa aa aa aa aa aa   ................
00c0  aa aa 87 85 4f 29 c3 40 5b c2 99 42 26 6f 14 9c   ....O).@[..B&o..
00d0  81 32 94 24 00 c0 6a 50 00 00 00 00 00 0d ae ce   .2.$..jP........
00e0  60 00 00 00 01 02 c8 00 00 00 20 00 18 00 00 03   `......... .....
00f0  f3 00 00 00 2b 00 0f 19 00 00 0a 65 6c 36 80 0f   ....+......el6..
0100  4a 5f 97 0d a8 2d 17 68 4d ee c8 12 38 05 d0 3e   J_...-.hM...8..>
0110  08 08 3c 0b c8 05 dc 3f 50 3f 7d 2e cb 38 f1 b4   ..<....?P?}..8..
0120  00 00 00 01 00 00 00 00 03 8d 00 08 00 00 03 f3   ................
0130  00 00 00 38 01 0e 13 00 00 00 00 00 00 00 00 00   ...8............
0140  aa aa aa aa aa aa aa aa aa aa aa aa aa 87 81 8f   ................
0150  3b c3 6c 89 2a 93 a4 93 bb 91 36 c5 32 94 24 03   ;.l.*.....6.2.$.
0160  60 35 28 00 00 00 00 00 06 d7 67 30               `5(.......g0

# tshark -v
TShark 1.2.2 (SVN Rev 29910)
Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GLib 2.16.3, with libpcap 0.9.5, with libz 1.2.3, without POSIX
capabilities, with libpcre 7.8, with SMI 0.4.8, with c-ares 1.5.3, with Lua 5.1,
with GnuTLS 2.6.2, with Gcrypt 1.4.3, with MIT Kerberos, without GeoIP.
Running on Darwin 9.8.0 (MacOS 10.5.8), with libpcap version 0.9.5, GnuTLS
2.6.2, Gcrypt 1.4.3.
Built using gcc 4.0.1 (Apple Inc. build 5488).

##### Note: I tried a development version also but it pukes even worse:

  1 0.000000  ->  UNKNOWN WTAP_ENCAP = 0
**** ERROR:(print.c:790):print_hex_data: assertion failed: (edt->pi.data_src)
Abort trap
--
TShark 1.3.0 (SVN Rev 29912 from /trunk)
Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GLib 2.16.3, with libpcap 0.9.5, with libz 1.2.3, without POSIX
capabilities, with libpcre 7.8, with SMI 0.4.8, with c-ares 1.5.3, with Lua 5.1,
without Python, with GnuTLS 2.6.2, with Gcrypt 1.4.3, with MIT Kerberos, without
GeoIP.
Running on Darwin 9.8.0 (MacOS 10.5.8), with libpcap version 0.9.5, GnuTLS
2.6.2, Gcrypt 1.4.3.
Built using gcc 4.0.1 (Apple Inc. build 5488).
Attachment:
esp2-cut.pcap
Description: Binary data
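The capture in the post, walked header by header, as an added Python example (not code from the thread, from tcpdump or from Wireshark). It takes the first 96 bytes transcribed from the hexdump above (pcap global header, one record header, then the packet's own headers), reads the pcap link-type field, the 12-byte enc(4) header, the outer IPv4 header (protocol 4, IP-in-IP), the inner IPv4 header and the TCP ports. The link-type values (13 is OpenBSD's private DLT_ENC; 109 is LINKTYPE_ENC in the pcap registry), the enc(4) header layout (af, SPI, flags) and the M_CONF/M_AUTH flag bits are taken from the OpenBSD and tcpdump headers as I know them, not from the post, and the reading of why tshark reports WTAP_ENCAP = 0 is my interpretation rather than something the thread states.

```python
"""Walk the first record of the post's pcap: pcap -> enc(4) -> IPv4 -> IPv4 -> TCP."""
import struct
from ipaddress import IPv4Address

# OpenBSD's private DLT_ENC value, which its tcpdump wrote straight into the
# file header; libpcap writes the registry value LINKTYPE_ENC (109) instead.
OPENBSD_DLT_ENC = 13
LINKTYPE_ENC = 109

# enc(4) flag bits (OpenBSD M_CONF / M_AUTH); tcpdump prints them as
# "confidential" and "authentic".
M_CONF = 0x0400
M_AUTH = 0x0800

# First 96 bytes of the capture, transcribed from the post's hexdump (hexdump
# printed 16-bit little-endian words; this is the byte order on disk). The
# packet record is truncated here, so the parser reads headers only and does
# not check incl_len against the bytes present.
SAMPLE = bytes.fromhex(
    "d4c3b2a1020004000000000000000000"   # magic (LE), version 2.4, thiszone, sigfigs
    "d00700000d00000096b1b54a1e8b0d00"   # snaplen 2000, linktype 13, ts_sec, ts_usec
    "6c0100006c010000020000002535b0d7"   # incl_len, orig_len, enc af=2, enc SPI
    "000c000045000160af1e00003604e585"   # enc flags, outer IPv4 header ...
    "a646ad4962ac38ba4500014c32d34000"   # ... outer src/dst, inner IPv4 header ...
    "3f067e3fc0a80946c0a8ff02170cce19"   # ... inner src/dst, TCP ports
)


def parse_global_header(buf):
    """Byte order, version, snaplen and link type of a classic pcap global header."""
    if buf[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"          # written by a little-endian host
    elif buf[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", buf[4:24])
    return {"endian": endian, "version": (major, minor), "snaplen": snaplen, "linktype": linktype}


def linktype_note(linktype):
    """Why a pcap reader does or does not attach the enc(4) dissector to this value."""
    if linktype == LINKTYPE_ENC:
        return "109: LINKTYPE_ENC, the registry value for OpenBSD enc(4)"
    if linktype == OPENBSD_DLT_ENC:
        return "13: OpenBSD's private DLT_ENC, not a registry link type; reported as unknown encapsulation"
    return "%d: not handled by this example" % linktype


def parse_enc_header(pkt, endian):
    """12-byte enc(4) header: af and flags in host order, SPI in network order."""
    af, = struct.unpack(endian + "I", pkt[0:4])
    spi, = struct.unpack(">I", pkt[4:8])
    flags, = struct.unpack(endian + "I", pkt[8:12])
    return af, spi, flags


def parse_ipv4(data):
    """The IPv4 fields needed to walk the tunnel: IHL, total length, protocol, addresses."""
    ihl = (data[0] & 0x0F) * 4
    total_len, = struct.unpack(">H", data[2:4])
    return {"ihl": ihl, "total_len": total_len, "proto": data[9],
            "src": str(IPv4Address(data[12:16])), "dst": str(IPv4Address(data[16:20]))}


def walk_capture(buf):
    """Decode the first record down to the TCP ports; returns a dict of what was found."""
    gh = parse_global_header(buf)
    e = gh["endian"]
    _ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(e + "IIII", buf[24:40])
    pkt = buf[40:]
    af, spi, flags = parse_enc_header(pkt, e)
    result = {
        "linktype": gh["linktype"], "note": linktype_note(gh["linktype"]),
        "snaplen": gh["snaplen"], "ts_usec": ts_usec, "incl_len": incl_len,
        "af": af, "spi": spi,
        "confidential": bool(flags & M_CONF), "authentic": bool(flags & M_AUTH),
        "ip": [],
    }
    off = 12
    ip = parse_ipv4(pkt[off:])
    result["ip"].append(ip)
    # Protocol 4 is IP-in-IP: the tunnel's inner packet follows the outer header.
    while ip["proto"] == 4:
        off += ip["ihl"]
        ip = parse_ipv4(pkt[off:])
        result["ip"].append(ip)
    if ip["proto"] == 6:  # TCP: pick up the ports tcpdump printed
        off += ip["ihl"]
        result["tcp_ports"] = struct.unpack(">HH", pkt[off:off + 4])
    return result


if __name__ == "__main__":
    r = walk_capture(SAMPLE)
    print("link type %s" % r["note"])
    print("enc: af=%d spi=0x%08x authentic=%s confidential=%s"
          % (r["af"], r["spi"], r["authentic"], r["confidential"]))
    for layer in r["ip"]:
        print("ip: %s > %s proto %d len %d"
              % (layer["src"], layer["dst"], layer["proto"], layer["total_len"]))
    print("tcp ports", r.get("tcp_ports"))
```

The values this recovers agree with tcpdump's line (SPI 0x2535b0d7, authentic and confidential, 192.168.9.70.5900 > 192.168.255.2.52761 inside 166.70.173.73 > 98.172.56.186), so the packet bytes themselves are intact; what differs between the two tools is only the file header's link-type value, which a reader that keys on the registry value 109 will not recognise as enc(4).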