Wireshark · Wireshark-users: Re: [Wireshark-users] OpenBSD enc0 capture from tcpdump failes to decode

Wireshark-users: Re: [Wireshark-users] OpenBSD enc0 capture from tcpdump failes to decode

From: Guy Harris <guy@xxxxxxxxxxxx>

Date: Fri, 25 Sep 2009 11:53:39 -0700


On Sep 21, 2009, at 8:38 PM, Brad Guillory wrote:

# hexdump /tmp/esp2-cut.pcap
0000000 c3d4 a1b2 0002 0004 0000 0000 0000 0000
0000010 07d0 0000 000d

                    ^^^^

BSD/OS SLIP?  That's certainly an odd link-layer type....

Unfortunately, there are a few DLT_ values that don't mean the samething in all OSes. 13 is one of them; in FreeBSD and NetBSD, forexample, it means BSD/OS SLIP, whereas, in OpenBSD, it means"encapsulated IPSec packets" - and, in BSD/OS itself, it meant RFC1483-encapsulated ATM.

It's really really unfortunate that this happened; that's why libpcapfrom tcpdump.org, as opposed to libpcap from OpenBSD, will write out"encapsulated IPSec packets" captures with a DLT_ value of 109, whichis a value *not* used for any other purpose.

# tcpdump -r /tmp/esp2-cut.pcap -X
tcpdump: WARNING: snaplen raised from 96 to 2000
23:37:42.887582 (authentic,confidential): SPI 0x2535b0d7:192.168.9.70.5900 > 192.168.255.2.52761: P 671211301:671211581(280)ack 1486745460 win 33156 <nop,nop,timestamp 293230792 225510712>(DF) (encap)

That's presumably tcpdump on your OpenBSD machine; tcpdump on my Macfails:


	$ tcpdump -n -r /tmp/esp2-cut.pcap
	reading from file /tmp/esp2-cut.pcap, link-type 13
	tcpdump: unknown data link type 13

as does tcpdump.org tcpdump built from source with tcpdump.org'slibpcap:


	$ ./tcpdump -n -r /tmp/esp2-cut.pcap
	reading from file /tmp/esp2-cut.pcap, link-type 13
	tcpdump: unknown data link type 13

Now, given that BSD/OS died a while ago, we could just treat a link-layer type of 13 as "encapsulated IPSec packets". (Of course, OpenBSDcould just write them out with a link-layer type of 109 in the file,too - nothing *requires* that the value returned by pcap_datalink()and the value in the file be the same, and, in fact, tcpdump.org'slibpcap maps them, precisely to *avoid* this problem.)


Try changing

#if defined(DLT_ATM_RFC1483) && (DLT_ATM_RFC1483 == 13)
	{ 13,		WTAP_ENCAP_ATM_RFC1483 },
#elif defined(DLT_ENC) && (DLT_ENC == 13)
	{ 13,		WTAP_ENCAP_ENC },
#endif

in wiretap/pcap-common.c in the Wireshark source to just

	{ 13,		WTAP_ENCAP_ENC },

and recompiling.

References:
- [Wireshark-users] OpenBSD enc0 capture from tcpdump failes to decode
  - From: Brad Guillory

Prev by Date: Re: [Wireshark-users] print number of packet based on filter in a file
Next by Date: Re: [Wireshark-users] OpenBSD enc0 capture from tcpdump failes to decode
Previous by thread: [Wireshark-users] OpenBSD enc0 capture from tcpdump failes to decode
Next by thread: Re: [Wireshark-users] OpenBSD enc0 capture from tcpdump failes to decode
Index(es):
- Date
- Thread