Ethereal-dev: [Ethereal-dev] data dissection in ESP_NULL packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Thomas Anders <thomas.anders@xxxxxxxxxxxxx>
Date: Fri, 18 Jun 2004 15:13:14 +0200
I'm looking for a way to better dissect ESP (RFC2406) packets in transport
mode with NULL encryption (RFC2410 ESP_NULL). Currently, packet-ipsec.c
only dissects SPI and sequence number and leaves the remaining bytes as "Data".

Now, if I know
- it's NULL encryption
- the authentication algorithm (RFC2404 HMAC-SHA-1-96 or RFC2403 HMAC-MD5-96)
- the dissector for the (encapsulated) protocol
I *should* be able to fully dissect the packet easily. What's the proper way
to do this?

A few considerations:
- Store a list of (IP address, SPI) and negotiated ciphersuite if the initial
  key management is part of the capture and use that?
- Offer preference settings to set a default ciphersuite and use that?
- How to best find/call the dissector for the (encapsulated) protocol?
- The chosen approach should possibly allow decryption of non-NULL encrypted
  packets later (once we finally have a crypto framework in place ;)).

Your feedback is highly appreciated.


+Thomas

--
Thomas Anders (thomas.anders at blue-cable.de)
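Added example (not part of the original post or of Ethereal's packet-ipsec.c): a Python prototype of the dissection the post asks about. It shows that, once NULL encryption is known, the only extra fact a dissector needs is the ICV length of the authentication algorithm (96 bits for both RFC 2403 HMAC-MD5-96 and RFC 2404 HMAC-SHA-1-96): the trailer (pad length, next header) then sits immediately before the ICV in the clear, the RFC 2406 default padding pattern gives a cheap check that the guess was right, and the next header value is the IP protocol number under which the encapsulated protocol's dissector is looked up. The key, SPI and payload are constructed sample values, and `build_esp_null` exists only to produce that test input.

```python
"""Prototype ESP_NULL transport-mode dissection (RFC 2406 layout, RFC 2410 NULL
encryption, RFC 2403/2404 96-bit truncated HMAC ICVs). Added example; the key
and packet below are constructed, not captured traffic."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

ESP_HEADER_LEN = 8  # SPI (4 bytes) + sequence number (4 bytes)

# Both RFC 2403 (HMAC-MD5-96) and RFC 2404 (HMAC-SHA-1-96) truncate the MAC to 96 bits.
AUTH_ALGS = {
    "hmac-sha1-96": (hashlib.sha1, 12),
    "hmac-md5-96": (hashlib.md5, 12),
}

NEXT_HEADER_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IP protocol numbers


@dataclass
class EspNull:
    spi: int
    seq: int
    payload: bytes       # the encapsulated transport-layer datagram
    pad_len: int
    padding_ok: bool     # padding matches the RFC 2406 default 1,2,3,... pattern
    next_header: int     # IP protocol number of the encapsulated protocol
    icv: bytes


def parse_esp_null(pkt: bytes, auth_alg: str) -> EspNull:
    """Split an ESP_NULL packet into header, payload, trailer and ICV.

    With NULL encryption the trailer (pad length, next header) is in the clear,
    so knowing only the ICV length is enough to locate every field.
    """
    _, icv_len = AUTH_ALGS[auth_alg]
    if len(pkt) < ESP_HEADER_LEN + 2 + icv_len:
        raise ValueError("packet too short for ESP header, trailer and ICV")
    spi, seq = struct.unpack("!II", pkt[:ESP_HEADER_LEN])
    icv = pkt[len(pkt) - icv_len:]
    body = pkt[ESP_HEADER_LEN:len(pkt) - icv_len]   # payload + padding + trailer
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 2:
        raise ValueError("pad length exceeds the bytes available before the trailer")
    payload_end = len(body) - 2 - pad_len
    payload = body[:payload_end]
    padding = body[payload_end:payload_end + pad_len]
    # RFC 2406 default padding is 1,2,3,...; a mismatch usually means the wrong
    # ICV length (i.e. a wrong guess of the auth algorithm), so report it rather
    # than silently handing misaligned bytes to the next dissector.
    padding_ok = padding == bytes(range(1, pad_len + 1))
    return EspNull(spi, seq, payload, pad_len, padding_ok, next_header, icv)


def verify_icv(pkt: bytes, auth_alg: str, key: bytes) -> bool:
    """Recompute the truncated HMAC over SPI..next header; constant-time compare."""
    digestmod, icv_len = AUTH_ALGS[auth_alg]
    expected = hmac.new(key, pkt[:len(pkt) - icv_len], digestmod).digest()[:icv_len]
    return hmac.compare_digest(expected, pkt[len(pkt) - icv_len:])


def build_esp_null(spi: int, seq: int, payload: bytes, next_header: int,
                   auth_alg: str, key: bytes) -> bytes:
    """Construct an ESP_NULL packet (used here only to produce test input)."""
    digestmod, icv_len = AUTH_ALGS[auth_alg]
    # RFC 2406: pad so that pad length / next header end on a 4-byte boundary.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    authed = (struct.pack("!II", spi, seq) + payload + padding
              + bytes([pad_len, next_header]))
    return authed + hmac.new(key, authed, digestmod).digest()[:icv_len]


# Constructed sample: an 11-byte UDP-shaped payload (not real traffic), SPI 0x1234.
SAMPLE_KEY = b"constructed-example-key-not-a-real-sa"
SAMPLE_PAYLOAD = bytes.fromhex("0035 0035 000b 0000 414243")  # 11 bytes -> 3 pad bytes
SAMPLE_PKT = build_esp_null(0x1234, 1, SAMPLE_PAYLOAD, 17, "hmac-sha1-96", SAMPLE_KEY)


def dissect(pkt: bytes, auth_alg: str, key: Optional[bytes] = None) -> dict:
    """The view a dissector would present: fields plus an optional ICV check."""
    esp = parse_esp_null(pkt, auth_alg)
    return {
        "spi": esp.spi,
        "seq": esp.seq,
        "next_header": NEXT_HEADER_NAMES.get(esp.next_header, str(esp.next_header)),
        "payload": esp.payload,
        "pad_len": esp.pad_len,
        "padding_ok": esp.padding_ok,
        "icv_valid": verify_icv(pkt, auth_alg, key) if key is not None else None,
    }


if __name__ == "__main__":
    for field, value in dissect(SAMPLE_PKT, "hmac-sha1-96", SAMPLE_KEY).items():
        print(f"{field:12} {value!r}")
```

The `icv_valid` field only becomes available when the authentication key is known, which is the piece the post's (IP address, SPI)-to-ciphersuite table or a preference setting would have to supply; without it the dissector can still lay out all fields and hand `payload` to the protocol named by `next_header`. In Ethereal that hand-off is a lookup of the next header value in the "ip.proto" dissector table, the same table packet-ip.c uses for ordinary IP payloads.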