Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-bugs: [Wireshark-bugs] [Bug 3408] New: Add IKEv2 decryption support

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Sat, 11 Apr 2009 09:39:18 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3408

           Summary: Add IKEv2 decryption support
           Product: Wireshark
           Version: SVN
          Platform: x86
        OS/Version: Ubuntu
            Status: NEW
          Severity: Enhancement
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: piyomaru3141@xxxxxxxxx



Naoyoshi Ueda <piyomaru3141@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #2930|                            |review_for_checkin?
               Flag|                            |


Created an attachment (id=2930)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=2930)
Patch to add ability to decrypt IKEv2 packets

Build Information:
wireshark 1.1.4 (SVN Rev 28026)

Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.12.9, with GLib 2.16.6, with libpcap 0.9.8, with libz
1.2.3.3, with POSIX capabilities (Linux), with libpcre 7.4, with SMI 0.4.5,
with
c-ares 1.5.1, with Lua 5.1, with GnuTLS 2.0.4, with Gcrypt 1.2.4, with MIT
Kerberos, with GeoIP, with PortAudio V19-devel (built Mar 12 2008), without
AirPcap.

Running on Linux 2.6.24-23-generic, with libpcap version 0.9.8, GnuTLS 2.0.4,
Gcrypt 1.2.4.

Built using gcc 4.2.4 (Ubuntu 4.2.4-1ubuntu3).

--
Hello all,

Currently wireshark has ability to decrypt ISAKMP IKEv1 packets, but not IKEv2
packets.

With attached patch decryption of IKEv2 packets is now passible. 

Go to ISAKMP protocol preference and open an user accessible table named "IKEv2
decryption table". You can enter necessary information here (See RFC4306 for
the meaning of the following security parameters.): 
* initiator's SPI and responder's SPI (to specify a IKE_SA)
* SK_ei, SK_er and encryption algorithm of that IKE_SA (to decrypt)
* SK_ai, SK_ar and integrity algorithm of that IKE_SA (to specify the length of
the integrity checksum data and to check it)

To decrypt the attached trace file, enter the following values to the fields or
copy the attached ikev2_decryption_table file to your wireshark's profile
directory.

Initiator's SPI: aff6db6e592cc5db
Responder's SPI: b51a2eea952e47b8
SK_ei: 488401536b1afe26807e4f6e9211479a
SK_er: 0495a65d403390a7e5a7ae3242cd8603
Encryption Algorithm: AES-CBC-128 [RFC3602]
SK_ai: 3A26B01B13A156F24AB30439615782BCB2AEA760
SK_ar: F3AC1B7FD65401D18FC221BAE7B1FDA22C1C9774
Integrity Algorithm: HMAC_SHA1_96 [RFC2404]

I used not only the attached trace file but also other trace files to check my
code, however, unfortunately I can't send them for privacy reason.

So, I'd appreciate it if you add sample trace files and necessary parameters.


-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube