Wireshark-dev: [Wireshark-dev] [Patch] : IPsec
From: Frédéric Roudaut <frederic.roudaut@xxxxxxx>
Date: Wed, 20 Dec 2006 16:01:06 +0100
Hi,This is a patch for the IPsec dissector in order to update/correct the following points:
- Fixes for TWOFISH-CBC with keylen 128 bits. - Add CAST5-CBC - Add HMAC-RIPEMD160-96 - Fixes for AES-CTR that was completely broken- Code Update : Encryption, Authentication are now in separated functions. It seems easier to add new algorithms. Just modify the ESP Context function and enhance the Encrypt or Authentication function according to the algorithm. - The IV field is no more decrypted. (Instead it is set in the cipher object)
- the authentication field remains in the main tree that is not decrypted. Best Regards,ps: In attachment you will also get a dump with all the available algorithms for FuzzTesting. It also contains a packet (a tunnel of tunnel of ..) with all the different algorithms and a Configure file to set the keys/algorithms. The packets have been generated using an Extension to Scapy I have done to handle IPsec. See http://roudaut.frederic.free.fr/data/scapysec/doc/scapysec.html if needed
--- Frederic Roudaut
Attachment:
capture.pcap
Description: Binary data
# Configuration file for Wireshark 0.99.5. # # This file is regenerated each time preferences are saved within # Wireshark. Making manual changes should be safe, however. ######## User Interface ######## # Vertical scrollbars should be on right side? # TRUE or FALSE (case-insensitive). gui.scrollbar_on_right: TRUE # Packet-list selection bar can be used to browse w/o selecting? # TRUE or FALSE (case-insensitive). gui.packet_list_sel_browse: FALSE # Protocol-tree selection bar can be used to browse w/o selecting? # TRUE or FALSE (case-insensitive). gui.protocol_tree_sel_browse: FALSE # Alternating colors in TreeViews? # TRUE or FALSE (case-insensitive). gui.tree_view_altern_colors: FALSE # Place filter toolbar inside the statusbar? # TRUE or FALSE (case-insensitive). gui.filter_toolbar_show_in_statusbar: FALSE # Protocol-tree line style. # One of: NONE, SOLID, DOTTED, TABBED gui.protocol_tree_line_style: NONE # Protocol-tree expander style. # One of: NONE, SQUARE, TRIANGLE, CIRCULAR gui.protocol_tree_expander_style: SQUARE # Hex dump highlight style. # One of: BOLD, INVERSE gui.hex_dump_highlight_style: INVERSE # Main Toolbar style. # One of: ICONS, TEXT, BOTH gui.toolbar_main_style: ICONS # Save window position at exit? # TRUE or FALSE (case-insensitive). gui.geometry.save.position: FALSE # Save window size at exit? # TRUE or FALSE (case-insensitive). gui.geometry.save.size: TRUE # Save window maximized state at exit (GTK2 only)? # TRUE or FALSE (case-insensitive). gui.geometry.save.maximized: TRUE # Open a console window (WIN32 only)? # One of: NEVER, AUTOMATIC, ALWAYS gui.console_open: NEVER # The max. number of items in the open recent files list. # A decimal number. gui.recent_files_count.max: 10 # Where to start the File Open dialog box. # One of: LAST_OPENED, SPECIFIED gui.fileopen.style: LAST_OPENED # Directory to start in when opening File Open dialog. gui.fileopen.dir: # The preview timeout in the File Open dialog. # A decimal number (in seconds). gui.fileopen.preview: 3 # Ask to save unsaved capture files? # TRUE or FALSE (case-insensitive). gui.ask_unsaved: TRUE # Wrap to beginning/end of file during search? # TRUE or FALSE (case-insensitive). gui.find_wrap: TRUE # Settings dialogs use a save button? # TRUE or FALSE (case-insensitive). gui.use_pref_save: FALSE # The path to the webbrowser. # Ex: mozilla %s gui.webbrowser: mozilla %s # Custom window title. (Prepended to existing titles.) gui.window_title: Fred - ######## User Interface: Layout ######## # Layout type (1-6). gui.layout_type: 1 # Layout content of the panes (1-3). # One of: NONE, PLIST, PDETAILS, PBYTES gui.layout_content_1: PLIST gui.layout_content_2: PDETAILS gui.layout_content_3: PBYTES ######## User Interface: Columns ######## # Packet list column format. # Each pair of strings consists of a column title and its format. column.format: "No.", "%m", "Time", "%t", "Source", "%s", "Destination", "%d", "Protocol", "%p", "Info", "%i" ######## User Interface: Font ######## # Font name for packet list, protocol tree, and hex dump panes (GTK version 1). gui.font_name: -misc-fixed-medium-r-semicondensed-*-*-100-*-*-*-*-iso8859-1 # Font name for packet list, protocol tree, and hex dump panes (GTK version 2). gui.gtk2.font_name: Monospace 10 ######## User Interface: Colors ######## # Color preferences for a marked frame. # Each value is a six digit hexadecimal color value in the form rrggbb. gui.marked_frame.fg: ffffff gui.marked_frame.bg: 000000 # TCP stream window color preferences. # Each value is a six digit hexadecimal color value in the form rrggbb. stream.client.fg: 7f0000 stream.client.bg: fbeded stream.server.fg: 00007f stream.server.bg: ededfb ######## Console: logging level ######## # (debugging only, not in the Preferences dialog) # A bitmask of glib log levels: # G_LOG_LEVEL_ERROR = 4 # G_LOG_LEVEL_CRITICAL = 8 # G_LOG_LEVEL_WARNING = 16 # G_LOG_LEVEL_MESSAGE = 32 # G_LOG_LEVEL_INFO = 64 # G_LOG_LEVEL_DEBUG = 128 console.log.level: 28 ####### Capture ######## # Default capture device capture.device: ath0 # Capture in promiscuous mode? # TRUE or FALSE (case-insensitive). capture.prom_mode: TRUE # Update packet list in real time during capture? # TRUE or FALSE (case-insensitive). capture.real_time_update: TRUE # Scroll packet list during capture? # TRUE or FALSE (case-insensitive). capture.auto_scroll: FALSE # Show capture info dialog while capturing? # TRUE or FALSE (case-insensitive). capture.show_info: TRUE ######## Printing ######## # Can be one of "text" or "postscript". print.format: text # Can be one of "command" or "file". print.destination: command # This is the file that gets written to when the destination is set to "file" print.file: wireshark.out # Output gets piped to this command when the destination is set to "command" print.command: lpr ####### Name Resolution ######## # Resolve addresses to names? # TRUE or FALSE (case-insensitive), or a list of address types to resolve. name_resolve: mt # Name resolution concurrency. # A decimal number. name_resolve_concurrency: 500 ####### Protocols ######## # Enable this option to recognise all traffic on RTP dynamic payload type 96 (0x60) as FEC data corresponding to Pro-MPEG Code of Practice #3 release 2 # TRUE or FALSE (case-insensitive). 2dparityfec.enable: FALSE # Enable Architecture for Control Networks dissector (ANSI BSR E1.17) # TRUE or FALSE (case-insensitive). acn.heuristic_acn: FALSE # Enable Streaming DMX extension dissector (ANSI BSR E1.31) # TRUE or FALSE (case-insensitive). acn.dmx_enable: FALSE # Display format # One of: Hex , Decimal, Percent # (case-insensitive). acn.dmx_display_view: Hex # Display zeros instead of dots # TRUE or FALSE (case-insensitive). acn.dmx_display_zeros: FALSE # Display leading zeros on levels # TRUE or FALSE (case-insensitive). acn.dmx_display_leading_zeros: FALSE # Set the UDP port for AudioCodes Trunk Traces.Use http://x.x.x.x/TrunkTraces to enable the traces in the Blade # A decimal number. actrace.udp_port: 2428 # Set the TCP port for AgentX(if other than the default of 705) # A decimal number. agentx.tcp.agentx_port: 705 # Whether the AH payload decode should be placed in a subtree # TRUE or FALSE (case-insensitive). ah.place_ah_payload_in_subtree: FALSE # Whether the AIM dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). aim.desegment: TRUE # Whether that payload of UDP packets with a specific destination port should be automatically dissected as ALC packets # TRUE or FALSE (case-insensitive). alc.default.udp_port.enabled: FALSE # Specifies the UDP destination port for automatic dissection of ALC packets # A decimal number. alc.default.udp_port: 4001 # Whether the LCT header Codepoint field should be considered the FEC Encoding ID of carried object # TRUE or FALSE (case-insensitive). alc.lct.codepoint_as_fec_id: TRUE # How to decode LCT header extention 192 # One of: Don't decode, Decode as FLUTE extension (EXT_FDT) # (case-insensitive). alc.lct.ext.192: Decode as FLUTE extension (EXT_FDT) # How to decode LCT header extention 193 # One of: Don't decode, Decode as FLUTE extension (EXT_CENC) # (case-insensitive). alc.lct.ext.193: Decode as FLUTE extension (EXT_CENC) # Whether persistent call leg information is to be kept # TRUE or FALSE (case-insensitive). alcap.leg_info: TRUE # The dynamic payload type which will be interpreted as AMR # A decimal number. amr.dynamic.payload.type: 0 # Type of AMR encoding of the payload # One of: RFC 3267 octet aligned, RFC 3267 BW-efficient, AMR IF1, AMR IF2 # (case-insensitive). amr.encoding.version: RFC 3267 BW-efficient # (if other than the default of IOS 4.0.1) # One of: IS-634 rev. 0, TSB-80, IS-634-A, IOS 2.x, IOS 3.x, IOS 4.0.1, IOS 5.0.1 # (case-insensitive). ansi_a_bsmap.global_variant: IOS 4.0.1 # GSM MAP SSNs to decode as ANSI MAP # A string denoting an positive integer range (e.g., "1-20,30-40"). ansi_map.map.ssn: 5-14 # Attempt to detect excessive rate of ARP requests # TRUE or FALSE (case-insensitive). arp.detect_request_storms: FALSE # Number of requests needed within period to indicate a storm # A decimal number. arp.detect_storm_number_of_packets: 30 # Period in milliseconds during which a packet storm may be detected # A decimal number. arp.detect_storm_period: 100 # The UDP port on which Art-Net packets will be sent # A decimal number. artnet.udp_port: 6454 # The way DMX values are displayed # One of: Percent, Hexadecimal, Decimal # (case-insensitive). artnet.dmx_disp_chan_val_type: Percent # The way DMX channel numbers are displayed # One of: Hexadecimal, Decimal # (case-insensitive). artnet.dmx_disp_chan_nr_type: Hexadecimal # The number of columns for the DMX display # One of: 6, 10, 12, 16, 24 # (case-insensitive). artnet.dmx_disp_col_count: 16 # The TCP ports on which ASN.1 messages will be read # A string denoting an positive integer range (e.g., "1-20,30-40"). asn1.tcp_ports: 0 # The UDP ports on which ASN.1 messages will be read # A string denoting an positive integer range (e.g., "1-20,30-40"). asn1.udp_ports: 0 # The SCTP ports on which ASN.1 messages will be read # A string denoting an positive integer range (e.g., "1-20,30-40"). asn1.sctp_ports: 0 # Desegment ASN.1 messages that span TCP segments # TRUE or FALSE (case-insensitive). asn1.desegment_messages: TRUE # Compiled ASN.1 description of ASN.1 types # A string. asn1.file: # Name of top level PDU # A string. asn1.pdu_name: ASN1 # Offset for non-reassembled packets, wrong if this happens on other than the first packet! # A decimal number. asn1.first_pdu_offset: 0 # Show full names for all values # TRUE or FALSE (case-insensitive). asn1.flat: FALSE # Allow this recursion level for eliminated type references # One of: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 # (case-insensitive). asn1.type_recursion: 1 # Extra output useful for debuging # TRUE or FALSE (case-insensitive). asn1.debug: FALSE # log to file $TMP/wireshark.log # TRUE or FALSE (case-insensitive). asn1.verbose_log: FALSE # Autodection between LANE and SSCOP is hard. As default LANE is preferred # TRUE or FALSE (case-insensitive). atm.dissect_lane_as_sscop: FALSE # Whether the ATP dissector should reassemble messages spanning multiple DDP packets # TRUE or FALSE (case-insensitive). atp.desegment: TRUE # Set the port for BEEP messages (if other than the default of 10288) # A decimal number. beep.tcp.port: 10288 # Specifies that BEEP requires CRLF as a terminator, and not just CR or LF # TRUE or FALSE (case-insensitive). beep.strict_header_terminator: TRUE # Whether the dissector should also display internal ASN.1 BER details such as Identifier and Length fields # TRUE or FALSE (case-insensitive). ber.show_internals: FALSE # Whether the BGP dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). bgp.desegment: TRUE # BGP dissector detect the length of the AS number in AS_PATH attributes automatically or manually (NOTE: Automatic detection is not 100% accurate) # One of: Auto-detect, 2 octet, 4 octet # (case-insensitive). bgp.asn_len: Auto-detect # Whether the BitTorrent dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). bittorrent.desegment: TRUE # Enabling this will tell which BitTorrent client that produced the handshake message # TRUE or FALSE (case-insensitive). bittorrent.decode_client: FALSE # Novell Servers option 85 can be configured as a string instead of address # TRUE or FALSE (case-insensitive). bootp.novellserverstring: FALSE # The PacketCable CCC protocol version # One of: PKT-SP-PROV-I05-021127, IETF Draft 5, RFC 3495 # (case-insensitive). bootp.pkt.ccc.protocol_version: RFC 3495 # Option Number for PacketCable CableLabs Client Configuration # A decimal number. bootp.pkt.ccc.option: 122 # For the sake of sub-dissectors registering to accept data from the BSSAP/BSAP dissector, this defines whether it is identified as BSSAP or BSAP. # One of: BSSAP, BSAP # (case-insensitive). bssap.bsap_or_bssap: BSSAP # Set Subsystem number used for BSSAP/BSSAP+ # A decimal number. bssap.ssn: 98 # Decode NRI (for use with SGSN in Pool) # TRUE or FALSE (case-insensitive). bssgp.decode_nri: FALSE # NRI length, in bits # A decimal number. bssgp.nri_length: 4 # Whether the ACL dissector should reassemble fragmented PDUs # TRUE or FALSE (case-insensitive). bthci_acl.btacl_reassembly: TRUE # The date format: (DD/MM) or (MM/DD) # One of: DD/MM/YYYY, MM/DD/YYYY # (case-insensitive). camel.date.format: DD/MM/YYYY # TCAP Subsystem numbers used for Camel # A string denoting an positive integer range (e.g., "1-20,30-40"). camel.tcap.ssn: 6-9 # Activate the analyse for Response Time # TRUE or FALSE (case-insensitive). camel.srt: FALSE # Statistics for Response Time # TRUE or FALSE (case-insensitive). camel.persistentsrt: FALSE # Whether the CAST dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). cast.reassembly: TRUE # Set the port for NetFlow messages # A decimal number. cflow.udp.port: 2055 # The type of CHDLC frame checksum (none, 16-bit, 32-bit) # One of: None, 16-Bit, 32-Bit # (case-insensitive). chdlc.fcs_type: None # The version of CIGI with which to dissect packets # One of: From Packet, CIGI 2, CIGI 3 # (case-insensitive). cigi.version: From Packet # The byte order with which to dissect CIGI packets (CIGI3) # One of: From Packet, Big-Endian, Little-Endian # (case-insensitive). cigi.byte_order: From Packet # IPv4 address or hostname of the host # A string. cigi.host: # IPv4 address or hostname of the image generator # A string. cigi.ig: # NSAP selector for Transport Protocol (last byte in hex) # A hexadecimal number. clnp.tp_nsap_selector: 0x21 # Always try to decode NSDU as transport PDUs # TRUE or FALSE (case-insensitive). clnp.always_decode_transport: FALSE # Whether segmented CLNP datagrams should be reassembled # TRUE or FALSE (case-insensitive). clnp.reassemble: TRUE # Whether the CMP-over-TCP dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). cmp.desegment: TRUE # Set the TCP port for COPS messages # A decimal number. cops.tcp.cops_port: 3288 # Whether the COPS dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). cops.desegment: TRUE # Decode the COPS messages using PacketCable clients. (Select port 2126) # TRUE or FALSE (case-insensitive). cops.packetcable: TRUE # Whether segmented COTP datagrams should be reassembled. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). cotp.reassemble: TRUE # How TSAPs should be displayed # One of: As strings if printable, As strings, As bytes # (case-insensitive). cotp.tsap_display: As strings if printable # Set the port for CPFI messages (if other than the default of 5000) # A decimal number. cpfi.udp.port: 5000 # Set the port for InstanceToInstance messages (if other than the default of 5001) # A decimal number. cpfi.udp.port2: 5001 # Control the way the '-->' is displayed. When enabled, keeps the 'lowest valued' endpoint of the src-dest pair on the left, and the arrow moves to distinguish source from dest. When disabled, keeps the arrow pointing right so the source of the frame is always on the left. # TRUE or FALSE (case-insensitive). cpfi.arrow_ctl: TRUE # Set the destination UDP port Cisco wireless IDS messages # A decimal number. cwids.udp.port: 0 # Set the port for DAP operations (if other than the default of 102) # A decimal number. dap.tcp.port: 102 # Whether the DCE/RPC dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). dcerpc.desegment_dcerpc: TRUE # Whether the DCE/RPC dissector should reassemble fragmented DCE/RPC PDUs # TRUE or FALSE (case-insensitive). dcerpc.reassemble_dcerpc: TRUE # Display some DCOM unmarshalled fields usually hidden # TRUE or FALSE (case-insensitive). dcom.display_unmarshalling_details: FALSE # Whether the DCCP summary line should be shown in the protocol tree # TRUE or FALSE (case-insensitive). dcp.summary_in_tree: TRUE # Try to decode a packet using an heuristic sub-dissector before using a sub-dissector registered to a specific port # TRUE or FALSE (case-insensitive). dcp.try_heuristic_first: FALSE # Whether to check the validity of the DCCP checksum # TRUE or FALSE (case-insensitive). dcp.check_checksum: TRUE # If a payload looks like its embedded in an IP primitive message, and there is an wireshark dissector matching the DCT2000 protocol name, try parsing the payload using that dissector # TRUE or FALSE (case-insensitive). dct2000.ipprim_heuristic: TRUE # If a payload looks like its embedded in an SCTP primitive message, and there is an wireshark dissector matching the DCT2000 protocol name, try parsing the payload using that dissector # TRUE or FALSE (case-insensitive). dct2000.sctpprim_heuristic: TRUE # Set the port for DHCP failover communications # A decimal number. dhcpfo.tcp_port: 519 # Whether the DHCP failover dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). dhcpfo.desegment: TRUE # Standard version used for decoding # One of: Diameter base draft version 16 and below, Diameter base RFC 3588 # (case-insensitive). diameter.version: Diameter base RFC 3588 # Set the TCP port for Diameter messages # A decimal number. diameter.tcp.port: 3868 # Set the SCTP port for Diameter messages # A decimal number. diameter.sctp.port: 3868 # Set the dictionary used for Diameter messages # A string. diameter.dictionary.name: /usr/local/share/wireshark/diameter/dictionary.xml # Only attempt to load and use the Diameter XML Dictionary when this option is selected # TRUE or FALSE (case-insensitive). diameter.dictionary.use: TRUE # Whether the Diameter dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). diameter.desegment: TRUE # If set, the value 0 (zero) can be used as a valid application ID. This is used in experimental cases. # TRUE or FALSE (case-insensitive). diameter.allow_zero_as_app_id: TRUE # If console output for errors should be suppressed or not # TRUE or FALSE (case-insensitive). diameter.suppress_console_output: TRUE # Set the UDP port for DIS messages # A decimal number. dis.udp.port: 3000 # Set the port for DISP operations (if other than the default of 102) # A decimal number. disp.tcp.port: 102 # Set the TCP port for DISTCC messages # A decimal number. distcc.tcp.port: 3632 # Whether the DISTCC dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). distcc.desegment_distcc_over_tcp: TRUE # Primary port number used for DMP traffic # A decimal number. dmp.udp_port: 0 # Second port number used for DMP traffic (0 to disable) # A decimal number. dmp.udp_port_second: 0 # Align identifiers in info list # TRUE or FALSE (case-insensitive). dmp.align_ids: FALSE # Print subject as body id in free text messages with subject # TRUE or FALSE (case-insensitive). dmp.subject_as_id: FALSE # Format of the structured message id # One of: None, 1 Byte value, 2 Byte value, 4 Byte value, 8 Byte value, Fixed text string, Zero terminated text string # (case-insensitive). dmp.struct_print: None # Used to set where the structured message id starts in the User Data # A decimal number. dmp.struct_offset: 0 # Used to set length of fixed text string in the structured message id format (maximum 128 characters) # A decimal number. dmp.struct_length: 1 # Whether the DNS dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). dns.desegment_dns_messages: TRUE # Set the port for DOP operations (if other than the default of 102) # A decimal number. dop.tcp.port: 102 # Whether the DSI dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). dsi.desegment: TRUE # Set the port for DSP operations (if other than the default of 102) # A decimal number. dsp.tcp.port: 102 # semicolon separated list of private RSA keys used for DTLS decryption; each list entry must be in the form of <ip>,<port>,<protocol>,<key_file_name><key_file_name> is the local file name of the RSA private key used by the specified server # A string. dtls.keys_list: # redirect dtls debug to file name; leave empty to disable debug, use "-" to redirect output to stderr # A string. dtls.debug_file: # Allow only packets with Major=0x03//Minor=0xFF as DVMRP V3 packets # TRUE or FALSE (case-insensitive). dvmrp.strict_v3: FALSE # Whether the eDonkey dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). edonkey.desegment: TRUE # Whether the EtherNet/IP dissector should desegment all messages spanning multiple TCP segments # TRUE or FALSE (case-insensitive). enip.desegment: TRUE # The UDP port on which ENTTEC packets will be sent # A decimal number. enttec.udp_port: 3333 # The TCP port on which ENTTEC packets will be sent # A decimal number. enttec.tcp_port: 3333 # The way DMX values are displayed # One of: Percent, Hexadecimal, Decimal # (case-insensitive). enttec.dmx_disp_chan_val_type: Percent # The way DMX channel numbers are displayed # One of: Hexadecimal, Decimal # (case-insensitive). enttec.dmx_disp_chan_nr_type: Hexadecimal # The number of columns for the DMX display # One of: 6, 10, 12, 16, 24 # (case-insensitive). enttec.dmx_disp_col_count: 16 # This is done only if the Decoding is not SET or the packet does not belong to a SA. Assumes a 12 byte auth (HMAC-SHA1-96/HMAC-MD5-96/AES-XCBC-MAC-96) and attempts decode based on the ethertype 13 bytes from packet end # TRUE or FALSE (case-insensitive). esp.enable_null_encryption_decode_heuristic: TRUE # Attempt to decode based on the SAD described hereafter. # TRUE or FALSE (case-insensitive). esp.enable_encryption_decode: TRUE # Attempt to Check ESP Authentication based on the SAD described hereafter. # TRUE or FALSE (case-insensitive). esp.enable_authentication_check: TRUE # SA identifier. Must have the form "Protocol|Source Address|Destination Adress|SPI". Example: "IPv4|192.168.0.45|10.1.2.7|*" See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for more details. # A string. esp.sa_1: ipv4|*|192.168.0.1|* # Encryption algorithm # One of: NULL, TripleDES-CBC [RFC2451], AES-CBC [RFC3602], AES-CTR [RFC3686], DES-CBC [RFC2405], BLOWFISH-CBC [RFC2451], TWOFISH-CBC, CAST5-CBC # (case-insensitive). esp.encryption_algorithm_1: NULL # Authentication algorithm # One of: NULL, HMAC-SHA1-96 [RFC2404], HMAC-SHA256-96, HMAC-MD5-96 [RFC2403], HMAC-RIPEMD160-96 [RFC2857], ANY 12-bytes of Authentication [No Checking] # (case-insensitive). esp.authentication_algorithm_1: NULL # Encryption key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.encryption_key_1: # Authentication key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.authentication_key_1: # SA identifier. Must have the form "Protocol|Source Address|Destination Adress|SPI". Example: "IPv4|192.168.0.45|10.1.2.7|*" See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for more details. # A string. esp.sa_2: ipv4|*|192.168.0.3|* # Encryption algorithm # One of: NULL, TripleDES-CBC [RFC2451], AES-CBC [RFC3602], AES-CTR [RFC3686], DES-CBC [RFC2405], BLOWFISH-CBC [RFC2451], TWOFISH-CBC, CAST5-CBC # (case-insensitive). esp.encryption_algorithm_2: TripleDES-CBC [RFC2451] # Authentication algorithm # One of: NULL, HMAC-SHA1-96 [RFC2404], HMAC-SHA256-96, HMAC-MD5-96 [RFC2403], HMAC-RIPEMD160-96 [RFC2857], ANY 12-bytes of Authentication [No Checking] # (case-insensitive). esp.authentication_algorithm_2: HMAC-SHA1-96 [RFC2404] # Encryption key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.encryption_key_2: 352145981234abc12ffffbc1 # Authentication key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.authentication_key_2: 5llll632abc1azefvc # SA identifier. Must have the form "Protocol|Source Address|Destination Adress|SPI". Example: "IPv4|192.168.0.45|10.1.2.7|*" See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for more details. # A string. esp.sa_3: ipv4|*|192.168.0.4|* # Encryption algorithm # One of: NULL, TripleDES-CBC [RFC2451], AES-CBC [RFC3602], AES-CTR [RFC3686], DES-CBC [RFC2405], BLOWFISH-CBC [RFC2451], TWOFISH-CBC, CAST5-CBC # (case-insensitive). esp.encryption_algorithm_3: AES-CBC [RFC3602] # Authentication algorithm # One of: NULL, HMAC-SHA1-96 [RFC2404], HMAC-SHA256-96, HMAC-MD5-96 [RFC2403], HMAC-RIPEMD160-96 [RFC2857], ANY 12-bytes of Authentication [No Checking] # (case-insensitive). esp.authentication_algorithm_3: HMAC-SHA1-96 [RFC2404] # Encryption key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.encryption_key_3: 1234abc12ffffbc1 # Authentication key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.authentication_key_3: 5llll632abc1azefvc # SA identifier. Must have the form "Protocol|Source Address|Destination Adress|SPI". Example: "IPv4|192.168.0.45|10.1.2.7|*" See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for more details. # A string. esp.sa_4: ipv4|*|192.168.0.5|* # Encryption algorithm # One of: NULL, TripleDES-CBC [RFC2451], AES-CBC [RFC3602], AES-CTR [RFC3686], DES-CBC [RFC2405], BLOWFISH-CBC [RFC2451], TWOFISH-CBC, CAST5-CBC # (case-insensitive). esp.encryption_algorithm_4: AES-CBC [RFC3602] # Authentication algorithm # One of: NULL, HMAC-SHA1-96 [RFC2404], HMAC-SHA256-96, HMAC-MD5-96 [RFC2403], HMAC-RIPEMD160-96 [RFC2857], ANY 12-bytes of Authentication [No Checking] # (case-insensitive). esp.authentication_algorithm_4: HMAC-SHA1-96 [RFC2404] # Encryption key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.encryption_key_4: 1234abc12ffffbc1gfthjgfd # Authentication key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.authentication_key_4: 5llll632abc1azefvc # SA identifier. Must have the form "Protocol|Source Address|Destination Adress|SPI". Example: "IPv4|192.168.0.45|10.1.2.7|*" See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for more details. # A string. esp.sa_5: ipv4|*|192.168.0.6|* # Encryption algorithm # One of: NULL, TripleDES-CBC [RFC2451], AES-CBC [RFC3602], AES-CTR [RFC3686], DES-CBC [RFC2405], BLOWFISH-CBC [RFC2451], TWOFISH-CBC, CAST5-CBC # (case-insensitive). esp.encryption_algorithm_5: AES-CBC [RFC3602] # Authentication algorithm # One of: NULL, HMAC-SHA1-96 [RFC2404], HMAC-SHA256-96, HMAC-MD5-96 [RFC2403], HMAC-RIPEMD160-96 [RFC2857], ANY 12-bytes of Authentication [No Checking] # (case-insensitive). esp.authentication_algorithm_5: HMAC-SHA1-96 [RFC2404] # Encryption key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.encryption_key_5: 1234abc12ffffbc1gfthjgfds456hjy7 # Authentication key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.authentication_key_5: 5llll632abc1azefvc # SA identifier. Must have the form "Protocol|Source Address|Destination Adress|SPI". Example: "IPv4|192.168.0.45|10.1.2.7|*" See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for more details. # A string. esp.sa_6: ipv4|*|192.168.0.7|* # Encryption algorithm # One of: NULL, TripleDES-CBC [RFC2451], AES-CBC [RFC3602], AES-CTR [RFC3686], DES-CBC [RFC2405], BLOWFISH-CBC [RFC2451], TWOFISH-CBC, CAST5-CBC # (case-insensitive). esp.encryption_algorithm_6: AES-CTR [RFC3686] # Authentication algorithm # One of: NULL, HMAC-SHA1-96 [RFC2404], HMAC-SHA256-96, HMAC-MD5-96 [RFC2403], HMAC-RIPEMD160-96 [RFC2857], ANY 12-bytes of Authentication [No Checking] # (case-insensitive). esp.authentication_algorithm_6: HMAC-MD5-96 [RFC2403] # Encryption key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.encryption_key_6: 12341234abc12ffffbc1 # Authentication key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.authentication_key_6: 5632abc1azefvc # SA identifier. Must have the form "Protocol|Source Address|Destination Adress|SPI". Example: "IPv4|192.168.0.45|10.1.2.7|*" See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for more details. # A string. esp.sa_7: ipv4|*|192.168.0.8|* # Encryption algorithm # One of: NULL, TripleDES-CBC [RFC2451], AES-CBC [RFC3602], AES-CTR [RFC3686], DES-CBC [RFC2405], BLOWFISH-CBC [RFC2451], TWOFISH-CBC, CAST5-CBC # (case-insensitive). esp.encryption_algorithm_7: DES-CBC [RFC2405] # Authentication algorithm # One of: NULL, HMAC-SHA1-96 [RFC2404], HMAC-SHA256-96, HMAC-MD5-96 [RFC2403], HMAC-RIPEMD160-96 [RFC2857], ANY 12-bytes of Authentication [No Checking] # (case-insensitive). esp.authentication_algorithm_7: HMAC-SHA1-96 [RFC2404] # Encryption key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.encryption_key_7: 5632abc1 # Authentication key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.authentication_key_7: 5632abc1azefvc # SA identifier. Must have the form "Protocol|Source Address|Destination Adress|SPI". Example: "IPv4|192.168.0.45|10.1.2.7|*" See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for more details. # A string. esp.sa_8: ipv4|*|192.168.0.9|* # Encryption algorithm # One of: NULL, TripleDES-CBC [RFC2451], AES-CBC [RFC3602], AES-CTR [RFC3686], DES-CBC [RFC2405], BLOWFISH-CBC [RFC2451], TWOFISH-CBC, CAST5-CBC # (case-insensitive). esp.encryption_algorithm_8: BLOWFISH-CBC [RFC2451] # Authentication algorithm # One of: NULL, HMAC-SHA1-96 [RFC2404], HMAC-SHA256-96, HMAC-MD5-96 [RFC2403], HMAC-RIPEMD160-96 [RFC2857], ANY 12-bytes of Authentication [No Checking] # (case-insensitive). esp.authentication_algorithm_8: HMAC-SHA1-96 [RFC2404] # Encryption key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.encryption_key_8: 00azdregrnytnytf # Authentication key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.authentication_key_8: ecuheznbevnbevabgj # SA identifier. Must have the form "Protocol|Source Address|Destination Adress|SPI". Example: "IPv4|192.168.0.45|10.1.2.7|*" See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for more details. # A string. esp.sa_9: ipv4|*|192.168.0.10|* # Encryption algorithm # One of: NULL, TripleDES-CBC [RFC2451], AES-CBC [RFC3602], AES-CTR [RFC3686], DES-CBC [RFC2405], BLOWFISH-CBC [RFC2451], TWOFISH-CBC, CAST5-CBC # (case-insensitive). esp.encryption_algorithm_9: CAST5-CBC # Authentication algorithm # One of: NULL, HMAC-SHA1-96 [RFC2404], HMAC-SHA256-96, HMAC-MD5-96 [RFC2403], HMAC-RIPEMD160-96 [RFC2857], ANY 12-bytes of Authentication [No Checking] # (case-insensitive). esp.authentication_algorithm_9: HMAC-SHA1-96 [RFC2404] # Encryption key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.encryption_key_9: 5632abcuyfyuf152 # Authentication key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.authentication_key_9: 5632abc1azefvc # SA identifier. Must have the form "Protocol|Source Address|Destination Adress|SPI". Example: "IPv4|192.168.0.45|10.1.2.7|*" See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for more details. # A string. esp.sa_10: ipv4|*|192.168.0.11|* # Encryption algorithm # One of: NULL, TripleDES-CBC [RFC2451], AES-CBC [RFC3602], AES-CTR [RFC3686], DES-CBC [RFC2405], BLOWFISH-CBC [RFC2451], TWOFISH-CBC, CAST5-CBC # (case-insensitive). esp.encryption_algorithm_10: TripleDES-CBC [RFC2451] # Authentication algorithm # One of: NULL, HMAC-SHA1-96 [RFC2404], HMAC-SHA256-96, HMAC-MD5-96 [RFC2403], HMAC-RIPEMD160-96 [RFC2857], ANY 12-bytes of Authentication [No Checking] # (case-insensitive). esp.authentication_algorithm_10: NULL # Encryption key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.encryption_key_10: 352145981234abc12ffffbc1 # Authentication key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.authentication_key_10: # SA identifier. Must have the form "Protocol|Source Address|Destination Adress|SPI". Example: "IPv4|192.168.0.45|10.1.2.7|*" See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for more details. # A string. esp.sa_11: ipv4|*|192.168.0.12|* # Encryption algorithm # One of: NULL, TripleDES-CBC [RFC2451], AES-CBC [RFC3602], AES-CTR [RFC3686], DES-CBC [RFC2405], BLOWFISH-CBC [RFC2451], TWOFISH-CBC, CAST5-CBC # (case-insensitive). esp.encryption_algorithm_11: TripleDES-CBC [RFC2451] # Authentication algorithm # One of: NULL, HMAC-SHA1-96 [RFC2404], HMAC-SHA256-96, HMAC-MD5-96 [RFC2403], HMAC-RIPEMD160-96 [RFC2857], ANY 12-bytes of Authentication [No Checking] # (case-insensitive). esp.authentication_algorithm_11: ANY 12-bytes of Authentication [No Checking] # Encryption key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.encryption_key_11: 352145981234abc12ffffbc1 # Authentication key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.authentication_key_11: # SA identifier. Must have the form "Protocol|Source Address|Destination Adress|SPI". Example: "IPv4|192.168.0.45|10.1.2.7|*" See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for more details. # A string. esp.sa_12: ipv4|*|192.168.0.13|* # Encryption algorithm # One of: NULL, TripleDES-CBC [RFC2451], AES-CBC [RFC3602], AES-CTR [RFC3686], DES-CBC [RFC2405], BLOWFISH-CBC [RFC2451], TWOFISH-CBC, CAST5-CBC # (case-insensitive). esp.encryption_algorithm_12: TripleDES-CBC [RFC2451] # Authentication algorithm # One of: NULL, HMAC-SHA1-96 [RFC2404], HMAC-SHA256-96, HMAC-MD5-96 [RFC2403], HMAC-RIPEMD160-96 [RFC2857], ANY 12-bytes of Authentication [No Checking] # (case-insensitive). esp.authentication_algorithm_12: HMAC-SHA1-96 [RFC2404] # Encryption key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.encryption_key_12: 5llll632abc1azefvc # Authentication key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.authentication_key_12: 5632lkn1azehgf # SA identifier. Must have the form "Protocol|Source Address|Destination Adress|SPI". Example: "IPv4|192.168.0.45|10.1.2.7|*" See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for more details. # A string. esp.sa_13: ipv6|*|3ffe::2|* # Encryption algorithm # One of: NULL, TripleDES-CBC [RFC2451], AES-CBC [RFC3602], AES-CTR [RFC3686], DES-CBC [RFC2405], BLOWFISH-CBC [RFC2451], TWOFISH-CBC, CAST5-CBC # (case-insensitive). esp.encryption_algorithm_13: BLOWFISH-CBC [RFC2451] # Authentication algorithm # One of: NULL, HMAC-SHA1-96 [RFC2404], HMAC-SHA256-96, HMAC-MD5-96 [RFC2403], HMAC-RIPEMD160-96 [RFC2857], ANY 12-bytes of Authentication [No Checking] # (case-insensitive). esp.authentication_algorithm_13: HMAC-SHA1-96 [RFC2404] # Encryption key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.encryption_key_13: 0xfecafecacafecafebbccbbccdadaffff # Authentication key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.authentication_key_13: 0x00fdabceff00aabb55412364d003219fffabc000 # SA identifier. Must have the form "Protocol|Source Address|Destination Adress|SPI". Example: "IPv4|192.168.0.45|10.1.2.7|*" See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for more details. # A string. esp.sa_14: ipv6|*|3ffe::3|* # Encryption algorithm # One of: NULL, TripleDES-CBC [RFC2451], AES-CBC [RFC3602], AES-CTR [RFC3686], DES-CBC [RFC2405], BLOWFISH-CBC [RFC2451], TWOFISH-CBC, CAST5-CBC # (case-insensitive). esp.encryption_algorithm_14: BLOWFISH-CBC [RFC2451] # Authentication algorithm # One of: NULL, HMAC-SHA1-96 [RFC2404], HMAC-SHA256-96, HMAC-MD5-96 [RFC2403], HMAC-RIPEMD160-96 [RFC2857], ANY 12-bytes of Authentication [No Checking] # (case-insensitive). esp.authentication_algorithm_14: HMAC-SHA1-96 [RFC2404] # Encryption key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.encryption_key_14: 0x0ecafecacafecafebbccbbccdadaffff # Authentication key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.authentication_key_14: 0x00fdabceff00aabb55412364d003219fffabc000 # SA identifier. Must have the form "Protocol|Source Address|Destination Adress|SPI". Example: "IPv4|192.168.0.45|10.1.2.7|*" See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for more details. # A string. esp.sa_15: IPV4|*|190.0.0.4|* # Encryption algorithm # One of: NULL, TripleDES-CBC [RFC2451], AES-CBC [RFC3602], AES-CTR [RFC3686], DES-CBC [RFC2405], BLOWFISH-CBC [RFC2451], TWOFISH-CBC, CAST5-CBC # (case-insensitive). esp.encryption_algorithm_15: TWOFISH-CBC # Authentication algorithm # One of: NULL, HMAC-SHA1-96 [RFC2404], HMAC-SHA256-96, HMAC-MD5-96 [RFC2403], HMAC-RIPEMD160-96 [RFC2857], ANY 12-bytes of Authentication [No Checking] # (case-insensitive). esp.authentication_algorithm_15: HMAC-SHA1-96 [RFC2404] # Encryption key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.encryption_key_15: twofishcbctestin # Authentication key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.authentication_key_15: hmacsha1authenticati # SA identifier. Must have the form "Protocol|Source Address|Destination Adress|SPI". Example: "IPv4|192.168.0.45|10.1.2.7|*" See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for more details. # A string. esp.sa_16: IPV4|*|190.0.0.5|* # Encryption algorithm # One of: NULL, TripleDES-CBC [RFC2451], AES-CBC [RFC3602], AES-CTR [RFC3686], DES-CBC [RFC2405], BLOWFISH-CBC [RFC2451], TWOFISH-CBC, CAST5-CBC # (case-insensitive). esp.encryption_algorithm_16: TWOFISH-CBC # Authentication algorithm # One of: NULL, HMAC-SHA1-96 [RFC2404], HMAC-SHA256-96, HMAC-MD5-96 [RFC2403], HMAC-RIPEMD160-96 [RFC2857], ANY 12-bytes of Authentication [No Checking] # (case-insensitive). esp.authentication_algorithm_16: HMAC-SHA1-96 [RFC2404] # Encryption key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.encryption_key_16: twofishcbctestintwofishcbctestin # Authentication key. May be ASCII or hexadecimal (if prepended with 0x).See the ESP Preferences page on the Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.authentication_key_16: hmacsha1authenticati # Whether packets should be interpreted as coming from CheckPoint FireWall-1 monitor file if they look as if they do # TRUE or FALSE (case-insensitive). eth.interpret_as_fw1_monitor: FALSE # Set TCP port 1 for etheric messages # A decimal number. etheric.tcp.port1: 1806 # Set TCP port 2 for etheric messages # A decimal number. etheric.tcp.port2: 10002 # Controls the display of the session's username in the info column. This is only displayed if the packet containing it was seen during this capture session. # TRUE or FALSE (case-insensitive). exec.info_show_username: TRUE # Controls the display of the command being run on the server by this session in the info column. This is only displayed if the packet containing it was seen during this capture session. # TRUE or FALSE (case-insensitive). exec.info_show_command: FALSE # If enabled, reassembly of multi-frame sequences is done # TRUE or FALSE (case-insensitive). fc.reassemble: TRUE # This is the size of non-last frames in a multi-frame sequence # A decimal number. fc.max_frame_size: 1024 # Whether the FCIP dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). fcip.desegment: TRUE # Port number used for FCIP # A decimal number. fcip.target_port: 3225 # Whether the FDDI dissector should add 3-byte padding to all captured FDDI packets (useful with e.g. Tru64 UNIX tcpdump) # TRUE or FALSE (case-insensitive). fddi.padding: FALSE # Encapsulation # One of: FRF 3.2/Cisco HDLC, GPRS Network Service, Raw Ethernet # (case-insensitive). fr.encap: FRF 3.2/Cisco HDLC # Show File Offset # TRUE or FALSE (case-insensitive). frame.show_file_off: FALSE # Treat all frames as DOCSIS Frames # TRUE or FALSE (case-insensitive). frame.force_docsis_encap: FALSE # Whether the FireWall-1 summary line should be shown in the protocol tree # TRUE or FALSE (case-insensitive). fw1.summary_in_tree: TRUE # Whether the Firewall-1 monitor file includes UUID information # TRUE or FALSE (case-insensitive). fw1.with_uuid: FALSE # Whether the interface list includes the chain position # TRUE or FALSE (case-insensitive). fw1.iflist_with_chain: FALSE # Whether the GIOP dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). giop.desegment_giop_messages: TRUE # File containing stringified IORs, one per line. # A string. giop.ior_txt: IOR.txt # Whether the Gryphon dissector should desegment all messages spanning multiple TCP segments # TRUE or FALSE (case-insensitive). gryphon.desegment: TRUE # Always decode a GSM Short Message as Connectionless WSP if a Port Number Information Element is present in the SMS User Data Header. # TRUE or FALSE (case-insensitive). gsm-sms-ud.port_number_udh_means_wsp: FALSE # Always try subdissection of the 1st fragment of a fragmented GSM Short Message. If reassembly is possible, the Short Message may be dissected twice (once as a short frame, once in its entirety). # TRUE or FALSE (case-insensitive). gsm-sms-ud.try_dissect_1st_fragment: FALSE # Prevent sub-dissectors from replacing column data with their own. Eg. Prevent WSP dissector overwriting SMPP information. # TRUE or FALSE (case-insensitive). gsm-sms-ud.prevent_dissectors_chg_cols: FALSE # TCAP Subsystem numbers used for GSM MAP # A string denoting an positive integer range (e.g., "1-20,30-40"). gsm_map.tcap.ssn: 6-9 # Forces the decoding to decode according to older incompatable gsm map version # TRUE or FALSE (case-insensitive). gsm_map.old_gsm_map_version: FALSE # Whether or not to try reassembling GSSAPI blobs spanning multiple (SMB/SessionSetup) PDUs # TRUE or FALSE (case-insensitive). gss-api.gssapi_reassembly: TRUE # GTPv0 port (default 3386) # A decimal number. gtp.v0_port: 3386 # GTPv1 control plane port (default 2123) # A decimal number. gtp.v1c_port: 2123 # GTPv1 user plane port (default 2152) # A decimal number. gtp.v1u_port: 2152 # Dissect T-PDU # TRUE or FALSE (case-insensitive). gtp.dissect_tpdu: TRUE # GTP ETSI order # TRUE or FALSE (case-insensitive). gtp.check_etsi: FALSE # Dissect GTP over TCP # TRUE or FALSE (case-insensitive). gtp.dissect_gtp_over_tcp: TRUE # H.225 Server TLS Port # A decimal number. h225.tls.port: 1300 # Whether the H.225 dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). h225.reassembly: TRUE # ON - display tunnelled H.245 inside H.225.0 tree, OFF - display tunnelled H.245 in root tree after H.225.0 # TRUE or FALSE (case-insensitive). h225.h245_in_tree: TRUE # ON - display tunnelled protocols inside H.225.0 tree, OFF - display tunnelled protocols in root tree after H.225.0 # TRUE or FALSE (case-insensitive). h225.tp_in_tree: TRUE # Whether the H.245 dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). h245.reassembly: TRUE # Whether the dissector should show short names or the long names from the standard # TRUE or FALSE (case-insensitive). h245.shorttypes: FALSE # Whether persistent context information is to be kept # TRUE or FALSE (case-insensitive). h248.ctx_info: FALSE # Port to be decoded as h248 # A decimal number. h248.udp_port: 0 # Whether the HTTP dissector should reassemble headers of a request spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). http.desegment_headers: TRUE # Whether the HTTP dissector should use the "Content-length:" value, if present, to reassemble the body of a request spanning multiple TCP segments, and reassemble chunked data spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). http.desegment_body: TRUE # Whether to reassemble bodies of entities that are transfered using the "Transfer-Encoding: chunked" method # TRUE or FALSE (case-insensitive). http.dechunk_body: TRUE # Whether to uncompress entity bodies that are compressed using "Content-Encoding: " # TRUE or FALSE (case-insensitive). http.decompress_body: TRUE # Decode packets on this TCP port as HTTP # A decimal number. http.tcp_alternate_port: 0 # Whether the 128th and following bytes of the ICMP payload should be decoded as MPLS extensions or as a portion of the original packet # TRUE or FALSE (case-insensitive). icmp.favor_icmp_mpls: FALSE # Whether the iFCP dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). ifcp.desegment: TRUE # TCAP Subsystem numbers used for INAP # A string denoting an positive integer range (e.g., "1-20,30-40"). inap.ssn: 106,241 # Whether the IPv4 type-of-service field should be decoded as a Differentiated Services field (see RFC2474/RFC2475) # TRUE or FALSE (case-insensitive). ip.decode_tos_as_diffserv: TRUE # Whether fragmented IP datagrams should be reassembled # TRUE or FALSE (case-insensitive). ip.defragment: TRUE # Whether the IP summary line should be shown in the protocol tree # TRUE or FALSE (case-insensitive). ip.summary_in_tree: TRUE # Whether to validate the IP checksum # TRUE or FALSE (case-insensitive). ip.check_checksum: TRUE # Whether the IPDC dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). ipdc.desegment_ipdc_messages: TRUE # Set the IPDC monitoring port # A decimal number. ipdc.tcp.port: 6668 # Whether fragmented IPv6 datagrams should be reassembled # TRUE or FALSE (case-insensitive). ipv6.defragment: TRUE # The iSCSI protocol version # One of: Draft 08, Draft 09, Draft 11, Draft 12, Draft 13 # (case-insensitive). iscsi.protocol_version: Draft 13 # Whether the iSCSI dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). iscsi.desegment_iscsi_messages: TRUE # When enabled, packets that appear bogus are ignored # TRUE or FALSE (case-insensitive). iscsi.bogus_pdu_filter: TRUE # Ignore packets that haven't set the F bit when they should have # TRUE or FALSE (case-insensitive). iscsi.demand_good_f_bit: FALSE # Treat packets whose data segment length is greater than this value as bogus # A decimal number. iscsi.bogus_pdu_max_data_len: 262144 # Port number of iSCSI target # A decimal number. iscsi.target_port: 3260 # When enabled, pdus are assumed to contain a data digest # TRUE or FALSE (case-insensitive). iscsi.enable_data_digests: FALSE # When enabled, data digests are assumed to be CRC32C # TRUE or FALSE (case-insensitive). iscsi.data_digest_is_crc32c: TRUE # The size of a data digest (bytes) # A decimal number. iscsi.data_digest_size: 4 # Whether the iSNS dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). isns.desegment: TRUE # Show the CIC value (in addition to the message type) in the Info column # TRUE or FALSE (case-insensitive). isup.show_cic_in_info: TRUE # Whether APM messages datagrams should be reassembled # TRUE or FALSE (case-insensitive). isup.defragment_apm: TRUE # Set TCP port for ISUP Thin messages # A decimal number. isup_thin.tcp.port: 0 # Support Implementers Guide (version 01) # TRUE or FALSE (case-insensitive). iua.support_ig: FALSE # Whether IuUP Payload bits should be dissected # TRUE or FALSE (case-insensitive). iuup.dissect_payload: FALSE # The payload contains a two byte pseudoheader indicating direction and circuit_id # TRUE or FALSE (case-insensitive). iuup.two_byte_pseudoheader: FALSE # The dynamic payload type which will be interpreted as IuUP # A decimal number. iuup.dynamic.payload.type: 0 # Whether the JXTA dissector should reassemble messages spanning multiple UDP/HTTP/TCP segments. To use this option you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings and enable "Reassemble fragmented IP datagrams" in the IP protocol settings. # TRUE or FALSE (case-insensitive). jxta.desegment: TRUE # Enable to inspect UDP datagrams for JXTA messages. # TRUE or FALSE (case-insensitive). jxta.udp.heuristic: TRUE # Enable to inspect TCP connections for JXTA conversations. # TRUE or FALSE (case-insensitive). jxta.tcp.heuristic: TRUE # Enable to inspect SCTP connections for JXTA conversations. # TRUE or FALSE (case-insensitive). jxta.sctp.heuristic: FALSE # K12 module configuration filename # A string. k12.config: # Whether the Kerberos dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). kerberos.desegment: TRUE # Whether the dissector should try to decrypt encrypted Kerberos blobs. This requires that the proper keytab file is installed as well. # TRUE or FALSE (case-insensitive). kerberos.decrypt: FALSE # The keytab file containing all the secrets # A string. kerberos.file: insert filename here # Set the port for Kismet Client/Server messages (if other than the default of 2501) # A decimal number. kismet.tcp.port: 2501 # Whether the Kpasswd dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). kpasswd.desegment: TRUE # L2TPv3 Cookie Size # One of: None, 4 Byte Cookie, 8 Byte Cookie # (case-insensitive). l2tp.cookie_size: 4 Byte Cookie # L2TPv3 L2-Specific Sublayer # One of: None, Default L2-Specific, ATM-Specific # (case-insensitive). l2tp.l2_specific: Default L2-Specific # Decode L2TPv3 packet contents as this protocol # One of: Ethernet, Cisco HDLC, Frame Relay, PPP, IP, MPLS, AAL5 # (case-insensitive). l2tp.protocol: Cisco HDLC # Whether the Laplink dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). laplink.desegment_laplink_over_tcp: TRUE # Whether the LDAP dissector should reassemble messages spanning multiple TCP segments.To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). ldap.desegment_ldap_messages: TRUE # Set the port for LDAP operations # A decimal number. ldap.tcp.port: 389 # Set the TCP port for messages (if other than the default of 646) # A decimal number. ldp.tcp.port: 646 # Set the UDP port for messages (if other than the default of 646) # A decimal number. ldp.udp.port: 646 # Whether the LDP dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). ldp.desegment_ldp_messages: TRUE # Set UDP port for LGE Monitor messages # A decimal number. lge_monitor.udp.port: 0 # Whether to autodetect the cipher bit (because it might be set on unciphered data) # TRUE or FALSE (case-insensitive). llcgprs.autodetect_cipher_bit: FALSE # Dissect this ethertype as LLT traffic in addition to the default, 0xCAFE. # A hexadecimal number. llt.alternate_ethertype: 0 # UDP port number to use for LMP # A decimal number. lmp.udp_port: 701 # Set the TCP or UDP port for Pegasus LSC messages # A decimal number. lsc.port: 0 # Swap frame control bytes (needed for some APs # TRUE or FALSE (case-insensitive). lwapp.swap_fc: FALSE # Set the UDP port for lwres daemon(if other than the default of 921) # A decimal number. lwres.udp.lwres_port: 921 # Version used by Wireshark # One of: Internet Draft version 2, Internet Draft version 8, Internet Draft version 12 # (case-insensitive). m2pa.version: Internet Draft version 12 # Set the port for M2PA messages (Default of 3565) # A decimal number. m2pa.port: 3565 # The value of the parameter tag for protocol data 1 # One of: 0x000e (Draft 7), 0x0300 (RFC3331) # (case-insensitive). m2ua.protocol_data_1_tag: 0x0300 (RFC3331) # Version used by Wireshark # One of: Internet Draft version 5, Internet Draft version 6, Internet Draft version 7, RFC 3332 # (case-insensitive). m3ua.version: RFC 3332 # Whether the dissector should decrypt MAPI PDUs # TRUE or FALSE (case-insensitive). mapi.decrypt: FALSE # The name of the file containing the mate module's configuration # A string. mate.config: # A frame is considered for decoding as MDSHDR if either ethertype is 0xFCFC or zero. Turn this flag off if you you don't want ethertype zero to be decoded as MDSHDR. This might be useful to avoid problems with test frames. # TRUE or FALSE (case-insensitive). mdshdr.decode_if_etype_zero: TRUE # Set the TCP port for MEGACO text messages # A decimal number. megaco.tcp.txt_port: 2944 # Set the UDP port for MEGACO text messages # A decimal number. megaco.udp.txt_port: 2944 # Specifies that the raw text of the MEGACO message should be displayed instead of (or in addition to) the dissection tree # TRUE or FALSE (case-insensitive). megaco.display_raw_text: TRUE # Specifies that the dissection tree of the MEGACO message should be displayed instead of (or in addition to) the raw text # TRUE or FALSE (case-insensitive). megaco.display_dissect_tree: TRUE # Set the UDP port for gateway messages (if other than the default of 2427) # A decimal number. mgcp.tcp.gateway_port: 2427 # Set the TCP port for gateway messages (if other than the default of 2427) # A decimal number. mgcp.udp.gateway_port: 2427 # Set the TCP port for callagent messages (if other than the default of 2727) # A decimal number. mgcp.tcp.callagent_port: 2727 # Set the UDP port for callagent messages (if other than the default of 2727) # A decimal number. mgcp.udp.callagent_port: 2727 # Specifies that the raw text of the MGCP message should be displayed instead of (or in addition to) the dissection tree # TRUE or FALSE (case-insensitive). mgcp.display_raw_text: FALSE # Display the number of MGCP messages found in a packet in the protocol column. # TRUE or FALSE (case-insensitive). mgcp.display_mgcp_message_count: FALSE # Display multipart bodies with no media type dissector as raw text (may cause problems with binary data). # TRUE or FALSE (case-insensitive). mime_multipart.display_unknown_body_as_text: FALSE # Set the UDP port for messages (if other than the default of 3503) # A decimal number. mpls-echo.udp.port: 3503 # Whether the MQ dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). mq.desegment: TRUE # Whether the MQ dissector should reassemble MQ messages spanning multiple TSH segments # TRUE or FALSE (case-insensitive). mq.reassembly: TRUE # Specifies that the raw text of the MSRP message should be displayed in addition to the dissection tree # TRUE or FALSE (case-insensitive). msrp.display_raw_text: TRUE # Where available, show which protocol and frame caused this MSRP stream to be created # TRUE or FALSE (case-insensitive). msrp.show_setup_info: TRUE # Whether the MTP2 dissector should use extended sequence numbers as described in Q.703, Annex A as a default. # TRUE or FALSE (case-insensitive). mtp2.use_extended_sequence_numbers: FALSE # The SS7 standard used in MTP3 packets # One of: ITU, ANSI, Chinese ITU, Japan # (case-insensitive). mtp3.standard: ITU # The structure of the pointcodes in ITU networks # One of: Unstructured, 3-8-3, 4-3-4-3 # (case-insensitive). mtp3.itu_pc_structure: Unstructured # The structure of the pointcodes in Japan networks # One of: Unstructured, 7-4-5, 3-4-4-5 # (case-insensitive). mtp3.japan_pc_structure: Unstructured # Use 5-bit (instead of 8-bit) SLS in ANSI MTP3 packets # TRUE or FALSE (case-insensitive). mtp3.ansi_5_bit_sls: FALSE # Use 5-bit (instead of 4-bit) SLS in Japan MTP3 packets # TRUE or FALSE (case-insensitive). mtp3.japan_5_bit_sls: FALSE # Format for point code in the address columns # One of: Decimal, Hexadecimal, NI-Decimal, NI-Hexadecimal, Dashed # (case-insensitive). mtp3.addr_format: Dashed # Whether the MySQL dissector should reassemble MySQL buffers spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). mysql.desegment_buffers: TRUE # Whether the NBD dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings # TRUE or FALSE (case-insensitive). nbd.desegment_nbd_messages: TRUE # Whether the NBSS dissector should reassemble packets spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). nbss.desegment_nbss_commands: TRUE # Whether the NCP dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). ncp.desegment: TRUE # Whether the NCP dissector should defragment NDS messages spanning multiple reply packets. # TRUE or FALSE (case-insensitive). ncp.defragment_nds: TRUE # Dissect the NetWare Information Structure as NetWare 5.x or higher or as older NetWare 3.x. # TRUE or FALSE (case-insensitive). ncp.newstyle: TRUE # Whether the NCP dissector should echo the NDS Entry ID to name resolves to the expert table. # TRUE or FALSE (case-insensitive). ncp.eid_2_expert: TRUE # Whether the NCP dissector should echo NCP connection information to the expert table. # TRUE or FALSE (case-insensitive). ncp.connection_2_expert: FALSE # Whether the NCP dissector should echo protocol errors to the expert table. # TRUE or FALSE (case-insensitive). ncp.error_2_expert: TRUE # Whether the NCP dissector should echo server information to the expert table. # TRUE or FALSE (case-insensitive). ncp.server_2_expert: TRUE # Whether the NCP dissector should echo file open/close/oplock information to the expert table. # TRUE or FALSE (case-insensitive). ncp.file_2_expert: FALSE # Version of the NDMP protocol to assume if the version can not be automatically detected from the capture # One of: Version 2, Version 3, Version 4, Version 5 # (case-insensitive). ndmp.default_protocol_version: Version 4 # Whether the NDMP dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). ndmp.desegment: TRUE # Whether the dissector should defragment NDMP messages spanning multiple packets. # TRUE or FALSE (case-insensitive). ndmp.defragment: TRUE # Whether the NDPS dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). ndps.desegment_tcp: TRUE # Whether the NDPS dissector should reassemble fragmented NDPS messages spanning multiple SPX packets # TRUE or FALSE (case-insensitive). ndps.desegment_spx: TRUE # Whether or not the NDPS dissector should show object id's and other details # TRUE or FALSE (case-insensitive). ndps.show_oid: FALSE # Whether the NetBIOS dissector should defragment messages spanning multiple frames # TRUE or FALSE (case-insensitive). netbios.defragment: TRUE # The TCP port on which Monotone Netsync packets will be sent # A decimal number. netsync.tcp_port: 5253 # Whether the Netsync dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). netsync.desegment_netsync_messages: TRUE # Always dissect this port's traffic as newmail notifications. Additional ports will be dynamically registered as they are seen in MAPI register push notification packets. # A decimal number. newmail.default_port: 0 # Whether the dissector should snoop the FH to filename mappings by looking inside certain packets # TRUE or FALSE (case-insensitive). nfs.file_name_snooping: FALSE # Whether the dissector should snoop the full pathname for files for matching FH's # TRUE or FALSE (case-insensitive). nfs.file_full_name_snooping: FALSE # With this option display filters for nfs fhandles (nfs.fh.{name|full_name|hash}) will find both the request and response packets for a RPC call, even if the actual fhandle is only present in one of the packets # TRUE or FALSE (case-insensitive). nfs.fhandle_find_both_reqrep: FALSE # Decode all NFS file handles as if they are of this type # One of: Unknown, SVR4, KNFSD_LE, NFSD_LE, KNFSD_NEW, ONTAP_V3, ONTAP_V4, ONTAP_GX_V3 # (case-insensitive). nfs.default_fhandle_type: Unknown # Whether the dissector will track and match MSG and RES calls for asynchronous NLM # TRUE or FALSE (case-insensitive). nlm.msg_res_matching: FALSE # Check this to decode NORM traffic between clients # TRUE or FALSE (case-insensitive). norm.heuristic_norm: FALSE # Set the first UDP port # A decimal number. nsip.udp.port1: 2157 # Set the second UDP port # A decimal number. nsip.udp.port2: 19999 # NT Password (used to decrypt payloads) # A string. ntlmssp.nt_password: # Whether the OPSI dissector should desegment all messages spanning multiple TCP segments # TRUE or FALSE (case-insensitive). opsi.desegment_opsi_messages: TRUE # TCP port for OSI over TPKT # A decimal number. osi.tpkt_port: 8473 # Whether segmented TPKT datagrams should be reassembled # TRUE or FALSE (case-insensitive). osi.tpkt_reassemble: FALSE # Reassemble fragmented P_Mul packets # TRUE or FALSE (case-insensitive). p_mul.reassemble: TRUE # Type of content in Data_PDU # One of: No decoding, Compressed Data Type # (case-insensitive). p_mul.decode: No decoding # Used for transmission of Request_PDUs, Reject_PDUs and Release_PDUs betweenthe transmitters # A decimal number. p_mul.tport: 2751 # Used for transmission of Announce_PDUs to inform the receiver(s) # A decimal number. p_mul.rport: 2752 # Used for the data traffic from the transmitters to the receiver(s) # A decimal number. p_mul.dport: 2753 # Used for the data traffic from the receiver(s) to the transmitter # A decimal number. p_mul.aport: 2754 # The UDP port on which Packet Cable Lawful Intercept packets will be sent # A decimal number. pcli.udp_port: 9000 # Whether the dissector should put the internal PER data in the tree or if it should hide it # TRUE or FALSE (case-insensitive). per.display_internal_per_fields: FALSE # Whether to check the validity of the PGM checksum # TRUE or FALSE (case-insensitive). pgm.check_checksum: TRUE # PGM Encap is PGM packets encapsulated in UDP packets (Note: This option is off, i.e. port is 0, by default) # A decimal number. pgm.udp.encap_ucast_port: 0 # PGM Encap is PGM packets encapsulated in UDP packets (Note: This option is off, i.e. port is 0, by default) # A decimal number. pgm.udp.encap_mcast_port: 0 # Set the port for PGSQL messages (if different from the default of 5432) # A decimal number. pgsql.tcp.port: 5432 # Decode packets on this UDP port as PacketCable CCC # A decimal number. pkt_ccc.udp_port: 0 # Whether the PN-RT summary line should be shown in the protocol tree # TRUE or FALSE (case-insensitive). pn_rt.summary_in_tree: TRUE # The type of PPP frame checksum (none, 16-bit, 32-bit) # One of: None, 16-Bit, 32-Bit # (case-insensitive). ppp.fcs_type: None # Whether Van Jacobson-compressed PPP frames should be decompressed # TRUE or FALSE (case-insensitive). ppp.decompress_vj: TRUE # Default Protocol ID to be used for PPPMuxCP # A hexadecimal number. ppp.default_proto_id: 0 # Show values of tags and lengths of data fields # TRUE or FALSE (case-insensitive). pppoed.show_tags_and_lengths: FALSE # Whether the PVFS dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). pvfs.desegment: TRUE # Whether the Q.931 dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). q931.desegment_h323_messages: TRUE # Reassemble segmented Q.931 messages (Q.931 - Annex H) # TRUE or FALSE (case-insensitive). q931.reassembly: TRUE # Set the UDP port for the Quake Server # A decimal number. quake.udp.port: 26000 # Set the UDP port for the Quake II Server # A decimal number. quake2.udp.port: 27910 # Set the UDP base port for the Quake III Arena Server # A decimal number. quake3.udp.arena_port: 27960 # Set the UDP base port for the Quake III Arena Master Server # A decimal number. quake3.udp.master_port: 27950 # Set the UDP port for the QuakeWorld Server # A decimal number. quakeworld.udp.port: 27500 # Shared secret used to decode User Passwords # A string. radius.shared_secret: # Whether to add or not to the tree the AVP's payload length # TRUE or FALSE (case-insensitive). radius.show_length: FALSE # An alternate UDP port to decode as RADIUS # A decimal number. radius.alternate_port: 0 # Where available, show which protocol and frame caused this RDT stream to be created # TRUE or FALSE (case-insensitive). rdt.show_setup_info: TRUE # Register a client UDP port for RDT traffic # TRUE or FALSE (case-insensitive). rdt.register_udp_port: FALSE # Set the UDP port for clients # A decimal number. rdt.default_udp_port: 6970 # Whether the RPC dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). rpc.desegment_rpc_over_tcp: TRUE # Whether the RPC dissector should defragment RPC-over-TCP messages. # TRUE or FALSE (case-insensitive). rpc.defragment_rpc_over_tcp: TRUE # Set the maximum size of RPCoverTCP PDUs. If the size field of the record marker is larger than this value it will not be considered a valid RPC PDU. # A decimal number. rpc.max_tcp_pdu_size: 262144 # Whether the RPC dissector should attempt to dissect RPC PDUs containing programs that are not known to Wireshark. This will make the heuristics significantly weaker and elevate the risk for falsely identifying and misdissecting packets significantly. # TRUE or FALSE (case-insensitive). rpc.dissect_unknown_programs: FALSE # Whether the RPC dissector should attempt to locate RPC PDU boundaries when initial fragment alignment is not known. This may cause false positives, or slow operation. # TRUE or FALSE (case-insensitive). rpc.find_fragment_start: FALSE # Specifies whether Wireshark should decode and display sub-messages within BUNDLE messages # TRUE or FALSE (case-insensitive). rsvp.process_bundle: TRUE # Set the TCP port for RSYNC messages # A decimal number. rsync.tcp_port: 873 # Whether the RSYNC dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). rsync.desegment: TRUE # Where available, show which protocol and frame caused this RTCP stream to be created # TRUE or FALSE (case-insensitive). rtcp.show_setup_info: TRUE # If call control SIP/H.323/RTSP/.. messages are missing in the trace, RTCP isn't decoded without this # TRUE or FALSE (case-insensitive). rtcp.heuristic_rtcp: FALSE # Try to work out network delay by comparing time between packets as captured and delays as seen by endpoint # TRUE or FALSE (case-insensitive). rtcp.show_roundtrip_calculation: FALSE # Minimum calculated roundtrip delay time in milliseconds that should be reported # A decimal number. rtcp.roundtrip_min_threshhold: 10 # Where available, show which protocol and frame caused this RTP stream to be created # TRUE or FALSE (case-insensitive). rtp.show_setup_info: TRUE # If call control SIP/H323/RTSP/.. messages are missing in the trace, RTP isn't decoded without this # TRUE or FALSE (case-insensitive). rtp.heuristic_rtp: FALSE # If an RTP version 0 packet is encountered, it can be treated as an invalid packet, a STUN packet, or a T.38 packet # One of: Invalid RTP packets, STUN packets, T.38 packets # (case-insensitive). rtp.version0_type: Invalid RTP packets # Payload Type for RFC2198 Redundant Audio Data # A decimal number. rtp.rfc2198_payload_type: 99 # This is the value of the Payload Type fieldthat specifies RTP Events # A decimal number. rtpevent.event_payload_type_value: 101 # Set the TCP port for RTSP messages # A decimal number. rtsp.tcp.port: 554 # Set the alternate TCP port for RTSP messages # A decimal number. rtsp.tcp.alternate_port: 8554 # Whether the RTSP dissector should reassemble headers of a request spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). rtsp.desegment_headers: TRUE # Whether the RTSP dissector should use the "Content-length:" value to desegment the body of a request spanning multiple TCP segments # TRUE or FALSE (case-insensitive). rtsp.desegment_body: TRUE # Set the UDP port for Reliable UDP traffic # A decimal number. rudp.udp.port: 0 # Whether the S5066 dissector should reassemble PDUs spanning multiple TCP segments. The default is to use reassembly. # TRUE or FALSE (case-insensitive). s5066.desegment_pdus: TRUE # Whether the S5066 dissector should dissect editon 1 of the STANAG. This editon was never formally approved and is very rare. The common edition is editon 1.2. # TRUE or FALSE (case-insensitive). s5066.edition_one: FALSE # Set the port for STANAG 5066. (If other than the default 5066. This number is registered with IANA.) # A decimal number. s5066.tcp.port: 5066 # NT Password (used to verify password changes) # A string. samr.nt_password: # The source point code (usually MSC) (to determine whether message is uplink or downlink) # A hexadecimal number. sccp.source_pc: 0 # Show parameter length in the protocol tree # TRUE or FALSE (case-insensitive). sccp.show_length: FALSE # Whether XUDT messages dshould be reassembled # TRUE or FALSE (case-insensitive). sccp.defragment_xudt: TRUE # When Target Cannot Be Identified, Decode SCSI Messages As # One of: Block Device, Sequential Device, Object Based Storage Device, Medium Changer Device, Multimedia Device # (case-insensitive). scsi.decode_scsi_messages_as: Block Device # Whether fragmented SCSI DATA IN/OUT transfers should be reassembled # TRUE or FALSE (case-insensitive). scsi.defragment: FALSE # Show source and destination port numbers in the protocol tree # TRUE or FALSE (case-insensitive). sctp.show_port_numbers_in_tree: TRUE # The type of checksum used in SCTP packets # One of: None, Adler 32, CRC 32c, Automatic # (case-insensitive). sctp.checksum: CRC 32c # Show always SCTP control chunks in the Info column # TRUE or FALSE (case-insensitive). sctp.show_always_control_chunks: TRUE # Try to decode a packet using an heuristic sub-dissector before using a sub-dissector registered to a specific port or PPI # TRUE or FALSE (case-insensitive). sctp.try_heuristic_first: FALSE # Specifies that RTP/RTCP/T.38/MSRP/etc streams are decoded based upon port numbers found in SIP/SDP payload # TRUE or FALSE (case-insensitive). sdp.establish_conversation: TRUE # Set UDP port 1 for SigComp messages # A decimal number. sigcomp.udp.port: 5555 # Set UDP port 2 for SigComp messages # A decimal number. sigcomp.udp.port2: 6666 # Set TCP port 1 for SigComp messages # A decimal number. sigcomp.tcp.port: 5555 # Set TCP port 2 for SigComp messages # A decimal number. sigcomp.tcp.port2: 6666 # Preference whether to Dissect the UDVM code or not # TRUE or FALSE (case-insensitive). sigcomp.display.udvm.code: TRUE # preference whether to display the bytecode in UDVM operands or not # TRUE or FALSE (case-insensitive). sigcomp.display.bytecode: FALSE # preference whether to decompress message or not # TRUE or FALSE (case-insensitive). sigcomp.decomp.msg: TRUE # preference whether to display the decompressed message as raw text or not # TRUE or FALSE (case-insensitive). sigcomp.display.decomp.msg.as.txt: FALSE # 0 = UDVM executes silently, then increasing detail about execution of UDVM instructions, Warning! CPU intense at high detail # One of: No-Printout, Low-detail, medium-detail, High-detail # (case-insensitive). sigcomp.show.udvm.execution: No-Printout # Specifies that the raw text of the SIP message should be displayed in addition to the dissection tree # TRUE or FALSE (case-insensitive). sip.display_raw_text: FALSE # If enabled, only SIP/2.0 traffic will be dissected as SIP. Disable it to allow SIP traffic with a different version to be dissected as SIP. # TRUE or FALSE (case-insensitive). sip.strict_sip_version: TRUE # Whether the SIP dissector should reassemble headers of a request spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). sip.desegment_headers: TRUE # Whether the SIP dissector should use the "Content-length:" value, if present, to reassemble the body of a request spanning multiple TCP segments, and reassemble chunked data spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). sip.desegment_body: TRUE # Whether the SCCP dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). skinny.desegment: TRUE # Whether the SoulSeek dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). slsk.desegment: TRUE # Whether the SoulSeek dissector should decompress all zlib compressed packets inside messages # TRUE or FALSE (case-insensitive). slsk.decompress: TRUE # Whether the dissector should reassemble the payload of SMB Transaction commands spanning multiple SMB PDUs # TRUE or FALSE (case-insensitive). smb.trans_reassembly: TRUE # Whether the dissector should reassemble DCERPC over SMB commands # TRUE or FALSE (case-insensitive). smb.dcerpc_reassembly: TRUE # Whether the dissector should snoop SMB and related CIFS protocols to discover and display Names associated with SIDs # TRUE or FALSE (case-insensitive). smb.sid_name_snooping: FALSE # Whether the SMPP dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). smpp.reassemble_smpp_over_tcp: TRUE # Whether the SMTP dissector should reassemble command and response lines spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). smtp.desegment_lines: TRUE # Whether fragmented BIUs should be reassembled # TRUE or FALSE (case-insensitive). sna.defragment: TRUE # Whether the SNMP OID should be shown in the info column # TRUE or FALSE (case-insensitive). snmp.display_oid: TRUE # List of MIB modules to load (the list is set to environment variable MIBS if the variable is not already set)The list must be separated by colons (:) on non-Windows systems and semicolons (;) on Windows systems # A string. snmp.mib_modules: IP-MIB:IF-MIB:TCP-MIB:UDP-MIB:SNMPv2-MIB:RFC1213-MIB:UCD-SNMP-MIB # Whether the SNMP dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). snmp.desegment: TRUE # ON - display dissected variables inside SNMP tree, OFF - display dissected variables in root tree after SNMP # TRUE or FALSE (case-insensitive). snmp.var_in_tree: TRUE # Whether the SRVLOC dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). srvloc.desegment_tcp: TRUE # Set the UDP port for SSCOP messages encapsulated in UDP (0 to disable) # A string denoting an positive integer range (e.g., "1-20,30-40"). sscop.udp.ports: # SSCOP payload (dissector to call on SSCOP payload) # One of: Data (no further dissection), Q.2931, SSCF-NNI (MTP3-b) # (case-insensitive). sscop.payload: Q.2931 # Whether the SSH dissector should reassemble SSH buffers spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). ssh.desegment_buffers: TRUE # Whether the SSL dissector should reassemble SSL records spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). ssl.desegment_ssl_records: TRUE # Whether the SSL dissector should reassemble SSL Application Data spanning multiple SSL records. # TRUE or FALSE (case-insensitive). ssl.desegment_ssl_application_data: TRUE # Semicolon-separated list of private RSA keys used for SSL decryption; each list entry must be in the form of <ip>,<port>,<protocol>,<key_file_name>. <key_file_name> is the local file name of the RSA private key used by the specified server (or name of the file containing such a list) # A string. ssl.keys_list: # redirect ssl debug to file name; leave empty to disable debug, use "-" to redirect output to stderr # A string. ssl.debug_file: # Version used by Wireshark # One of: Internet Draft version 08, RFC 3868 # (case-insensitive). sua.version: RFC 3868 # Whether the T.38 dissector should decode using the Pre-Corrigendum T.38 ASN.1 specification (1998). # TRUE or FALSE (case-insensitive). t38.use_pre_corrigendum_asn1_specification: TRUE # Whether a UDP packet that looks like RTP version 2 packet will be dissected as RTP packet or T.38 packet. If enabled there is a risk that T.38 UDPTL packets with sequence number higher than 32767 may be dissected as RTP. # TRUE or FALSE (case-insensitive). t38.dissect_possible_rtpv2_packets_as_rtp: FALSE # Set the TCP port for T.38 messages # A decimal number. t38.tcp.port: 6004 # Set the UDP port for T.38 messages # A decimal number. t38.udp.port: 6004 # Whether the dissector should reassemble T.38 PDUs spanning multiple TCP segments when TPKT is used over TCP. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). t38.reassembly: TRUE # Whether T.38 is used with TPKT for TCP # One of: Never, Always, Maybe # (case-insensitive). t38.tpkt_usage: Maybe # Where available, show which protocol and frame caused this T.38 stream to be created # TRUE or FALSE (case-insensitive). t38.show_setup_info: TRUE # TACACS+ Encryption Key # A string. tacplus.key: # Whether the TALI dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). tali.reassemble: TRUE # SCCP (and SUA) SSNs to decode as TCAP # A string denoting an positive integer range (e.g., "1-20,30-40"). tcap.ssn: # Activate the analyse for Response Time # TRUE or FALSE (case-insensitive). tcap.srt: FALSE # Statistics for Response Time # TRUE or FALSE (case-insensitive). tcap.persistentsrt: FALSE # Maximal delay for message repetion # A decimal number. tcap.repetitiontimeout: 10 # Maximal delay for message lost # A decimal number. tcap.losttimeout: 30 # Whether the TCP summary line should be shown in the protocol tree # TRUE or FALSE (case-insensitive). tcp.summary_in_tree: TRUE # Whether to validate the TCP checksum # TRUE or FALSE (case-insensitive). tcp.check_checksum: TRUE # Whether subdissector can request TCP streams to be reassembled # TRUE or FALSE (case-insensitive). tcp.desegment_tcp_streams: TRUE # Make the TCP dissector analyze TCP sequence numbers to find and flag segment retransmissions, missing segments and RTT # TRUE or FALSE (case-insensitive). tcp.analyze_sequence_numbers: TRUE # Make the TCP dissector use relative sequence numbers instead of absolute ones. To use this option you must also enable "Analyze TCP sequence numbers". This option will also try to track and adjust the window field according to any TCP window scaling options seen. # TRUE or FALSE (case-insensitive). tcp.relative_sequence_numbers: TRUE # Try to decode a packet using an heuristic sub-dissector before using a sub-dissector registered to a specific port # TRUE or FALSE (case-insensitive). tcp.try_heuristic_first: FALSE # Whether the TDS dissector should reassemble TDS buffers spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). tds.desegment_buffers: TRUE # Whether the TDS dissector should defragment messages spanning multiple Netlib buffers # TRUE or FALSE (case-insensitive). tds.defragment: TRUE # Hint as to version of TDS protocol being decoded # One of: Not Specified, TDS 4, TDS 5, TDS 7, TDS 8 # (case-insensitive). tds.protocol_type: Not Specified # Hint as to whether to decode TDS protocol as little-endian or big-endian. (TDS7/8 always decoded as little-endian) # One of: Little Endian, Big Endian # (case-insensitive). tds.endian_type: Little Endian # Additional TCP ports to decode as TDS # A string denoting an positive integer range (e.g., "1-20,30-40"). tds.tcp_ports: # Check this to decode IPv6 traffic between Teredo clients and relays # TRUE or FALSE (case-insensitive). teredo.heuristic_teredo: FALSE # Whether TIPCv1 SEGMENTATION_MANAGER datagrams should be reassembled # TRUE or FALSE (case-insensitive). tipc.defragment: TRUE # Whether to try to dissect TIPC data or not # TRUE or FALSE (case-insensitive). tipc.dissect_tipc_data: FALSE # Whether the TNS dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). tns.desegment_tns_messages: TRUE # Whether the TPKT dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). tpkt.desegment: TRUE # Whether Linux mangling of the link-layer header should be checked for and worked around # TRUE or FALSE (case-insensitive). tr.fix_linux_botches: FALSE # Whether the UCP dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). ucp.desegment_ucp_messages: TRUE # Whether the UDP summary line should be shown in the protocol tree # TRUE or FALSE (case-insensitive). udp.summary_in_tree: TRUE # Try to decode a packet using an heuristic sub-dissector before using a sub-dissector registered to a specific port # TRUE or FALSE (case-insensitive). udp.try_heuristic_first: FALSE # Whether to validate the UDP checksum # TRUE or FALSE (case-insensitive). udp.check_checksum: TRUE # Ignore an invalid checksum coverage field and continue dissection # TRUE or FALSE (case-insensitive). udplite.ignore_checksum_coverage: TRUE # Whether to validate the UDPlite checksum # TRUE or FALSE (case-insensitive). udplite.check_checksum: TRUE # Whether the ULP dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). ulp.desegment_ulp_messages: TRUE # Set the TCP port for Ulp messages(IANA registerd port is 7275) # A decimal number. ulp.tcp.port: 7275 # Whether the UMA dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). uma.desegment_ucp_messages: TRUE # Set the TCP port1 for Unlicensed Mobile Access messages # A decimal number. uma.tcp.port1: 14001 # Data Link Type # One of: Disabled, User 0 (DLT=147 WTAP_ENCAP=45), User 1 (DLT=148 WTAP_ENCAP=46), User 2 (DLT=149 WTAP_ENCAP=47), User 3 (DLT=150 WTAP_ENCAP=48), User 4 (DLT=151 WTAP_ENCAP=49), User 5 (DLT=152 WTAP_ENCAP=50), User 6 (DLT=153 WTAP_ENCAP=51), User 7 (DLT=154 WTAP_ENCAP=52), User 8 (DLT=155 WTAP_ENCAP=53), User 9 (DLT=156 WTAP_ENCAP=54), User 10 (DLT=157 WTAP_ENCAP=55), User 11 (DLT=158 WTAP_ENCAP=56), User 12 (DLT=159 WTAP_ENCAP=57), User 13 (DLT=160 WTAP_ENCAP=58), User 14 (DLT=161 WTAP_ENCAP=59), User 15 (DLT=162 WTAP_ENCAP=60) # (case-insensitive). user_dlt_a.dlt: Disabled # # One of: No encpsulation, SSCOP # (case-insensitive). user_dlt_a.special_encap: No encpsulation # Payload # A string. user_dlt_a.payload: # The size (in octets) of the Header # A decimal number. user_dlt_a.header_size: 0 # The size (in octets) of the Trailer # A decimal number. user_dlt_a.trailer_size: 0 # Header Protocol (used only when ecapsulation is not given) # A string. user_dlt_a.header_proto: # Trailer Protocol (used only when ecapsulation is not given) # A string. user_dlt_a.trailer_proto: # Data Link Type # One of: Disabled, User 0 (DLT=147 WTAP_ENCAP=45), User 1 (DLT=148 WTAP_ENCAP=46), User 2 (DLT=149 WTAP_ENCAP=47), User 3 (DLT=150 WTAP_ENCAP=48), User 4 (DLT=151 WTAP_ENCAP=49), User 5 (DLT=152 WTAP_ENCAP=50), User 6 (DLT=153 WTAP_ENCAP=51), User 7 (DLT=154 WTAP_ENCAP=52), User 8 (DLT=155 WTAP_ENCAP=53), User 9 (DLT=156 WTAP_ENCAP=54), User 10 (DLT=157 WTAP_ENCAP=55), User 11 (DLT=158 WTAP_ENCAP=56), User 12 (DLT=159 WTAP_ENCAP=57), User 13 (DLT=160 WTAP_ENCAP=58), User 14 (DLT=161 WTAP_ENCAP=59), User 15 (DLT=162 WTAP_ENCAP=60) # (case-insensitive). user_dlt_b.dlt: Disabled # # One of: No encpsulation, SSCOP # (case-insensitive). user_dlt_b.special_encap: No encpsulation # Payload # A string. user_dlt_b.payload: # The size (in octets) of the Header # A decimal number. user_dlt_b.header_size: 0 # The size (in octets) of the Trailer # A decimal number. user_dlt_b.trailer_size: 0 # Header Protocol (used only when ecapsulation is not given) # A string. user_dlt_b.header_proto: # Trailer Protocol (used only when ecapsulation is not given) # A string. user_dlt_b.trailer_proto: # Data Link Type # One of: Disabled, User 0 (DLT=147 WTAP_ENCAP=45), User 1 (DLT=148 WTAP_ENCAP=46), User 2 (DLT=149 WTAP_ENCAP=47), User 3 (DLT=150 WTAP_ENCAP=48), User 4 (DLT=151 WTAP_ENCAP=49), User 5 (DLT=152 WTAP_ENCAP=50), User 6 (DLT=153 WTAP_ENCAP=51), User 7 (DLT=154 WTAP_ENCAP=52), User 8 (DLT=155 WTAP_ENCAP=53), User 9 (DLT=156 WTAP_ENCAP=54), User 10 (DLT=157 WTAP_ENCAP=55), User 11 (DLT=158 WTAP_ENCAP=56), User 12 (DLT=159 WTAP_ENCAP=57), User 13 (DLT=160 WTAP_ENCAP=58), User 14 (DLT=161 WTAP_ENCAP=59), User 15 (DLT=162 WTAP_ENCAP=60) # (case-insensitive). user_dlt_c.dlt: Disabled # # One of: No encpsulation, SSCOP # (case-insensitive). user_dlt_c.special_encap: No encpsulation # Payload # A string. user_dlt_c.payload: # The size (in octets) of the Header # A decimal number. user_dlt_c.header_size: 0 # The size (in octets) of the Trailer # A decimal number. user_dlt_c.trailer_size: 0 # Header Protocol (used only when ecapsulation is not given) # A string. user_dlt_c.header_proto: # Trailer Protocol (used only when ecapsulation is not given) # A string. user_dlt_c.trailer_proto: # Data Link Type # One of: Disabled, User 0 (DLT=147 WTAP_ENCAP=45), User 1 (DLT=148 WTAP_ENCAP=46), User 2 (DLT=149 WTAP_ENCAP=47), User 3 (DLT=150 WTAP_ENCAP=48), User 4 (DLT=151 WTAP_ENCAP=49), User 5 (DLT=152 WTAP_ENCAP=50), User 6 (DLT=153 WTAP_ENCAP=51), User 7 (DLT=154 WTAP_ENCAP=52), User 8 (DLT=155 WTAP_ENCAP=53), User 9 (DLT=156 WTAP_ENCAP=54), User 10 (DLT=157 WTAP_ENCAP=55), User 11 (DLT=158 WTAP_ENCAP=56), User 12 (DLT=159 WTAP_ENCAP=57), User 13 (DLT=160 WTAP_ENCAP=58), User 14 (DLT=161 WTAP_ENCAP=59), User 15 (DLT=162 WTAP_ENCAP=60) # (case-insensitive). user_dlt_d.dlt: Disabled # # One of: No encpsulation, SSCOP # (case-insensitive). user_dlt_d.special_encap: No encpsulation # Payload # A string. user_dlt_d.payload: # The size (in octets) of the Header # A decimal number. user_dlt_d.header_size: 0 # The size (in octets) of the Trailer # A decimal number. user_dlt_d.trailer_size: 0 # Header Protocol (used only when ecapsulation is not given) # A string. user_dlt_d.header_proto: # Trailer Protocol (used only when ecapsulation is not given) # A string. user_dlt_d.trailer_proto: # The Ethertype used to indicate 802.1QinQ VLAN in VLAN tunneling. # A hexadecimal number. vlan.qinq_ethertype: 0x9100 # To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). vnc.desegment: TRUE # Decode this port's traffic as VNC in addition to the default ports (5500, 5501, 5900, 5901) # A decimal number. vnc.alternate_port: 0 # Enable this preference if you want to view the WBXML tokens without the representation in a media type (e.g., WML). Tokens will show up as Tag_0x12, attrStart_0x08 or attrValue_0x0B for example. # TRUE or FALSE (case-insensitive). wbxml.skip_wbxml_token_mapping: FALSE # Enable this preference if you want to skip the parsing of the WBXML tokens that constitute the body of the WBXML document. Only the WBXML header will be dissected (and visualized) then. # TRUE or FALSE (case-insensitive). wbxml.disable_wbxml_token_parsing: FALSE # Whether the WINS-Replication dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). winsrepl.reassemble: TRUE # Whether fragmented 802.11 datagrams should be reassembled # TRUE or FALSE (case-insensitive). wlan.defragment: TRUE # Some 802.11 cards include the FCS at the end of a packet, others do not. # TRUE or FALSE (case-insensitive). wlan.check_fcs: FALSE # Some 802.11 cards leave the Protection bit set even though the packet is decrypted. # TRUE or FALSE (case-insensitive). wlan.ignore_wep: FALSE # Enable WEP decryption # TRUE or FALSE (case-insensitive). wlan.enable_decryption: TRUE # This is just a static text # WEP key #1 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key1: fecafeca01 # WEP key #2 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key2: f000f000f0 # WEP key #3 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key3: # WEP key #4 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key4: # WEP key #5 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key5: # WEP key #6 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key6: # WEP key #7 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key7: # WEP key #8 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key8: # WEP key #9 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key9: # WEP key #10 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key10: # WEP key #11 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key11: # WEP key #12 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key12: # WEP key #13 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key13: # WEP key #14 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key14: # WEP key #15 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key15: # WEP key #16 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key16: # WEP key #17 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key17: # WEP key #18 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key18: # WEP key #19 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key19: # WEP key #20 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key20: # WEP key #21 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key21: # WEP key #22 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key22: # WEP key #23 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key23: # WEP key #24 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key24: # WEP key #25 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key25: # WEP key #26 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key26: # WEP key #27 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key27: # WEP key #28 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key28: # WEP key #29 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key29: # WEP key #30 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key30: # WEP key #31 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key31: # WEP key #32 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key32: # WEP key #33 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key33: # WEP key #34 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key34: # WEP key #35 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key35: # WEP key #36 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key36: # WEP key #37 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key37: # WEP key #38 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key38: # WEP key #39 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key39: # WEP key #40 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key40: # WEP key #41 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key41: # WEP key #42 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key42: # WEP key #43 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key43: # WEP key #44 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key44: # WEP key #45 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key45: # WEP key #46 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key46: # WEP key #47 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key47: # WEP key #48 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key48: # WEP key #49 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key49: # WEP key #50 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key50: # WEP key #51 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key51: # WEP key #52 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key52: # WEP key #53 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key53: # WEP key #54 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key54: # WEP key #55 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key55: # WEP key #56 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key56: # WEP key #57 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key57: # WEP key #58 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key58: # WEP key #59 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key59: # WEP key #60 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key60: # WEP key #61 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key61: # WEP key #62 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key62: # WEP key #63 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key63: # WEP key #64 bytes in hexadecimal (A:B:C:D:E) [40bit], (A:B:C:D:E:F:G:H:I:J:K:L:M) [104bit], or whatever key length you're using # A string. wlan.wep_key64: # If CALL REQUEST not seen or didn't specify protocol, dissect as QLLC/SNA # TRUE or FALSE (case-insensitive). x.25.payload_is_qllc_sna: FALSE # Reassemble fragmented X.25 packets # TRUE or FALSE (case-insensitive). x.25.reassemble: TRUE # Whether the X11 dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). x11.desegment: TRUE # Try to recognize XML for unknown media types # TRUE or FALSE (case-insensitive). xml.heuristic: FALSE # Whether the X.25-over-TCP dissector should reassemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). xot.desegment: TRUE # Whether the YMSG dissector should reasssemble messages spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings. # TRUE or FALSE (case-insensitive). ymsg.desegment: TRUE
Index: packet-ipsec.c
===================================================================
--- packet-ipsec.c (r�vision 20179)
+++ packet-ipsec.c (copie de travail)
@@ -43,6 +43,7 @@
- Add ESP Payload Decryption support for the following Encryption Algorithms :
BLOWFISH-CBC : keylen 128 bits.
TWOFISH-CBC : keylen 128/256 bits.
+CAST5-CBC [draft-ietf-ipsec-ciph-cast-div-00:The ESP CAST5-128-CBC Transform] : keylen 128
- Check ESP Authentication for the following Algorithms defined in RFC 4305:
@@ -54,7 +55,8 @@
AES-XCBC-MAC-96 [RFC3566] : Not available because no implementation found.
- Add ESP Authentication checking for the following Authentication Algorithm :
-HMAC-SHA256 : any keylen
+HMAC-SHA256-96 : any keylen
+HMAC-RIPEMD160-96 [RFC2857] : any keylen
*/
@@ -75,13 +77,11 @@
#include <ctype.h>
-/* If you want to be able to decrypt or Check Authentication of ESP packets you MUST define this : */
-#ifdef HAVE_LIBGCRYPT
-
#ifdef _WIN32
#include <winposixtype.h>
#endif /* _WIN32 */
+#ifdef HAVE_LIBGCRYPT
#include <gcrypt.h>
#endif /* HAVE_LIBGCRYPT */
@@ -108,7 +108,7 @@
static dissector_table_t ip_dissector_table;
#ifdef HAVE_LIBGCRYPT
-/* Encryption algorithms defined in RFC 4305 */
+/* Encryption algorithms defined in RFC 4305 and others*/
#define IPSEC_ENCRYPT_NULL 0
#define IPSEC_ENCRYPT_3DES_CBC 1
#define IPSEC_ENCRYPT_AES_CBC 2
@@ -116,16 +116,29 @@
#define IPSEC_ENCRYPT_DES_CBC 4
#define IPSEC_ENCRYPT_BLOWFISH_CBC 5
#define IPSEC_ENCRYPT_TWOFISH_CBC 6
+#define IPSEC_ENCRYPT_CAST5_CBC 7
-/* Authentication algorithms defined in RFC 4305 */
+/* Authentication algorithms defined in RFC 4305 and others*/
#define IPSEC_AUTH_NULL 0
#define IPSEC_AUTH_HMAC_SHA1_96 1
-#define IPSEC_AUTH_HMAC_SHA256 2
+#define IPSEC_AUTH_HMAC_SHA256_96 2
#define IPSEC_AUTH_HMAC_MD5_96 3
+#define IPSEC_AUTH_HMAC_RIPEMD160_96 4
#define IPSEC_AUTH_ANY_12BYTES 5
/* define IPSEC_AUTH_AES_XCBC_MAC_96 6 */
#endif
+/* Cipher Mode Available */
+#define IPSEC_CRYPT_MODE_NONE 0
+#define IPSEC_CRYPT_MODE_CBC 1
+#define IPSEC_CRYPT_MODE_CTR 2
+
+/* Authentication Mode Available */
+#define IPSEC_AUTH_MODE_NONE 0
+#define IPSEC_AUTH_MODE_HMAC 1
+#define IPSEC_AUTH_MODE_CBC 2
+#define IPSEC_AUTH_MODE_XCBC 3
+
/* well-known algorithm number (in CPI), from RFC2409 */
#define IPCOMP_OUI 1 /* vendor specific */
#define IPCOMP_DEFLATE 2 /* RFC2394 */
@@ -191,6 +204,7 @@
static guint g_esp_nb_sa = IPSEC_NB_SA;
static guint g_max_esp_nb_sa = 100;
+/* Security Association */
typedef struct {
const gchar *sa;
gint typ;
@@ -206,14 +220,36 @@
gboolean is_valid;
} g_esp_sa;
+/* Security Association Database */
typedef struct {
gint nb;
g_esp_sa table[IPSEC_NB_SA];
} g_esp_sa_database;
+
+/* Encryption Session Context */
+/* These different fields will be to set in esp_create_ctxt with all new Algorithm */
+typedef struct {
+ gint crypt_algo; /* Encryption Algo Name */
+ guint crypt_mode; /* Encryption Algo Mode : IPSEC_CRYPT_MODE_CBC or IPSEC_CRYPT_MODE_CTR */
+ gchar *crypt_key; /* Encryption Key */
+ guint crypt_key_len; /* Encryption Key len */
+ guint crypt_block_size; /* Cipher Block size */
+ gint auth_algo; /* Authentication Algo Name */
+ guint auth_mode; /* Authentication Algo Mode : IPSEC_AUTH_MODE_XCBC/IPSEC_AUTH_MODE_CBC or IPSEC_AUTH_MODE_HMAC */
+ gchar *auth_key; /* Authentication key */
+ guint auth_key_len; /* Authentication key len */
+ guint auth_len; /* Authentication Field length */
+ guint iv_len; /* IV len (To set to 0 if none) */
+ guint8 *iv; /* IV */
+ guint ctr_len; /* Counter Len (To set to 0 if none) */
+ guint8 *ctr; /* Counter */
+ gint ctr_bc; /* Counter Block Value */
+} esp_ctxt;
+
+
static g_esp_sa_database g_esp_sad;
-
/* Default ESP payload decode to off */
static gboolean g_esp_enable_encryption_decode = FALSE;
@@ -222,9 +258,9 @@
#endif
/*
- Default ESP payload heuristic decode to off
- (only works if payload is NULL encrypted and ESP payload decode is off or payload is NULL encrypted
- and the packet does not match a Security Association).
+ Default ESP payload heuristic decode to off
+ (only works if payload is NULL encrypted and ESP payload decode is off or payload is NULL encrypted
+ and the packet does not match a Security Association).
*/
static gboolean g_esp_enable_null_encryption_decode_heuristic = FALSE;
@@ -237,16 +273,15 @@
-
/*
- Name : static int get_ipv6_suffix(char* ipv6_suffix, char *ipv6_address)
- Description : Get the extended IPv6 Suffix of an IPv6 Address
- Return : Return the number of char of the IPv6 address suffix parsed
- Params:
- - char *ipv6_address : the valid ipv6 address to parse in char *
- - char *ipv6_suffix : the ipv6 suffix associated in char *
+ Name : static int get_ipv6_suffix(char* ipv6_suffix, char *ipv6_address)
+ Description : Get the extended IPv6 Suffix of an IPv6 Address
+ Return : Return the number of char of the IPv6 address suffix parsed
+ Params:
+ - char *ipv6_address : the valid ipv6 address to parse in char *
+ - char *ipv6_suffix : the ipv6 suffix associated in char *
- ex: if IPv6 address is "3ffe::1" the IPv6 suffix will be "0001" and the function will return 3
+ ex: if IPv6 address is "3ffe::1" the IPv6 suffix will be "0001" and the function will return 3
*/
#ifdef HAVE_LIBGCRYPT
static int get_ipv6_suffix(char* ipv6_suffix, char *ipv6_address)
@@ -332,15 +367,15 @@
/*
- Name : static int get_full_ipv6_addr(char* ipv6_addr_expanded, char *ipv6_addr)
- Description : Get the extended IPv6 Address of an IPv6 Address
- Return : Return the remaining number of char of the IPv6 address parsed
- Params:
- - char *ipv6_addr : the valid ipv6 address to parse in char *
- - char *ipv6_addr_expansed : the expanded ipv6 address associated in char *
+ Name : static int get_full_ipv6_addr(char* ipv6_addr_expanded, char *ipv6_addr)
+ Description : Get the extended IPv6 Address of an IPv6 Address
+ Return : Return the remaining number of char of the IPv6 address parsed
+ Params:
+ - char *ipv6_addr : the valid ipv6 address to parse in char *
+ - char *ipv6_addr_expansed : the expanded ipv6 address associated in char *
- ex: if IPv6 address is "3ffe::1" the IPv6 expanded address will be "3FFE0000000000000000000000000001" and the function will return 0
- if IPV6 address is "3ffe::*" the IPv6 expanded address will be "3FFE000000000000000000000000****" and the function will return 0
+ ex: if IPv6 address is "3ffe::1" the IPv6 expanded address will be "3FFE0000000000000000000000000001" and the function will return 0
+ if IPV6 address is "3ffe::*" the IPv6 expanded address will be "3FFE000000000000000000000000****" and the function will return 0
*/
#ifdef HAVE_LIBGCRYPT
static int
@@ -399,15 +434,15 @@
/*
- Name : static gboolean get_full_ipv4_addr(char* ipv4_addr_expanded, char *ipv4_addr)
- Description : Get the extended IPv4 Address of an IPv4 Address
- Return : Return true if it can derive an IPv4 address. It does not mean that the previous one was valid.
- Params:
- - char *ipv4_addr : the valid ipv4 address to parse in char *
- - char *ipv4_addr_expansed : the expanded ipv4 address associated in char *
+ Name : static gboolean get_full_ipv4_addr(char* ipv4_addr_expanded, char *ipv4_addr)
+ Description : Get the extended IPv4 Address of an IPv4 Address
+ Return : Return true if it can derive an IPv4 address. It does not mean that the previous one was valid.
+ Params:
+ - char *ipv4_addr : the valid ipv4 address to parse in char *
+ - char *ipv4_addr_expansed : the expanded ipv4 address associated in char *
- ex: if IPv4 address is "190.*.*.1" the IPv4 expanded address will be "BE****01" and the function will return 0
- if IPv4 address is "*" the IPv4 expanded address will be "********" and the function will return 0
+ ex: if IPv4 address is "190.*.*.1" the IPv4 expanded address will be "BE****01" and the function will return 0
+ if IPv4 address is "*" the IPv4 expanded address will be "********" and the function will return 0
*/
#ifdef HAVE_LIBGCRYPT
static gboolean
@@ -520,14 +555,14 @@
/*
- Name : static gboolean esp_sa_parse_ipv6addr(const gchar *sa, guint index_start, gchar **pt_ipv6addr, guint *index_end)
- Description : Get the IPv6 address of a Security Association
- Return : Return true if it can get an address. It does not mean that the address is valid.
- Params:
- - char *sa : the Security Association in char *
- - guint index_start : the index to start to find the address
- - gchar **pt_ipv6addr : the address found. The Allocation is done here !
- - guint *index_end : the last index of the address
+ Name : static gboolean esp_sa_parse_ipv6addr(const gchar *sa, guint index_start, gchar **pt_ipv6addr, guint *index_end)
+ Description : Get the IPv6 address of a Security Association
+ Return : Return true if it can get an address. It does not mean that the address is valid.
+ Params:
+ - char *sa : the Security Association in char *
+ - guint index_start : the index to start to find the address
+ - gchar **pt_ipv6addr : the address found. The Allocation is done here !
+ - guint *index_end : the last index of the address
*/
#ifdef HAVE_LIBGCRYPT
static gboolean
@@ -573,14 +608,14 @@
/*
- Name : static gboolean esp_sa_parse_ipv4addr(const gchar *sa, guint index_start, gchar **pt_ipv4addr, guint *index_end)
- Description : Get the IPv4 address of a Security Association
- Return : Return true if it can get an address. It does not mean that the address is valid.
- Params:
- - char *sa : the Security Association in char *
- - guint index_start : the index to start to find the address
- - gchar **pt_ipv4addr : the address found. The Allocation is done here !
- - guint *index_end : the last index of the address
+ Name : static gboolean esp_sa_parse_ipv4addr(const gchar *sa, guint index_start, gchar **pt_ipv4addr, guint *index_end)
+ Description : Get the IPv4 address of a Security Association
+ Return : Return true if it can get an address. It does not mean that the address is valid.
+ Params:
+ - char *sa : the Security Association in char *
+ - guint index_start : the index to start to find the address
+ - gchar **pt_ipv4addr : the address found. The Allocation is done here !
+ - guint *index_end : the last index of the address
*/
#ifdef HAVE_LIBGCRYPT
static gboolean
@@ -626,14 +661,14 @@
/*
- Name : static gboolean esp_sa_parse_spi(const gchar *sa, guint index_start, gchar **pt_spi, guint *index_end)
- Description : Get the SPI of a Security Association
- Return : Return true if it can get a SPI. It does not mean that the SPI is valid.
- Params:
- - char *sa : the Security Association in char *
- - guint index_start : the index to start to find the spi
- - gchar **pt_spi : the spi found. The Allocation is done here !
- - guint *index_end : the last index of the address
+ Name : static gboolean esp_sa_parse_spi(const gchar *sa, guint index_start, gchar **pt_spi, guint *index_end)
+ Description : Get the SPI of a Security Association
+ Return : Return true if it can get a SPI. It does not mean that the SPI is valid.
+ Params:
+ - char *sa : the Security Association in char *
+ - guint index_start : the index to start to find the spi
+ - gchar **pt_spi : the spi found. The Allocation is done here !
+ - guint *index_end : the last index of the address
*/
#ifdef HAVE_LIBGCRYPT
static gboolean
@@ -682,14 +717,14 @@
/*
- Name : static gboolean esp_sa_parse_protocol_typ(const gchar *sa, guint index_start, gint *pt_protocol_typ, guint *index_end)
- Description : Get the Protocol Type of a Security Association
- Return : Return true if it can get a valid protocol type.
- Params:
- - char *sa : the Security Association in char *
- - guint index_start : the index to start to find the protocol type
- - gint *pt_protocol_typ : the protocol type found. Either IPv4 or IPv6 (IPSEC_SA_IPV4, IPSEC_SA_IPV6)
- - guint *index_end : the last index of the protocol type
+ Name : static gboolean esp_sa_parse_protocol_typ(const gchar *sa, guint index_start, gint *pt_protocol_typ, guint *index_end)
+ Description : Get the Protocol Type of a Security Association
+ Return : Return true if it can get a valid protocol type.
+ Params:
+ - char *sa : the Security Association in char *
+ - guint index_start : the index to start to find the protocol type
+ - gint *pt_protocol_typ : the protocol type found. Either IPv4 or IPv6 (IPSEC_SA_IPV4, IPSEC_SA_IPV6)
+ - guint *index_end : the last index of the protocol type
*/
#ifdef HAVE_LIBGCRYPT
static gboolean
@@ -699,7 +734,7 @@
*pt_protocol_typ = IPSEC_SA_UNKNOWN;
if((sa == NULL) || (strlen(&sa[index_start]) <= IPSEC_TYP_LEN) ||
- (sa[index_start + IPSEC_TYP_LEN] != IPSEC_SA_SEPARATOR))
+ (sa[index_start + IPSEC_TYP_LEN] != IPSEC_SA_SEPARATOR))
return FALSE;
if(g_strncasecmp(&sa[index_start], "IPV6", IPSEC_TYP_LEN) == 0)
@@ -720,21 +755,21 @@
*index_end = IPSEC_TYP_LEN + index_start + 1;
-/* g_warning("For %s returning %d, %c, %d", sa, *pt_protocol_typ, sa[*index_end], *index_end); */
+ /* g_warning("For %s returning %d, %c, %d", sa, *pt_protocol_typ, sa[*index_end], *index_end); */
return done_flag;
}
#endif
/*
- Name : static gboolean esp_sa_parse_addr_len(const gchar *sa, guint index_start, guint *len, guint *index_end)
- Description : Get the Address Length of an address (IPv4/IPv6)
- Return : Return true if it can get an Address Length. It does not mean that the length is valid
- Params:
- - char *sa : the Security Association in char *
- - guint index_start : the index to start to find the length
- - guint *len : the address length found. If none -1 is given.
- - guint *index_end : the last index of the address length in the SA
+ Name : static gboolean esp_sa_parse_addr_len(const gchar *sa, guint index_start, guint *len, guint *index_end)
+ Description : Get the Address Length of an address (IPv4/IPv6)
+ Return : Return true if it can get an Address Length. It does not mean that the length is valid
+ Params:
+ - char *sa : the Security Association in char *
+ - guint index_start : the index to start to find the length
+ - guint *len : the address length found. If none -1 is given.
+ - guint *index_end : the last index of the address length in the SA
*/
#ifdef HAVE_LIBGCRYPT
static gboolean
@@ -794,15 +829,15 @@
/*
- Name : esp_sa_remove_white(const gchar *sa, gchar **sa_bis)
- Description : Remote White Space in a SA
- Parse a Security Association and give the SA without space.
- There is no need to allocate memory before the call. All is done !
+ Name : esp_sa_remove_white(const gchar *sa, gchar **sa_bis)
+ Description : Remote White Space in a SA
+ Parse a Security Association and give the SA without space.
+ There is no need to allocate memory before the call. All is done !
- Return : Void
- Params:
- - char *sa : the Security Association in char *
- - char **sa_bis : the Security Association in char * without white space
+ Return : Void
+ Params:
+ - char *sa : the Security Association in char *
+ - char **sa_bis : the Security Association in char * without white space
*/
#ifdef HAVE_LIBGCRYPT
@@ -841,36 +876,36 @@
/*
- Name : static goolean esp_sa_parse_filter(const gchar *sa, gint *pt_protocol_typ, gchar **pt_src, gint *pt_src_len, gchar **pt_dst, gint *pt_dst_len, gchar **pt_spi)
- Description : Parse a Security Association.
- Parse a Security Association and give the correspondings parameter : SPI, Source, Destination, Source Length, Destination Length, Protocol Type
- There is no need to allocate memory before the call. All is done !
- If the SA is not correct FALSE is returned.
- This security association Must have the following format :
+ Name : static goolean esp_sa_parse_filter(const gchar *sa, gint *pt_protocol_typ, gchar **pt_src, gint *pt_src_len, gchar **pt_dst, gint *pt_dst_len, gchar **pt_spi)
+ Description : Parse a Security Association.
+ Parse a Security Association and give the correspondings parameter : SPI, Source, Destination, Source Length, Destination Length, Protocol Type
+ There is no need to allocate memory before the call. All is done !
+ If the SA is not correct FALSE is returned.
+ This security association Must have the following format :
- "Type/Source IPv6 or IPv4/Destination IPv6 or IPv4/SPI"
+ "Type/Source IPv6 or IPv4/Destination IPv6 or IPv4/SPI"
- Where Type is either IPv4 either IPv6
- - source And destination Must have a correct IPv6/IPv4 Address Format.
- - SPI is an integer on 4 bytes.
- Any element may use the following wildcard :
+ Where Type is either IPv4 either IPv6
+ - source And destination Must have a correct IPv6/IPv4 Address Format.
+ - SPI is an integer on 4 bytes.
+ Any element may use the following wildcard :
- "*" : for an IPv4 Address, it allows all bytes until the next ".". For IPv6 it is the same until the next ":".
- For SPI it allows any SPI.
+ "*" : for an IPv4 Address, it allows all bytes until the next ".". For IPv6 it is the same until the next ":".
+ For SPI it allows any SPI.
- ex:
- a) IPV4/131.254.200.* /131.254.*.123/ *
- b) IPv6/3ffe:*:1/2001::200:* / 456
+ ex:
+ a) IPV4/131.254.200.* /131.254.*.123/ *
+ b) IPv6/3ffe:*:1/2001::200:* / 456
- Return : Return true if the parsing is correct.
- Params:
- - char *sa : the Security Association in char *
- - gint *pt_protocol_typ : the protocol type
- - gchar **pt_src : the source address
- - gint *pt_src_len : the source address length
- - gchar **pt_dst : the destination address
- - gint *pt_dst_len : the destination address length
- - gchar **pt_spi : the spi of the SA
+ Return : Return true if the parsing is correct.
+ Params:
+ - char *sa : the Security Association in char *
+ - gint *pt_protocol_typ : the protocol type
+ - gchar **pt_src : the source address
+ - gint *pt_src_len : the source address length
+ - gchar **pt_dst : the destination address
+ - gint *pt_dst_len : the destination address length
+ - gchar **pt_spi : the spi of the SA
*/
#ifdef HAVE_LIBGCRYPT
static gboolean
@@ -1034,14 +1069,14 @@
/*
- Name : static goolean filter_address_match(gchar *address, gchar *filter, gint len, gint typ)
- Description : check the matching of an address with a filter
- Return : Return TRUE if the filter and the address match
- Params:
- - gchar *address : the address to check
- - gchar *filter : the filter
- - gint len : the len of the address that should match the filter
- - gint typ : the Address type : either IPv6 or IPv4 (IPSEC_SA_IPV6, IPSEC_SA_IPV4)
+ Name : static goolean filter_address_match(gchar *address, gchar *filter, gint len, gint typ)
+ Description : check the matching of an address with a filter
+ Return : Return TRUE if the filter and the address match
+ Params:
+ - gchar *address : the address to check
+ - gchar *filter : the filter
+ - gint len : the len of the address that should match the filter
+ - gint typ : the Address type : either IPv6 or IPv4 (IPSEC_SA_IPV6, IPSEC_SA_IPV4)
*/
#ifdef HAVE_LIBGCRYPT
static gboolean
@@ -1099,12 +1134,12 @@
/*
- Name : static goolean filter_spi_match(gchar *spi, gchar *filter)
- Description : check the matching of a spi with a filter
- Return : Return TRUE if the filter match the spi.
- Params:
- - gchar *spi : the spi to check
- - gchar *filter : the filter
+ Name : static goolean filter_spi_match(gchar *spi, gchar *filter)
+ Description : check the matching of a spi with a filter
+ Return : Return TRUE if the filter match the spi.
+ Params:
+ - gchar *spi : the spi to check
+ - gchar *filter : the filter
*/
#ifdef HAVE_LIBGCRYPT
static gboolean
@@ -1131,12 +1166,12 @@
/*
- Name : static gint compute_ascii_key(gchar **ascii_key, gchar *key)
- Description : Allocate memory for the key and transform the key if it is hexadecimal
- Return : Return the key length
- Params:
- - gchar **ascii_key : the resulting ascii key allocated here
- - gchar *key : the key to compute
+ Name : static gint compute_ascii_key(gchar **ascii_key, gchar *key)
+ Description : Allocate memory for the key and transform the key if it is hexadecimal
+ Return : Return the key length
+ Params:
+ - gchar **ascii_key : the resulting ascii key allocated here
+ - gchar *key : the key to compute
*/
#ifdef HAVE_LIBGCRYPT
static gint
@@ -1201,30 +1236,30 @@
/*
- Name : static goolean get_esp_sa(g_esp_sa_database *sad, gint protocol_typ, gchar *src, gchar *dst, gint spi,
- gint *entry_index
- gint *encryption_algo,
- gint *authentication_algo,
- gchar **encryption_key,
- guint *encryption_key_len,
- gchar **authentication_key,
- guint *authentication_key_len
+ Name : static goolean get_esp_sa(g_esp_sa_database *sad, gint protocol_typ, gchar *src, gchar *dst, gint spi,
+ gint *entry_index
+ gint *encryption_algo,
+ gint *authentication_algo,
+ gchar **encryption_key,
+ guint *encryption_key_len,
+ gchar **authentication_key,
+ guint *authentication_key_len
- Description : Give Encryption Algo, Key and Authentification Algo for a Packet if a corresponding SA is available in a Security Association database
- Return: If the SA is not present, FALSE is then returned.
- Params:
- - g_esp_sa_database *sad : the Security Association Database
- - gint *pt_protocol_typ : the protocol type
- - gchar *src : the source address
- - gchar *dst : the destination address
- - gchar *spi : the spi of the SA
- - gint *entry_index : the index of the SA that matches
- - gint *encryption_algo : the Encryption Algorithm to apply the packet
- - gint *authentication_algo : the Authentication Algorithm to apply to the packet
- - gchar **encryption_key : the Encryption Key to apply to the packet
- - guint *encryption_key_len : the Encryption Key length to apply to the packet
- - gchar **authentication_key : the Authentication Key to apply to the packet
- - guint *authentication_key_len : the Authentication Key len to apply to the packet
+ Description : Give Encryption Algo, Key and Authentification Algo for a Packet if a corresponding SA is available in a Security Association database
+ Return: If the SA is not present, FALSE is then returned.
+ Params:
+ - g_esp_sa_database *sad : the Security Association Database
+ - gint *pt_protocol_typ : the protocol type
+ - gchar *src : the source address
+ - gchar *dst : the destination address
+ - gchar *spi : the spi of the SA
+ - gint *entry_index : the index of the SA that matches
+ - gint *encryption_algo : the Encryption Algorithm to apply the packet
+ - gint *authentication_algo : the Authentication Algorithm to apply to the packet
+ - gchar **encryption_key : the Encryption Key to apply to the packet
+ - guint *encryption_key_len : the Encryption Key length to apply to the packet
+ - gchar **authentication_key : the Authentication Key to apply to the packet
+ - guint *authentication_key_len : the Authentication Key len to apply to the packet
*/
#ifdef HAVE_LIBGCRYPT
@@ -1255,8 +1290,8 @@
/* Debugging Purpose */
/*
- fprintf(stderr, "VALID SA => <SA : %s> <Filter Source : %s/%i> <Filter Destination : %s/%i> <SPI : %s>\n", g_esp_sad.table[i].sa, g_esp_sad.table[i].src, g_esp_sad.table[i].src_len,
- g_esp_sad.table[i].dst, g_esp_sad.table[i].dst_len, g_esp_sad.table[i].spi);
+ fprintf(stderr, "VALID SA => <SA : %s> <Filter Source : %s/%i> <Filter Destination : %s/%i> <SPI : %s>\n", g_esp_sad.table[i].sa, g_esp_sad.table[i].src, g_esp_sad.table[i].src_len,
+ g_esp_sad.table[i].dst, g_esp_sad.table[i].dst_len, g_esp_sad.table[i].spi);
*/
if((protocol_typ == sad -> table[i].typ)
@@ -1274,15 +1309,15 @@
/* Debugging Purpose */
/*
- fprintf(stderr,"MATCHING SA => <IP Source : %s> <IP Destination : %s> <SPI : %s>\n\
- => <FILTER Source : %s/%i> <FILTER Destination : %s/%i> <FILTER SPI : %s>\n\
- => <Encryption Algo : %i> <Encryption Key: %s> <Authentication Algo : %i>\n",
- src,dst,spi_string,
- sad -> table[i].src, sad -> table[i].src_len,
- sad -> table[i].dst, sad -> table[i].dst_len,
- sad -> table[i].spi,
- *encryption_algo, *encryption_key, *authentication_algo);
- */
+ fprintf(stderr,"MATCHING SA => <IP Source : %s> <IP Destination : %s> <SPI : %s>\n\
+ => <FILTER Source : %s/%i> <FILTER Destination : %s/%i> <FILTER SPI : %s>\n\
+ => <Encryption Algo : %i> <Encryption Key: %s> <Authentication Algo : %i>\n",
+ src,dst,spi_string,
+ sad -> table[i].src, sad -> table[i].src_len,
+ sad -> table[i].dst, sad -> table[i].dst_len,
+ sad -> table[i].spi,
+ *encryption_algo, *encryption_key, *authentication_algo);
+ */
}
/* We free the Src, Dst and Spi in the SA, but perhaps to allocate it again with the same value !!! */
@@ -1389,28 +1424,1023 @@
/* start of the new header (could be a extension header) */
return advance;
+
}
/*
- Name : dissect_esp_authentication(proto_tree *tree, tvbuff_t *tvb, gint len, gint esp_auth_len, guint8 *authenticator_data_computed,
- gboolean authentication_ok, gboolean authentication_checking_ok)
- Description : used to print Authenticator field when linked with libgcrypt. Print the expected authenticator value
- if requested and if it is wrong.
- Return : void
- Params:
- - proto_tree *tree : the current tree
- - tvbuff_t *tvb : the tvbuffer
- - gint len : length of the data availabale in tvbuff
- - gint esp_auth_len : size of authenticator field
- - guint8 *authenticator_data_computed : give the authenticator computed (only needed when authentication_ok and !authentication_checking_ok
- - gboolean authentication_ok : set to true if the authentication checking has been run successfully
- - gboolean authentication_checking_ok : set to true if the authentication was the one expected
+ Name : static guint8 * esp_aesctr_compute_counter(esp_ctxt *ctx)
+ Description : Return the counter for AES-CTR.
+ Return : Return the counter for AES-CTR
+ Params:
+ - esp_ctxt *ctx: the current ESP Context.
+ ctx -> bc gives the Current 1st Block counter
*/
#ifdef HAVE_LIBGCRYPT
+static guint8 * esp_aesctr_compute_counter(esp_ctxt *ctx)
+{
+ ctx -> ctr_bc ++;
+ guint8 *counter;
+ counter = g_malloc((ctx -> ctr_len +1) * sizeof(guint8));
+ guint i;
+ int j;
+ int cpt_len;
+ gchar val_tmp[3];
+
+ /* Nonce */
+ for(i=0; i<4; i++)
+ {
+ counter[i] = ctx -> crypt_key[ctx -> crypt_key_len -4 +i];
+ }
+
+ /* IV */
+ for(i=0; i<ctx -> iv_len; i++)
+ {
+ counter[i+4] = ctx -> iv[i];
+ }
+
+ /* Counter */
+ guint counter_len = (ctx -> ctr_len -4 -ctx -> iv_len)*2;
+ gchar counter_str[counter_len +1];
+
+ g_snprintf(counter_str,counter_len,"%x", ctx -> ctr_bc);
+
+ if((strlen(counter_str) % 2) != 0)
+ cpt_len = strlen(counter_str) / 2 + 1;
+ else cpt_len = strlen(counter_str) / 2;
+
+ for(i=0;i<(ctx -> ctr_len -4 -ctx -> iv_len -cpt_len);i++)
+ {
+ counter[i + ctx -> iv_len + 4] = '\0';
+ }
+
+ val_tmp[2] = '\0';
+
+ if((strlen(counter_str) % 2) != 0)
+ {
+ val_tmp[0] = '0';
+ val_tmp[1] = counter_str[0];
+ /* Add the '\0' character but it will be removed just after */
+ sscanf(val_tmp,"%x",(unsigned int *)&(counter[ctx -> ctr_len - cpt_len]));;
+ }
+
+ for(j=strlen(counter_str) -2; j>=0; j=j-2)
+ {
+ val_tmp[0] = counter_str[j];
+ val_tmp[1] = counter_str[j+1];
+ sscanf(val_tmp,"%x",(unsigned int *)&(counter[ctx -> ctr_len - cpt_len + (j+2)/2]));
+ }
+
+ return counter;
+}
+#endif
+
+
+/*
+ Name : static gboolean esp_create_ctxt(
+ esp_ctxt *ctx,
+ gint encryption_algo,
+ gchar *encryption_key,
+ guint encryption_key_len,
+ gint authentication_algo,
+ gchar *authentication_key,
+ guint authentication_key_len,
+ guint8 *data
+ )
+
+ Description : Creation of the ESP Context.
+ Return : Return TRUE if success, FALSE otherwise
+ Params:
+ - esp_ctxt *ctx: the current ESP Context (ctx -> bc gives the Current 1st Block counter)
+ - gint crypt_algo: Encryption Algo Name
+ - gchar *crypt_key: Encryption Key
+ - guint crypt_key_len: Encryption Key len
+ - gint auth_algo: Authentication algo Name
+ - gchar *auth_key: Authentication key
+ - guint auth_key_len: Authentication key len
+ - guint8 *data: Data on which the ESP Context will apply (in order to get IV, CTR ...)
+
+here are the ESP Context Information to set if you plan to add another algorithm:
+
+typedef struct {
+ gint crypt_algo; // Encryption Algo Name
+ guint crypt_mode; // Encryption Algo Mode : IPSEC_CRYPT_MODE_CBC or IPSEC_CRYPT_MODE_CTR
+ gchar *crypt_key; // Encryption Key
+ guint crypt_key_len; // Encryption Key len
+ crypt_block_size; // Cipher Block size
+ gint auth_algo; // Authentication algo Name
+ guint auth_mode; // Authentication Algo Mode : IPSEC_AUTH_MODE_XCBC/IPSEC_AUTH_MODE_CBC or IPSEC_AUTH_MODE_HMAC
+ gchar *auth_key; // Authentication key
+ guint auth_key_len; // Authentication key len
+ guint auth_len; // Authentication Field length
+ gint iv_len; // IV len (To set to 0 if none)
+ guint8 *iv; // IV
+ gint ctr_len; // Counter Len (To set to 0 if none)
+ guint8 *ctr; // Counter
+ gint ctr_bc; // Counter Block Value
+} esp_ctxt;
+
+*/
+
+#ifdef HAVE_LIBGCRYPT
+static gboolean
+esp_create_ctxt(esp_ctxt *ctx,
+ gint encryption_algo,
+ gchar *encryption_key,
+ guint encryption_key_len,
+ gint authentication_algo,
+ gchar *authentication_key,
+ guint authentication_key_len,
+ guint8 *data
+ )
+
+{
+ gboolean ret = TRUE;
+
+ /* ESP Context Initialisation */
+ ctx -> iv_len = 0;
+ ctx -> iv = NULL;
+ ctx -> ctr_len = 0;
+ ctx -> ctr = NULL;
+ ctx -> ctr_bc = 0;
+ ctx -> crypt_block_size = 0;
+ ctx -> crypt_algo = encryption_algo;
+ ctx -> auth_algo = authentication_algo;
+ ctx -> crypt_key_len = encryption_key_len;
+ ctx -> auth_key_len = authentication_key_len;
+ ctx -> crypt_key = encryption_key;
+ ctx -> auth_key = authentication_key;
+
+
+ switch(ctx -> auth_algo)
+ {
+
+ case IPSEC_AUTH_HMAC_SHA1_96:
+ /*
+ RFC 2404 : HMAC-SHA-1-96 is a secret key algorithm.
+ While no fixed key length is specified in [RFC-2104],
+ for use with either ESP or AH a fixed key length of
+ 160-bits MUST be supported. Key lengths other than
+ 160-bits MUST NOT be supported (i.e. only 160-bit keys
+ are to be used by HMAC-SHA-1-96). A key length of
+ 160-bits was chosen based on the recommendations in
+ [RFC-2104] (i.e. key lengths less than the
+ authenticator length decrease security strength and
+ keys longer than the authenticator length do not
+ significantly increase security strength).
+ */
+
+ {
+ ctx -> auth_mode = IPSEC_AUTH_MODE_HMAC;
+ ctx -> auth_len = 12;
+ break;
+ }
+
+ case IPSEC_AUTH_HMAC_SHA256_96:
+ {
+ ctx -> auth_mode = IPSEC_AUTH_MODE_HMAC;
+ ctx -> auth_len = 12;
+ break;
+ }
+
+ case IPSEC_AUTH_NULL:
+ {
+ ctx -> auth_mode = IPSEC_AUTH_MODE_NONE;
+ ctx -> auth_len = 0;
+ break;
+ }
+
+ /*
+ case IPSEC_AUTH_AES_XCBC_MAC_96:
+ {
+ ctx -> auth_mode = IPSEC_AUTH_MODE_XCBC;
+ ctx -> auth_len = 12;
+ break;
+ }
+ */
+
+ case IPSEC_AUTH_HMAC_MD5_96:
+ /*
+ RFC 2403 : HMAC-MD5-96 is a secret key algorithm.
+ While no fixed key length is specified in [RFC-2104],
+ for use with either ESP or AH a fixed key length of
+ 128-bits MUST be supported. Key lengths other than
+ 128-bits MUST NOT be supported (i.e. only 128-bit keys
+ are to be used by HMAC-MD5-96). A key length of
+ 128-bits was chosen based on the recommendations in
+ [RFC-2104] (i.e. key lengths less than the
+ authenticator length decrease security strength and
+ keys longer than the authenticator length do not
+ significantly increase security strength).
+ */
+ {
+ ctx -> auth_mode = IPSEC_AUTH_MODE_HMAC;
+ ctx -> auth_len = 12;
+ break;
+ }
+
+ case IPSEC_AUTH_HMAC_RIPEMD160_96:
+ /*
+ RFC 2857 : HMAC-RIPEMD-160-96 produces a 160-bit
+ authenticator value. This 160-bit value can be truncated
+ as described in RFC2104. For use with either ESP or AH, a truncated
+ value using the first 96 bits MUST be supported.
+ */
+ {
+ ctx -> auth_mode = IPSEC_AUTH_MODE_HMAC;
+ ctx -> auth_len = 12;
+ break;
+ }
+
+ case IPSEC_AUTH_ANY_12BYTES:
+ default:
+ {
+ ctx -> auth_mode = IPSEC_AUTH_MODE_NONE;
+ ctx -> auth_len = 12;
+ break;
+ }
+
+ }
+
+
+ switch(ctx -> crypt_algo)
+ {
+
+ case IPSEC_ENCRYPT_3DES_CBC :
+ /* RFC 2451 says :
+ 3DES CBC uses a key of 192 bits.
+ The first 3DES key is taken from the first 64 bits,
+ the second from the next 64 bits, and the third
+ from the last 64 bits.
+ Implementations MUST take into consideration the
+ parity bits when initially accepting a new set of
+ keys. Each of the three keys is really 56 bits in
+ length with the extra 8 bits used for parity.
+ 3DES CBC uses an IV of 8 octets and a Block size of 8 octets.
+ */
+ {
+ /* Fix parameters for 3DES-CBC */
+ ctx -> iv_len = 8;
+ ctx -> iv = g_malloc(ctx -> iv_len * sizeof(guint8));
+ ctx -> crypt_mode = IPSEC_CRYPT_MODE_CBC;
+ ctx -> crypt_block_size = 8;
+ memset(ctx -> iv,0,ctx -> iv_len);
+ if (data == NULL) ret = FALSE;
+ else memcpy(ctx -> iv, data + sizeof(struct newesp), ctx -> iv_len);
+
+ break;
+ }
+
+ case IPSEC_ENCRYPT_AES_CBC :
+ /* RFC 3602 says :
+ AES supports three key sizes: 128 bits, 192 bits,
+ and 256 bits. The default key size is 128 bits,
+ and all implementations MUST support this key size.
+ Implementations MAY also support key sizes of 192
+ bits and 256 bits.
+ AES-CBC uses an IV of 16 octets and a Block size of 16 octets.
+ */
+ {
+ /* Fix parameters for AES-CBC */
+ ctx -> iv_len = 16;
+ ctx -> iv = g_malloc(ctx -> iv_len * sizeof(guint8));
+ ctx -> crypt_block_size = 16;
+ ctx -> crypt_mode = IPSEC_CRYPT_MODE_CBC;
+ memset(ctx -> iv,0,ctx -> iv_len);
+ if (data == NULL) ret = FALSE;
+ else memcpy(ctx -> iv, data + sizeof(struct newesp), ctx -> iv_len);
+
+ break;
+ }
+
+
+ case IPSEC_ENCRYPT_CAST5_CBC :
+ /* The CAST-128 encryption algorithm has been designed to
+ allow a key size which can vary from 40 bits to 128 bits,
+ in 8-bit increments (that is, the allowable key sizes are
+ 40, 48, 56, 64, ..., 112, 120, and 128 bits. To facilitate interoperability,
+ it is recommended that key sizes SHOULD be chosen from the set of 40, 64, 80 and 128.
+ For key sizes less than 128 bits, the key is padded with zero (in the rightmost, or least
+ significant, positions) out to 128 bits. CAST5-CBC uses an IV of 8 octets and a block size of 8 octets.
+ We will accpet only key of length 128 bits.
+ */
+ {
+ /* Fix parameters for CAST5-CBC */
+ ctx -> iv_len = 8;
+ ctx -> iv = g_malloc(ctx -> iv_len * sizeof(guint8));
+ ctx -> crypt_block_size = 8;
+ ctx -> crypt_mode = IPSEC_CRYPT_MODE_CBC;
+ memset(ctx -> iv,0,ctx -> iv_len);
+ if (data == NULL) ret = FALSE;
+ else memcpy(ctx -> iv, data + sizeof(struct newesp), ctx -> iv_len);
+
+ break;
+ }
+
+
+ case IPSEC_ENCRYPT_DES_CBC :
+ {
+ /* RFC 2405 says :
+ DES-CBC is a symmetric secret key algorithm.
+ The key size is 64-bits.
+ It is commonly known as a 56-bit key as the key
+ has 56 significant bits; the least significant
+ bit in every byte is the parity bit.
+ DES-CBC uses an IV of 8 octets and a Block size of 8 octets.
+ */
+
+ /* Fix parameters for DES-CBC */
+ ctx -> iv_len = 8;
+ ctx -> iv = g_malloc(ctx -> iv_len * sizeof(guint8));
+ ctx -> crypt_block_size = 8;
+ ctx -> crypt_mode = IPSEC_CRYPT_MODE_CBC;
+ memset(ctx -> iv,0,ctx -> iv_len);
+ if (data == NULL) ret = FALSE;
+ else memcpy(ctx -> iv, data + sizeof(struct newesp), ctx -> iv_len);
+
+ break;
+ }
+
+
+ case IPSEC_ENCRYPT_AES_CTR :
+ {
+ /* RFC 3686 says :
+ AES supports three key sizes: 128 bits, 192 bits,
+ and 256 bits. The default key size is 128 bits,
+ and all implementations MUST support this key
+ size. Implementations MAY also support key sizes
+ of 192 bits and 256 bits. The remaining 32 bits
+ will be used as nonce. AES-CTR uses an IV of 8 octets
+ and a Block size of 16 octets.
+ AES-CTR uses the following Counter Block Format:
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Nonce |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Initialization Vector (IV) |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Block Counter |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ */
+
+ /* Fix parameters for AES-CTR */
+ ctx -> iv_len = 8;
+ ctx -> iv = g_malloc(ctx -> iv_len * sizeof(guint8));
+ ctx -> crypt_block_size = 16;
+ ctx -> crypt_mode = IPSEC_CRYPT_MODE_CTR;
+ memset(ctx -> iv,0,ctx -> iv_len);
+ if (data == NULL) ret = FALSE;
+ else memcpy(ctx -> iv, data + sizeof(struct newesp), ctx -> iv_len);
+ ctx -> ctr_len = 16;
+ ctx -> ctr_bc = 0;
+
+ /* Compute the Counter Block */
+ ctx -> ctr = esp_aesctr_compute_counter(ctx);
+
+ if (data == NULL) ret = FALSE;
+ else memcpy(ctx -> iv, data + sizeof(struct newesp), ctx -> iv_len);
+
+ break;
+ }
+
+
+ case IPSEC_ENCRYPT_TWOFISH_CBC :
+ {
+ /* Twofish is a 128-bit block cipher developed by
+ Counterpane Labs that accepts a variable-length
+ key up to 256 bits.
+ We will only accept key sizes of 128 and 256 bits.
+ TWOFISH-CBC uses an IV of 16 octets and a Block size of 16 octets.
+ */
+
+ /* Fix parameters for TWOFISH-CBC */
+ ctx -> iv_len = 16;
+ ctx -> iv = g_malloc(ctx -> iv_len * sizeof(guint8));
+ ctx -> crypt_block_size = 16;
+ ctx -> crypt_mode = IPSEC_CRYPT_MODE_CBC;
+ memset(ctx -> iv,0,ctx -> iv_len);
+ if (data == NULL) ret = FALSE;
+ else memcpy(ctx -> iv, data + sizeof(struct newesp), ctx -> iv_len);
+
+ break;
+ }
+
+
+ case IPSEC_ENCRYPT_BLOWFISH_CBC :
+ {
+ /* Bruce Schneier of Counterpane Systems developed
+ the Blowfish block cipher algorithm.
+ RFC 2451 shows that Blowfish uses key sizes from
+ 40 to 448 bits. The Default size is 128 bits.
+ We will only accept key sizes of 128 bits, because
+ libgrypt only accept this key size.
+ BLOWFISH-CBC uses an IV of 8 octets and a Block size of 8 octets.
+ */
+
+ /* Fix parameters for BLOWFISH-CBC */
+ ctx -> iv_len = 8;
+ ctx -> iv = g_malloc(ctx -> iv_len * sizeof(guint8));
+ ctx -> crypt_block_size = 8;
+ ctx -> crypt_mode = IPSEC_CRYPT_MODE_CBC;
+ memset(ctx -> iv,0,ctx -> iv_len);
+ if (data == NULL) ret = FALSE;
+ else memcpy(ctx -> iv, data + sizeof(struct newesp), ctx -> iv_len);
+ break;
+ }
+
+
+ case IPSEC_ENCRYPT_NULL :
+ default :
+ {
+ /* Fix parameters */
+ ctx -> iv_len = 0;
+ ctx -> ctr_len = 0;
+ ctx -> crypt_block_size = 0;
+ ctx -> crypt_mode = IPSEC_CRYPT_MODE_NONE;
+ break;
+ }
+ }
+
+ return ret;
+
+}
+#endif
+
+
+
+/*
+ Name : static esp_free_ctxt(esp_ctxt *ctx, )
+ Description : Free the ESP Context.
+ Params:
+ - esp_ctxt *ctx: the current ESP Context
+*/
+
+#ifdef HAVE_LIBGCRYPT
+static
+void esp_free_ctxt(esp_ctxt *ctx)
+{
+ ctx -> crypt_algo = IPSEC_ENCRYPT_NULL;
+ ctx -> crypt_mode = IPSEC_CRYPT_MODE_NONE;
+ if(ctx -> crypt_key_len)
+ {
+ if(ctx -> crypt_key != NULL)
+ g_free(ctx -> crypt_key);
+ ctx -> crypt_key_len = 0;
+
+ }
+ ctx -> auth_algo = IPSEC_ENCRYPT_NULL;
+ if(ctx -> auth_key_len)
+ {
+ if(ctx -> auth_key != NULL)
+ g_free(ctx -> auth_key);
+ ctx -> auth_key_len =0;
+ }
+ ctx -> auth_len = 0;
+ if(ctx -> iv_len)
+ {
+ if(ctx -> iv != NULL)
+ g_free(ctx -> iv);
+ ctx -> iv_len = 0;
+ }
+ if(ctx -> ctr_len)
+ {
+ if(ctx -> ctr != NULL)
+ g_free(ctx -> ctr);
+ ctx -> ctr_len = 0;
+ ctx -> ctr_bc = 0;
+ }
+}
+#endif
+
+
+
+/*
+ Name : static gboolean esp_compute_auth(esp_ctxt *ctx, guint8 *data, guint data_len, guint8 **authenticator, guint authenticator_len)
+
+ Description : Compute authentication according to the ESP Context.
+ Return : Return TRUE if success, FALSE otherwise
+ Params:
+ - esp_ctxt *ctx: the current ESP Context (ctx -> bc gives the Current 1st Block counter)
+ - guint8 *data: Data whom we want to compute the authentication
+ - guint data_len: len of the previous data
+ - guint8 **authenticator: Buffer for the Authenticator (to allocate before the call)
+ - guint authenticator_len: length of the Buffer allocated for the Authenticator
+
+here are the ESP Context Information you may access if you plan to add another algorithm:
+
+typedef struct {
+ gint crypt_algo; // Encryption Algo Name
+ guint crypt_mode; // Encryption Algo Mode : IPSEC_CRYPT_MODE_CBC or IPSEC_CRYPT_MODE_CTR
+ gchar *crypt_key; // Encryption Key
+ guint crypt_key_len; // Encryption Key len
+ crypt_block_size; // Cipher Block size
+ gint auth_algo; // Authentication algo Name
+ guint auth_mode; // Authentication Algo Mode : IPSEC_AUTH_MODE_XCBC/IPSEC_AUTH_MODE_CBC or IPSEC_AUTH_MODE_HMAC
+ gchar *auth_key; // Authentication key
+ guint auth_key_len; // Authentication key len
+ guint auth_len; // Authentication Field length
+ gint iv_len; // IV len (To set to 0 if none)
+ guint8 *iv; // IV
+ gint ctr_len; // Counter Len (To set to 0 if none)
+ guint8 *ctr; // Counter
+ gint ctr_bc; // Counter Block Value
+} esp_ctxt;
+
+*/
+#ifdef HAVE_LIBGCRYPT
+static gboolean
+esp_compute_auth(esp_ctxt *ctx, guint8 *data, guint data_len, guint8 **authenticator, guint authenticator_len)
+{
+ gboolean authentication_using_hmac_libgcrypt = FALSE;
+ int auth_algo_libgcrypt = 0;
+ gcry_error_t err = 0;
+ gcry_md_hd_t md_hd;
+ int md_len = 0;
+ guint8 *auth;
+
+ switch(ctx -> auth_algo)
+ {
+
+ case IPSEC_AUTH_HMAC_SHA1_96:
+ {
+ auth_algo_libgcrypt = GCRY_MD_SHA1;
+ authentication_using_hmac_libgcrypt = TRUE;
+ break;
+ }
+
+ case IPSEC_AUTH_NULL:
+ {
+ return FALSE;
+ /*
+ authentication_using_hmac_libgcrypt = FALSE;
+ break;
+ */
+ }
+
+ /*
+ case IPSEC_AUTH_AES_XCBC_MAC_96:
+ {
+ auth_algo_libgcrypt =
+ authentication_check_using_libgcrypt = TRUE;
+ break;
+ }
+ */
+
+ case IPSEC_AUTH_HMAC_SHA256_96:
+ {
+ auth_algo_libgcrypt = GCRY_MD_SHA256;
+ authentication_using_hmac_libgcrypt = TRUE;
+ break;
+ }
+
+ case IPSEC_AUTH_HMAC_MD5_96:
+ {
+ auth_algo_libgcrypt = GCRY_MD_MD5;
+ authentication_using_hmac_libgcrypt = TRUE;
+ break;
+ }
+
+ case IPSEC_AUTH_HMAC_RIPEMD160_96:
+ {
+ auth_algo_libgcrypt = GCRY_MD_RMD160;
+ authentication_using_hmac_libgcrypt = TRUE;
+ break;
+ }
+
+ case IPSEC_AUTH_ANY_12BYTES:
+ default:
+ {
+ return FALSE;
+ /*
+ authentication_using_hmac_libgcrypt = FALSE;
+ break;
+ */
+ }
+
+ }
+
+ if (authentication_using_hmac_libgcrypt)
+ {
+ gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
+ gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
+
+ if(ctx -> auth_mode == IPSEC_AUTH_MODE_HMAC)
+ err = gcry_md_open (&md_hd, auth_algo_libgcrypt, GCRY_MD_FLAG_HMAC);
+
+ else return FALSE;
+
+ if (err)
+ {
+ fprintf (stderr,"<IPsec/ESP Dissector> Error in Algorithm %s, gcry_md_open failed: %s\n",
+ gcry_md_algo_name(auth_algo_libgcrypt), gpg_strerror (err));
+ return FALSE;
+ }
+
+ else
+ {
+ md_len = gcry_md_get_algo_dlen (auth_algo_libgcrypt);
+ if (md_len < 1 || md_len < (int) ctx -> auth_len)
+ {
+ fprintf (stderr,"<IPsec/ESP Dissector> Error in Algorithm %s, grcy_md_get_algo_dlen failed: %d\n",
+ gcry_md_algo_name(auth_algo_libgcrypt), md_len);
+ return FALSE;
+ }
+
+ else
+ {
+ gcry_md_setkey(md_hd, ctx -> auth_key, ctx -> auth_key_len );
+ gcry_md_write (md_hd, data, data_len);
+
+ auth = gcry_md_read (md_hd, auth_algo_libgcrypt);
+
+ if (auth == 0)
+ {
+ fprintf (stderr,"<IPsec/ESP Dissector> Error in Algorithm %s, gcry_md_read failed\n", gcry_md_algo_name(auth_algo_libgcrypt));
+ return FALSE;
+ }
+ else if (ctx -> auth_len > authenticator_len)
+ {
+ fprintf (stderr,"<IPsec/ESP Dissector> Warning : Buffer too little for computing Authentication for Algorithm %s\n",
+ gcry_md_algo_name(auth_algo_libgcrypt));
+ memcpy(*authenticator,auth, authenticator_len);
+ }
+ else
+ memcpy(*authenticator,auth, ctx -> auth_len);
+
+ gcry_md_close (md_hd);
+
+ }
+ }
+ }
+
+ return TRUE;
+}
+#endif
+
+
+
+/*
+ Name : static gboolean esp_decrypt(esp_ctxt *ctx, guint8 *data, guint data_len, guint8 **decrypt, guint decrypt_len)
+
+ Description : Compute authentication according to the ESP Context.
+ Return : Return TRUE if success, FALSE otherwise
+ Params:
+ - esp_ctxt *ctx: the current ESP Context (ctx -> bc gives the Current 1st Block counter)
+ - guint8 *data: Data whom we want to decrypt
+ - guint data_len: length of the previous data
+ - guint8 **decrypt: Buffer for the decrypted Data (to allocate before the call)
+ - guint decrypt_len: length of the Buffer allocated for the Decrypted Data
+
+here are the ESP Context Information you may access if you plan to add another algorithm:
+
+typedef struct {
+ gint crypt_algo; // Encryption Algo Name
+ guint crypt_mode; // Encryption Algo Mode : IPSEC_CRYPT_MODE_CBC or IPSEC_CRYPT_MODE_CTR
+ gchar *crypt_key; // Encryption Key
+ guint crypt_key_len; // Encryption Key len
+ guint crypt_block_size; // Cipher Block size
+ gint auth_algo; // Authentication algo Name
+ gchar *auth_key; // Authentication key
+ guint auth_key_len; // Authentication key len
+ guint auth_len; // Authentication Field length
+ gint iv_len; // IV len (To set to 0 if none)
+ guint8 *iv; // IV
+ gint ctr_len; // Counter Len (To set to 0 if none)
+ guint8 *ctr; // Counter
+ gint ctr_bc; // Counter Block Value
+} esp_ctxt;
+
+*/
+
+#ifdef HAVE_LIBGCRYPT
+static gboolean
+esp_decrypt(esp_ctxt *ctx, guint8 *data, guint data_len, guint8 **decrypt, guint decrypt_len)
+{
+ int encrypted_len_alloc = 0;
+ gcry_cipher_hd_t cypher_hd;
+ gcry_error_t err = 0;
+ int crypt_algo_libgcrypt = 0;
+ int crypt_mode_libgcrypt = 0;
+ gboolean decrypt_using_libgcrypt = FALSE;
+ guint8 *decrypted_data;
+ guint8 *encrypted_data;
+
+ switch(ctx -> crypt_algo)
+ {
+
+ case IPSEC_ENCRYPT_3DES_CBC :
+ {
+ crypt_algo_libgcrypt = GCRY_CIPHER_3DES;
+ crypt_mode_libgcrypt = GCRY_CIPHER_MODE_CBC;
+ if (ctx -> crypt_key_len != gcry_cipher_get_algo_keylen (crypt_algo_libgcrypt))
+ {
+ fprintf (stderr,"<ESP Preferences> Error in Encryption Algorithm 3DES-CBC : Bad Keylen (got %i Bits, need %i Bits)\n",
+ ctx -> crypt_key_len * 8, gcry_cipher_get_algo_keylen (crypt_algo_libgcrypt) * 8);
+ return FALSE;
+ }
+
+ decrypt_using_libgcrypt = TRUE;
+ break;
+ }
+
+ case IPSEC_ENCRYPT_AES_CBC :
+ {
+ crypt_mode_libgcrypt = GCRY_CIPHER_MODE_CBC;
+
+ switch(ctx -> crypt_key_len * 8)
+ {
+ case 128:
+ {
+ crypt_algo_libgcrypt = GCRY_CIPHER_AES128;
+ decrypt_using_libgcrypt = TRUE;
+ break;
+ }
+ case 192:
+ {
+ crypt_algo_libgcrypt = GCRY_CIPHER_AES192;
+ decrypt_using_libgcrypt = TRUE;
+ break;
+ }
+ case 256:
+ {
+ crypt_algo_libgcrypt = GCRY_CIPHER_AES256;
+ decrypt_using_libgcrypt = TRUE;
+ break;
+ }
+ default:
+ {
+ fprintf (stderr,"<ESP Preferences> Error in Encryption Algorithm AES-CBC : Bad Keylen (got %i Bits, need <128/192/256> Bits)\n",
+ ctx -> crypt_key_len * 8);
+
+ return FALSE;
+ }
+
+ }
+ break;
+ }
+
+
+ case IPSEC_ENCRYPT_DES_CBC :
+ {
+ crypt_algo_libgcrypt = GCRY_CIPHER_DES;
+ crypt_mode_libgcrypt = GCRY_CIPHER_MODE_CBC;
+
+ if (ctx -> crypt_key_len != gcry_cipher_get_algo_keylen (crypt_algo_libgcrypt))
+ {
+ fprintf (stderr,"<ESP Preferences> Error in Encryption Algorithm DES-CBC : Bad Keylen (got %i Bits, need %i Bits)\n",
+ ctx -> crypt_key_len * 8, gcry_cipher_get_algo_keylen (crypt_algo_libgcrypt) * 8);
+ return FALSE;
+ }
+ else
+
+
+ decrypt_using_libgcrypt = TRUE;
+ break;
+ }
+
+ case IPSEC_ENCRYPT_CAST5_CBC :
+ {
+ crypt_algo_libgcrypt = GCRY_CIPHER_CAST5;
+ crypt_mode_libgcrypt = GCRY_CIPHER_MODE_CBC;
+
+ if (ctx -> crypt_key_len != gcry_cipher_get_algo_keylen (crypt_algo_libgcrypt))
+ {
+ fprintf (stderr,"<ESP Preferences> Error in Encryption Algorithm CAST5-CBC : Bad Keylen (got %i Bits, need %i Bits)\n",
+ ctx -> crypt_key_len * 8, gcry_cipher_get_algo_keylen (crypt_algo_libgcrypt) * 8);
+ return FALSE;
+ }
+
+ decrypt_using_libgcrypt = TRUE;
+ break;
+ }
+
+
+ case IPSEC_ENCRYPT_AES_CTR :
+ {
+ crypt_mode_libgcrypt = GCRY_CIPHER_MODE_CTR;
+
+ switch(ctx -> crypt_key_len * 8)
+ {
+ case 160:
+ {
+ crypt_algo_libgcrypt = GCRY_CIPHER_AES128;
+ decrypt_using_libgcrypt = TRUE;
+ break;
+ }
+ case 224:
+ {
+ crypt_algo_libgcrypt = GCRY_CIPHER_AES192;
+ decrypt_using_libgcrypt = TRUE;
+ break;
+ }
+
+ case 288:
+ {
+ crypt_algo_libgcrypt = GCRY_CIPHER_AES256;
+ decrypt_using_libgcrypt = TRUE;
+ break;
+ }
+ default:
+ {
+ fprintf (stderr,"<ESP Preferences> Error in Encryption Algorithm AES-CTR : Bad Keylen (got %i Bits, need <160/224/288> Bits)\n",
+ ctx -> crypt_key_len * 8);
+ return FALSE;
+ }
+ }
+
+ break;
+ }
+
+ case IPSEC_ENCRYPT_TWOFISH_CBC :
+ {
+ crypt_mode_libgcrypt = GCRY_CIPHER_MODE_CBC;
+ switch(ctx -> crypt_key_len * 8)
+ {
+ case 128:
+ {
+ crypt_algo_libgcrypt = GCRY_CIPHER_TWOFISH128;
+ decrypt_using_libgcrypt = TRUE;
+ break;
+ }
+ case 256:
+ {
+ crypt_algo_libgcrypt = GCRY_CIPHER_TWOFISH;
+ decrypt_using_libgcrypt = TRUE;
+ break;
+ }
+
+ default:
+ {
+ fprintf (stderr,"<ESP Preferences> Error in Encryption Algorithm TWOFISH-CBC : Bad Keylen (got %i Bits, need <128/256> Bits)\n",
+ ctx -> crypt_key_len * 8);
+
+ return FALSE;
+ break;
+ }
+ }
+
+ break;
+ }
+
+ case IPSEC_ENCRYPT_BLOWFISH_CBC :
+ {
+ crypt_algo_libgcrypt = GCRY_CIPHER_BLOWFISH;
+ crypt_mode_libgcrypt = GCRY_CIPHER_MODE_CBC;
+
+ if (ctx -> crypt_key_len != gcry_cipher_get_algo_keylen (crypt_algo_libgcrypt))
+ {
+ fprintf (stderr,"<ESP Preferences> Error in Encryption Algorithm BLOWFISH-CBC : Bad Keylen (got %i Bits, need %i Bits)\n",
+ ctx -> crypt_key_len * 8, gcry_cipher_get_algo_keylen (crypt_algo_libgcrypt) * 8);
+ return FALSE;
+ }
+
+ decrypt_using_libgcrypt = TRUE;
+ break;
+ }
+
+
+ case IPSEC_ENCRYPT_NULL :
+ default :
+ {
+
+ if (data_len <= 0)
+ return FALSE;
+
+ else
+ {
+ memcpy(*decrypt, data , data_len);
+ decrypt_using_libgcrypt = FALSE;
+ return TRUE;
+ }
+
+ break;
+ }
+ }
+
+ if(decrypt_using_libgcrypt)
+ {
+ if (data_len <= 0)
+ return FALSE;
+
+ err = gcry_cipher_open (&cypher_hd, crypt_algo_libgcrypt, crypt_mode_libgcrypt, 0);
+ if (err)
+ {
+ fprintf(stderr,"<IPsec/ESP Dissector> Error in Algorithm %s Mode %d, grcy_open_cipher failed: %s\n",
+ gcry_cipher_algo_name(crypt_algo_libgcrypt), crypt_mode_libgcrypt, gpg_strerror (err));
+ return FALSE;
+ }
+
+ else
+ {
+ /* For AES-CTR the key ends with 4 bytes, that are Nonces */
+ if(ctx -> crypt_algo == IPSEC_ENCRYPT_AES_CTR)
+ err = gcry_cipher_setkey (cypher_hd, ctx -> crypt_key, ctx -> crypt_key_len -4);
+ else
+ err = gcry_cipher_setkey (cypher_hd, ctx -> crypt_key, ctx -> crypt_key_len);
+ if (err)
+ {
+ fprintf(stderr,"<IPsec/ESP Dissector> Error in Algorithm %s Mode %d, gcry_cipher_setkey failed: %s\n",
+ gcry_cipher_algo_name(crypt_algo_libgcrypt), crypt_mode_libgcrypt, gpg_strerror (err));
+ gcry_cipher_close (cypher_hd);
+ return FALSE;
+ }
+ else
+ {
+ if(ctx -> crypt_mode == IPSEC_CRYPT_MODE_CBC)
+ {
+ err = gcry_cipher_setiv (cypher_hd, ctx -> iv, ctx -> iv_len);
+ if (err)
+ {
+ fprintf(stderr,"<IPsec/ESP Dissector> Error in Algorithm %s, Mode %d, gcry_cipher_setiv failed: %s\n",
+ gcry_cipher_algo_name(crypt_algo_libgcrypt), crypt_mode_libgcrypt, gpg_strerror (err));
+ gcry_cipher_close (cypher_hd);
+ return FALSE;
+ }
+ }
+
+ else if (ctx -> crypt_mode == IPSEC_CRYPT_MODE_CTR)
+ {
+ err = gcry_cipher_setctr (cypher_hd, (void *)ctx -> ctr,ctx -> ctr_len);
+ if (err)
+ {
+ fprintf(stderr,"<IPsec/ESP Dissector> Error in Algorithm %s, Mode %d, gcry_cipher_setiv failed: %s\n",
+ gcry_cipher_algo_name(crypt_algo_libgcrypt), crypt_mode_libgcrypt, gpg_strerror (err));
+ gcry_cipher_close (cypher_hd);
+ return FALSE;
+ }
+ }
+
+ if(data_len % ctx -> crypt_block_size == 0)
+ encrypted_len_alloc = data_len;
+ else
+ encrypted_len_alloc = (data_len / ctx -> crypt_block_size) * ctx -> crypt_block_size + ctx -> crypt_block_size;
+
+ /* Allocate Buffers for Encrypted and Decrypted data */
+ encrypted_data = (guint8 *) g_malloc ((encrypted_len_alloc) * sizeof(guint8));
+ memset(encrypted_data,0,encrypted_len_alloc);
+ decrypted_data = (guint8 *) g_malloc ((encrypted_len_alloc)* sizeof(guint8));
+ memset(decrypted_data,0,encrypted_len_alloc);
+ memcpy(encrypted_data, data, data_len);
+
+ err = gcry_cipher_decrypt (cypher_hd, decrypted_data, encrypted_len_alloc, encrypted_data, encrypted_len_alloc);
+ if (err)
+ {
+ fprintf(stderr,"<IPsec/ESP Dissector> Error in Algorithm %s, Mode %d, gcry_cipher_decrypt failed: %s\n",
+ gcry_cipher_algo_name(crypt_algo_libgcrypt), crypt_mode_libgcrypt, gpg_strerror (err));
+ gcry_cipher_close (cypher_hd);
+ g_free(encrypted_data);
+ g_free(decrypted_data);
+ return FALSE;
+ }
+
+ else
+ {
+ if (data_len > decrypt_len)
+ {
+ fprintf (stderr,"<IPsec/ESP Dissector> Warning : Buffer too little for Decryption for Algorithm %s\n",
+ gcry_md_algo_name(crypt_algo_libgcrypt));
+ memcpy(*decrypt,decrypted_data,decrypt_len);
+ }
+ else
+ memcpy(*decrypt,decrypted_data,data_len);
+
+ gcry_cipher_close (cypher_hd);
+ g_free(encrypted_data);
+ g_free(decrypted_data);
+ return TRUE;
+ }
+ }
+ }
+ }
+}
+
+#endif
+
+
+
+/*
+ Name : dissect_esp_authentication(proto_tree *tree, tvbuff_t *tvb, gint len, gint esp_auth_len, gchar *authenticator_data_computed,
+ gboolean authentication_ok, gboolean authentication_checking_ok)
+ Description : used to print Authenticator field when linked with libgcrypt. Print the expected authenticator value
+ if requested and if it is wrong.
+ Return : void
+ Params:
+ - proto_tree *tree : the current tree
+ - tvbuff_t *tvb : the tvbuffer
+ - gint len : length of the data available in tvbuff
+ - gint esp_auth_len : size of authenticator field
+ - gchar *authenticator_data_computed : give the authenticator computed (only needed when authentication_ok and !authentication_checking_ok
+ - gboolean authentication_ok : set to true if the authentication checking has been run successfully
+ - gboolean authentication_checking_ok : set to true if the authentication was the one expected
+*/
+#ifdef HAVE_LIBGCRYPT
static void
-dissect_esp_authentication(proto_tree *tree, tvbuff_t *tvb, gint len, gint esp_auth_len, guint8 *authenticator_data_computed,
- gboolean authentication_ok, gboolean authentication_checking_ok)
+dissect_esp_authentication(proto_tree *tree, tvbuff_t *tvb, gint len, gint esp_auth_len, gchar *authenticator_data_computed,
+ gboolean authentication_ok, gboolean authentication_checking_ok)
{
if(esp_auth_len == 0)
{
@@ -1425,13 +2455,13 @@
{
proto_tree_add_text(tree, tvb, len - esp_auth_len, esp_auth_len,
"Authentication Data [correct]");
+ g_free(authenticator_data_computed);
}
else if((authentication_ok) && (!authentication_checking_ok))
{
proto_tree_add_text(tree, tvb, len - esp_auth_len, esp_auth_len,
"Authentication Data [incorrect, should be 0x%s]", authenticator_data_computed);
-
g_free(authenticator_data_computed);
}
@@ -1440,6 +2470,7 @@
}
else
{
+ if(authentication_ok) g_free(authenticator_data_computed);
/* Truncated so just display what we have */
proto_tree_add_text(tree, tvb, len - esp_auth_len, esp_auth_len - (len - tvb_length(tvb)),
"Authentication Data (truncated)");
@@ -1447,6 +2478,7 @@
}
#endif
+
static void
dissect_esp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
@@ -1470,16 +2502,8 @@
gboolean decrypt_dissect_ok = FALSE;
#ifdef HAVE_LIBGCRYPT
- gboolean get_address_ok = FALSE;
- gboolean null_encryption_decode_heuristic = FALSE;
- guint8 *decrypted_data = NULL;
- guint8 *encrypted_data = NULL;
- guint8 *authenticator_data = NULL;
- guint8 *esp_data = NULL;
- tvbuff_t *tvb_decrypted;
- gint entry_index;
-
/* IPSEC encryption Variables related */
+ esp_ctxt esp_ctx;
gint protocol_typ = IPSEC_SA_UNKNOWN;
gint esp_crypt_algo = IPSEC_ENCRYPT_NULL;
gint esp_auth_algo = IPSEC_AUTH_NULL;
@@ -1487,40 +2511,31 @@
gchar *esp_auth_key = NULL;
guint esp_crypt_key_len = 0;
guint esp_auth_key_len = 0;
- gint esp_iv_len = 0;
- gint esp_auth_len = 0;
- gint decrypted_len = 0;
- gboolean decrypt_ok = FALSE;
- gboolean decrypt_using_libgcrypt = FALSE;
- gboolean authentication_check_using_hmac_libgcrypt = FALSE;
+
+ gint esp_decrypted_len = 0;
gboolean authentication_ok = FALSE;
gboolean authentication_checking_ok = FALSE;
- gboolean sad_is_present = FALSE;
+ gboolean sad_is_present = FALSE; gboolean get_address_ok = FALSE;
+ gboolean null_encryption_decode_heuristic = FALSE;
+
+ guint8 *decrypted_data = NULL;
+ guint8 *encrypted_data = NULL;
+ guint8 *esp_data = NULL;
+ guint8 *esp_authenticator = NULL;
+ guint8 *esp_authenticator_computed = NULL;
+ gchar *esp_authenticator_computed_str = NULL;
+ tvbuff_t *tvb_decrypted;
+ gint entry_index;
+
+
#endif
gint esp_pad_len = 0;
-#ifdef HAVE_LIBGCRYPT
-
- /* Variables for decryption and authentication checking used for libgrypt */
- int decrypted_len_alloc = 0;
- gcry_cipher_hd_t cypher_hd;
- gcry_md_hd_t md_hd;
- int md_len = 0;
- gcry_error_t err = 0;
- int crypt_algo_libgcrypt = 0;
- int crypt_mode_libgcrypt = 0;
- int auth_algo_libgcrypt = 0;
- unsigned char *authenticator_data_computed = NULL;
- unsigned char *authenticator_data_computed_md;
-
-
/*
* load the top pane info. This should be overwritten by
* the next protocol in the stack
*/
-#endif
-
if (check_col(pinfo->cinfo, COL_PROTOCOL))
col_set_str(pinfo->cinfo, COL_PROTOCOL, "ESP");
if (check_col(pinfo->cinfo, COL_INFO))
@@ -1557,9 +2572,7 @@
#ifdef HAVE_LIBGCRYPT
/* The SAD is not activated */
- if(g_esp_enable_null_encryption_decode_heuristic &&
- !g_esp_enable_encryption_decode)
- null_encryption_decode_heuristic = TRUE;
+ null_encryption_decode_heuristic = g_esp_enable_null_encryption_decode_heuristic;
if(g_esp_enable_encryption_decode || g_esp_enable_authentication_check)
{
@@ -1586,7 +2599,7 @@
memcpy(ip_src + i*2, res, 2);
}
ip_src[IPSEC_STRLEN_IPV4] = '\0';
-
+
for(i = 0 ; i < pinfo -> dst.len; i++)
{
if(((guint8 *)(pinfo -> dst.data))[i] < 16)
@@ -1602,7 +2615,7 @@
ip_dst[IPSEC_STRLEN_IPV4] = '\0';
get_address_ok = TRUE;
- break;
+ break;
}
case AT_IPv6 :
@@ -1650,10 +2663,6 @@
}
}
- /* The packet cannot be decoded using the SAD */
- if(g_esp_enable_null_encryption_decode_heuristic && !get_address_ok)
- null_encryption_decode_heuristic = TRUE;
-
if(get_address_ok)
{
/* Get the SPI */
@@ -1662,7 +2671,6 @@
spi = tvb_get_ntohl(tvb, 0);
}
-
/*
PARSE the SAD and fill it. It may take some time since it will
be called every times an ESP Payload is found.
@@ -1672,686 +2680,203 @@
&esp_crypt_algo, &esp_auth_algo,
&esp_crypt_key, &esp_crypt_key_len, &esp_auth_key, &esp_auth_key_len)))
{
+ /* Deactivation of the Heuristic to decrypt using the NULL encryption algorithm since the packet is matching a SA */
+ null_encryption_decode_heuristic = FALSE;
/* Get length of whole ESP packet. */
len = tvb_reported_length(tvb);
-
- switch(esp_auth_algo)
- {
+ if(len >= 0)
+ {
+ esp_data = (guint8 *) g_malloc (len * sizeof(guint8));
+ memset(esp_data,0,len);
+ tvb_memcpy(tvb, (guint8 *)esp_data, 0, len);
+ }
+
+ /* Init ESP Context */
+ if(esp_create_ctxt(&esp_ctx, esp_crypt_algo, esp_crypt_key, esp_crypt_key_len, esp_auth_algo, esp_auth_key, esp_auth_key_len,esp_data))
+ {
+ g_free(esp_data);
- case IPSEC_AUTH_HMAC_SHA1_96:
- {
- esp_auth_len = 12;
- break;
- }
-
- case IPSEC_AUTH_HMAC_SHA256:
- {
- esp_auth_len = 12;
- break;
- }
-
- case IPSEC_AUTH_NULL:
- {
- esp_auth_len = 0;
- break;
- }
-
- /*
- case IPSEC_AUTH_AES_XCBC_MAC_96:
- {
- esp_auth_len = 12;
- break;
+ /* Get ESP Data and Authenticator. */
+ if (len >= (int) esp_ctx.auth_len)
+ {
+ esp_data = (guint8 *) g_malloc ((len - esp_ctx.auth_len ) * sizeof(guint8));
+ memset(esp_data,0, len - esp_ctx.auth_len );
+ tvb_memcpy(tvb, (guint8 *)esp_data, 0, len - esp_ctx.auth_len);
}
- */
+
+ esp_authenticator = (guint8 *) g_malloc (esp_ctx.auth_len * sizeof(guint8));
+ memset(esp_authenticator,0, esp_ctx.auth_len );
+ tvb_memcpy(tvb, (guint8 *)esp_authenticator, len - esp_ctx.auth_len, esp_ctx.auth_len);
- case IPSEC_AUTH_HMAC_MD5_96:
- {
- esp_auth_len = 12;
- break;
- }
-
- case IPSEC_AUTH_ANY_12BYTES:
- default:
- {
- esp_auth_len = 12;
- break;
- }
-
- }
-
- if(g_esp_enable_authentication_check)
- {
- switch(esp_auth_algo)
+ if(g_esp_enable_authentication_check)
{
-
- case IPSEC_AUTH_HMAC_SHA1_96:
- /*
- RFC 2404 : HMAC-SHA-1-96 is a secret key algorithm.
- While no fixed key length is specified in [RFC-2104],
- for use with either ESP or AH a fixed key length of
- 160-bits MUST be supported. Key lengths other than
- 160-bits MUST NOT be supported (i.e. only 160-bit keys
- are to be used by HMAC-SHA-1-96). A key length of
- 160-bits was chosen based on the recommendations in
- [RFC-2104] (i.e. key lengths less than the
- authenticator length decrease security strength and
- keys longer than the authenticator length do not
- significantly increase security strength).
- */
- {
- auth_algo_libgcrypt = GCRY_MD_SHA1;
- authentication_check_using_hmac_libgcrypt = TRUE;
- break;
- }
-
- case IPSEC_AUTH_NULL:
- {
- authentication_check_using_hmac_libgcrypt = FALSE;
- authentication_checking_ok = TRUE;
- authentication_ok = TRUE;
- break;
- }
-
- /*
- case IPSEC_AUTH_AES_XCBC_MAC_96:
+ esp_authenticator_computed = (guint8 *) g_malloc ((esp_ctx.auth_len + 1) * sizeof(guint8));
+ memset(esp_authenticator_computed,0, esp_ctx.auth_len + 1);
+
+ /* Compute Authenticator */
+ if(esp_compute_auth(&esp_ctx, esp_data, len - esp_ctx.auth_len, &esp_authenticator_computed, esp_ctx.auth_len))
{
- auth_algo_libgcrypt =
- authentication_check_using_libgcrypt = TRUE;
- break;
- }
- */
-
- case IPSEC_AUTH_HMAC_SHA256:
- {
- auth_algo_libgcrypt = GCRY_MD_SHA256;
- authentication_check_using_hmac_libgcrypt = TRUE;
- break;
- }
-
- case IPSEC_AUTH_HMAC_MD5_96:
- /*
- RFC 2403 : HMAC-MD5-96 is a secret key algorithm.
- While no fixed key length is specified in [RFC-2104],
- for use with either ESP or AH a fixed key length of
- 128-bits MUST be supported. Key lengths other than
- 128-bits MUST NOT be supported (i.e. only 128-bit keys
- are to be used by HMAC-MD5-96). A key length of
- 128-bits was chosen based on the recommendations in
- [RFC-2104] (i.e. key lengths less than the
- authenticator length decrease security strength and
- keys longer than the authenticator length do not
- significantly increase security strength).
- */
- {
- auth_algo_libgcrypt = GCRY_MD_MD5;
- authentication_check_using_hmac_libgcrypt = TRUE;
- break;
- }
-
- case IPSEC_AUTH_ANY_12BYTES:
- default:
- {
- authentication_ok = FALSE;
- authentication_check_using_hmac_libgcrypt = FALSE;
- break;
- }
-
- }
-
- if((authentication_check_using_hmac_libgcrypt) && (!authentication_ok))
- {
- gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
- gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
-
- /* Allocate Buffers for Authenticator Field */
- authenticator_data = (guint8 *) g_malloc (( esp_auth_len + 1) * sizeof(guint8));
- memset(authenticator_data,0, esp_auth_len + 1);
- tvb_memcpy(tvb, authenticator_data, len - esp_auth_len, esp_auth_len);
-
- esp_data = (guint8 *) g_malloc (( len - esp_auth_len + 1) * sizeof(guint8));
- memset(esp_data,0, len - esp_auth_len + 1);
- tvb_memcpy(tvb, esp_data, 0, len - esp_auth_len);
-
- err = gcry_md_open (&md_hd, auth_algo_libgcrypt, GCRY_MD_FLAG_HMAC);
- if (err)
- {
- fprintf (stderr,"<IPsec/ESP Dissector> Error in Algorithm %s, gcry_md_open failed: %s\n", gcry_md_algo_name(auth_algo_libgcrypt), gpg_strerror (err));
- authentication_ok = FALSE;
- g_free(authenticator_data);
- g_free(esp_data);
- }
-
- else
- {
- md_len = gcry_md_get_algo_dlen (auth_algo_libgcrypt);
- if (md_len < 1 || md_len < esp_auth_len)
+ /* Check Authenticator */
+ if(memcmp (esp_authenticator_computed, esp_authenticator, esp_ctx.auth_len))
{
- fprintf (stderr,"<IPsec/ESP Dissector> Error in Algorithm %s, grcy_md_get_algo_dlen failed: %d\n", gcry_md_algo_name(auth_algo_libgcrypt), md_len);
- authentication_ok = FALSE;
+ unsigned char authenticator_data_computed_car[3];
+ esp_authenticator_computed_str = (gchar *) g_malloc (( esp_ctx.auth_len * 2 + 1) * sizeof(gchar));
+ for (i = 0; i < (int) esp_ctx.auth_len; i++)
+ {
+ g_snprintf((char *)authenticator_data_computed_car, 3, "%02X", esp_authenticator_computed[i] & 0xFF);
+ esp_authenticator_computed_str[i*2] = authenticator_data_computed_car[0];
+ esp_authenticator_computed_str[i*2 + 1] = authenticator_data_computed_car[1];
+ }
+ esp_authenticator_computed_str[esp_ctx.auth_len * 2] ='\0';
+
+ authentication_ok = TRUE;
+ authentication_checking_ok = FALSE;
}
-
else
- {
- gcry_md_setkey( md_hd, esp_auth_key, esp_auth_key_len );
-
- gcry_md_write (md_hd, esp_data, len - esp_auth_len);
-
- authenticator_data_computed_md = gcry_md_read (md_hd, auth_algo_libgcrypt);
- if (authenticator_data_computed_md == 0)
- {
- fprintf (stderr,"<IPsec/ESP Dissector> Error in Algorithm %s, gcry_md_read failed\n", gcry_md_algo_name(auth_algo_libgcrypt));
- authentication_ok = FALSE;
- }
- else
- {
- if(memcmp (authenticator_data_computed_md, authenticator_data, esp_auth_len))
- {
- unsigned char authenticator_data_computed_car[3];
- authenticator_data_computed = (guint8 *) g_malloc (( esp_auth_len * 2 + 1) * sizeof(guint8));
- for (i = 0; i < esp_auth_len; i++)
- {
- g_snprintf((char *)authenticator_data_computed_car, 3, "%02X", authenticator_data_computed_md[i] & 0xFF);
- authenticator_data_computed[i*2] = authenticator_data_computed_car[0];
- authenticator_data_computed[i*2 + 1] = authenticator_data_computed_car[1];
- }
-
- authenticator_data_computed[esp_auth_len * 2] ='\0';
-
- authentication_ok = TRUE;
- authentication_checking_ok = FALSE;
- }
- else
- {
-
- authentication_ok = TRUE;
- authentication_checking_ok = TRUE;
- }
- }
+ {
+ authentication_ok = TRUE;
+ authentication_checking_ok = TRUE;
}
-
- gcry_md_close (md_hd);
- g_free(authenticator_data);
- g_free(esp_data);
- }
- }
- }
-
- if(g_esp_enable_encryption_decode)
- {
- /* Deactivation of the Heuristic to decrypt using the NULL encryption algorithm since the packet is matching a SA */
- null_encryption_decode_heuristic = FALSE;
-
- switch(esp_crypt_algo)
- {
-
- case IPSEC_ENCRYPT_3DES_CBC :
- {
- /* RFC 2451 says :
- 3DES CBC uses a key of 192 bits.
- The first 3DES key is taken from the first 64 bits,
- the second from the next 64 bits, and the third
- from the last 64 bits.
- Implementations MUST take into consideration the
- parity bits when initially accepting a new set of
- keys. Each of the three keys is really 56 bits in
- length with the extra 8 bits used for parity. */
-
- /* Fix parameters for 3DES-CBC */
- esp_iv_len = 8;
- crypt_algo_libgcrypt = GCRY_CIPHER_3DES;
- crypt_mode_libgcrypt = GCRY_CIPHER_MODE_CBC;
-
- decrypted_len = len - sizeof(struct newesp);
-
- if (decrypted_len <= 0)
- decrypt_ok = FALSE;
- else
- {
- if(decrypted_len % esp_iv_len == 0)
- decrypted_len_alloc = decrypted_len;
- else
- decrypted_len_alloc = (decrypted_len / esp_iv_len) * esp_iv_len + esp_iv_len;
-
- if (esp_crypt_key_len != gcry_cipher_get_algo_keylen (crypt_algo_libgcrypt))
- {
- fprintf (stderr,"<ESP Preferences> Error in Encryption Algorithm 3DES-CBC : Bad Keylen (got %i Bits, need %i)\n",
- esp_crypt_key_len * 8, gcry_cipher_get_algo_keylen (crypt_algo_libgcrypt) * 8);
- decrypt_ok = FALSE;
- }
- else
- decrypt_using_libgcrypt = TRUE;
- }
-
- break;
- }
-
- case IPSEC_ENCRYPT_AES_CBC :
- {
- /* RFC 3602 says :
- AES supports three key sizes: 128 bits, 192 bits,
- and 256 bits. The default key size is 128 bits,
- and all implementations MUST support this key size.
- Implementations MAY also support key sizes of 192
- bits and 256 bits. */
-
- /* Fix parameters for AES-CBC */
- esp_iv_len = 16;
- crypt_mode_libgcrypt = GCRY_CIPHER_MODE_CBC;
-
- decrypted_len = len - sizeof(struct newesp);
-
- if (decrypted_len <= 0)
- decrypt_ok = FALSE;
- else
- {
- if(decrypted_len % esp_iv_len == 0)
- decrypted_len_alloc = decrypted_len;
- else
- decrypted_len_alloc = (decrypted_len / esp_iv_len) * esp_iv_len + esp_iv_len;
-
- switch(esp_crypt_key_len * 8)
- {
- case 128:
- {
- crypt_algo_libgcrypt = GCRY_CIPHER_AES128;
- decrypt_using_libgcrypt = TRUE;
- break;
- }
- case 192:
- {
- crypt_algo_libgcrypt = GCRY_CIPHER_AES192;
- decrypt_using_libgcrypt = TRUE;
- break;
- }
- case 256:
- {
- crypt_algo_libgcrypt = GCRY_CIPHER_AES256;
- decrypt_using_libgcrypt = TRUE;
- break;
- }
- default:
- {
- fprintf (stderr,"<ESP Preferences> Error in Encryption Algorithm AES-CBC : Bad Keylen (%i Bits)\n",
- esp_crypt_key_len * 8);
- decrypt_ok = FALSE;
- }
- }
- }
- break;
- }
-
-
- case IPSEC_ENCRYPT_DES_CBC :
- {
- /* RFC 2405 says :
- DES-CBC is a symmetric secret key algorithm.
- The key size is 64-bits.
- [It is commonly known as a 56-bit key as the key
- has 56 significant bits; the least significant
- bit in every byte is the parity bit.] */
-
- /* Fix parameters for DES-CBC */
- esp_iv_len = 8;
- crypt_algo_libgcrypt = GCRY_CIPHER_DES;
- crypt_mode_libgcrypt = GCRY_CIPHER_MODE_CBC;
- decrypted_len = len - sizeof(struct newesp);
-
- if (decrypted_len <= 0)
- decrypt_ok = FALSE;
- else
- {
- if(decrypted_len % esp_iv_len == 0)
- decrypted_len_alloc = decrypted_len;
- else
- decrypted_len_alloc = (decrypted_len / esp_iv_len) * esp_iv_len + esp_iv_len;
-
- if (esp_crypt_key_len != gcry_cipher_get_algo_keylen (crypt_algo_libgcrypt))
- {
- fprintf (stderr,"<ESP Preferences> Error in Encryption Algorithm DES-CBC : Bad Keylen (%i Bits, need %i)\n",
- esp_crypt_key_len * 8, gcry_cipher_get_algo_keylen (crypt_algo_libgcrypt) * 8);
- decrypt_ok = FALSE;
- }
- else
- decrypt_using_libgcrypt = TRUE;
- }
-
- break;
- }
-
-
- case IPSEC_ENCRYPT_AES_CTR :
- {
- /* RFC 3686 says :
- AES supports three key sizes: 128 bits, 192 bits,
- and 256 bits. The default key size is 128 bits,
- and all implementations MUST support this key
- size. Implementations MAY also support key sizes
- of 192 bits and 256 bits. The remaining 32 bits
- will be used as nonce. */
-
- /* Fix parameters for AES-CTR */
- esp_iv_len = 8;
- crypt_mode_libgcrypt = GCRY_CIPHER_MODE_CTR;
-
- decrypted_len = len - sizeof(struct newesp);
-
- if (decrypted_len <= 0)
- decrypt_ok = FALSE;
- else
- {
- if(decrypted_len % esp_iv_len == 0)
- decrypted_len_alloc = decrypted_len;
- else
- decrypted_len_alloc = (decrypted_len / esp_iv_len) * esp_iv_len + esp_iv_len;
-
- switch(esp_crypt_key_len * 8)
- {
- case 160:
- {
- crypt_algo_libgcrypt = GCRY_CIPHER_AES128;
- decrypt_using_libgcrypt = TRUE;
- break;
- }
- case 224:
- {
- crypt_algo_libgcrypt = GCRY_CIPHER_AES192;
- decrypt_using_libgcrypt = TRUE;
- break;
- }
- case 288:
- {
- crypt_algo_libgcrypt = GCRY_CIPHER_AES256;
- decrypt_using_libgcrypt = TRUE;
- break;
- }
- default:
- {
- fprintf (stderr,"<ESP Preferences> Error in Encryption Algorithm AES-CTR : Bad Keylen (%i Bits)\n",esp_crypt_key_len * 8);
- decrypt_ok = FALSE;
- }
- }
- }
-
- break;
- }
-
- case IPSEC_ENCRYPT_TWOFISH_CBC :
- {
- /* Twofish is a 128-bit block cipher developed by
- Counterpane Labs that accepts a variable-length
- key up to 256 bits.
- We will only accept key sizes of 128 and 256 bits.
- */
-
- /* Fix parameters for TWOFISH-CBC */
- esp_iv_len = 16;
- crypt_mode_libgcrypt = GCRY_CIPHER_MODE_CBC;
-
- decrypted_len = len - sizeof(struct newesp);
-
- if (decrypted_len <= 0)
- decrypt_ok = FALSE;
- else
- {
- if(decrypted_len % esp_iv_len == 0)
- decrypted_len_alloc = decrypted_len;
- else
- decrypted_len_alloc = (decrypted_len / esp_iv_len) * esp_iv_len + esp_iv_len;
-
- switch(esp_crypt_key_len * 8)
- {
- case 128:
- {
- crypt_algo_libgcrypt = GCRY_CIPHER_TWOFISH128;
- decrypt_using_libgcrypt = TRUE;
- break;
- }
- case 256:
- {
- crypt_algo_libgcrypt = GCRY_CIPHER_TWOFISH;
- decrypt_using_libgcrypt = TRUE;
- break;
- }
- default:
- {
- fprintf (stderr,"<ESP Preferences> Error in Encryption Algorithm TWOFISH-CBC : Bad Keylen (%i Bits)\n",esp_crypt_key_len * 8);
- decrypt_ok = FALSE;
- }
- }
- }
-
- break;
- }
-
-
- case IPSEC_ENCRYPT_BLOWFISH_CBC :
- {
- /* Bruce Schneier of Counterpane Systems developed
- the Blowfish block cipher algorithm.
- RFC 2451 shows that Blowfish uses key sizes from
- 40 to 448 bits. The Default size is 128 bits.
- We will only accept key sizes of 128 bits, because
- libgrypt only accept this key size.
- */
-
- /* Fix parameters for BLOWFISH-CBC */
- esp_iv_len = 8;
- crypt_algo_libgcrypt = GCRY_CIPHER_BLOWFISH;
- crypt_mode_libgcrypt = GCRY_CIPHER_MODE_CBC;
-
- decrypted_len = len - sizeof(struct newesp);
-
- if (decrypted_len <= 0)
- decrypt_ok = FALSE;
- else
- {
- if(decrypted_len % esp_iv_len == 0)
- decrypted_len_alloc = decrypted_len;
- else
- decrypted_len_alloc = (decrypted_len / esp_iv_len) * esp_iv_len + esp_iv_len;
-
- if (esp_crypt_key_len != gcry_cipher_get_algo_keylen (crypt_algo_libgcrypt))
- {
- fprintf (stderr,"<ESP Preferences> Error in Encryption Algorithm BLOWFISH-CBC : Bad Keylen (%i Bits, need %i)\n",
- esp_crypt_key_len * 8, gcry_cipher_get_algo_keylen (crypt_algo_libgcrypt) * 8);
- decrypt_ok = FALSE;
- }
- else
- decrypt_using_libgcrypt = TRUE;
- }
-
- break;
-
- }
-
-
- case IPSEC_ENCRYPT_NULL :
- default :
- {
- /* Fix parameters */
- esp_iv_len = 0;
- decrypted_len = len - sizeof(struct newesp);
-
- if (decrypted_len <= 0)
- decrypt_ok = FALSE;
- else
- {
- /* Allocate Buffers for Encrypted and Decrypted data */
- decrypted_data = (guint8 *) g_malloc ((decrypted_len + 1)* sizeof(guint8));
- tvb_memcpy(tvb, decrypted_data , sizeof(struct newesp), decrypted_len);
-
- decrypt_ok = TRUE;
- }
-
- break;
- }
+ }
+ g_free(esp_authenticator_computed);
}
+
- if(decrypt_using_libgcrypt)
+ if(g_esp_enable_encryption_decode)
{
- /* Allocate Buffers for Encrypted and Decrypted data */
- encrypted_data = (guint8 *) g_malloc ((decrypted_len_alloc) * sizeof(guint8));
- memset(encrypted_data,0,decrypted_len_alloc);
- decrypted_data = (guint8 *) g_malloc ((decrypted_len_alloc + esp_iv_len)* sizeof(guint8));
- tvb_memcpy(tvb, encrypted_data , sizeof(struct newesp), decrypted_len);
-
- err = gcry_cipher_open (&cypher_hd, crypt_algo_libgcrypt, crypt_mode_libgcrypt, 0);
- if (err)
+ /* Add IV */
+ if(esp_ctx.iv_len > 0)
{
- fprintf(stderr,"<IPsec/ESP Dissector> Error in Algorithm %s Mode %d, grcy_open_cipher failed: %s\n",
- gcry_cipher_algo_name(crypt_algo_libgcrypt), crypt_mode_libgcrypt, gpg_strerror (err));
- g_free(encrypted_data);
- g_free(decrypted_data);
- decrypt_ok = FALSE;
- }
-
- else
- {
- err = gcry_cipher_setkey (cypher_hd, esp_crypt_key, esp_crypt_key_len);
- if (err)
+ if(tvb_bytes_exist(tvb, 0, esp_ctx.iv_len))
{
- fprintf(stderr,"<IPsec/ESP Dissector> Error in Algorithm %s Mode %d, gcry_cipher_setkey failed: %s\n",
- gcry_cipher_algo_name(crypt_algo_libgcrypt), crypt_mode_libgcrypt, gpg_strerror (err));
- gcry_cipher_close (cypher_hd);
- g_free(encrypted_data);
- g_free(decrypted_data);
- decrypt_ok = FALSE;
+ proto_tree_add_item(esp_tree, hf_esp_iv,
+ tvb,
+ sizeof(struct newesp), esp_ctx.iv_len,
+ FALSE);
}
+
else
- {
- err = gcry_cipher_decrypt (cypher_hd, decrypted_data, decrypted_len_alloc + esp_iv_len, encrypted_data, decrypted_len_alloc);
- if (err)
- {
- fprintf(stderr,"<IPsec/ESP Dissector> Error in Algorithm %s, Mode %d, gcry_cipher_decrypt failed: %s\n",
- gcry_cipher_algo_name(crypt_algo_libgcrypt), crypt_mode_libgcrypt, gpg_strerror (err));
- gcry_cipher_close (cypher_hd);
- g_free(encrypted_data);
- g_free(decrypted_data);
- decrypt_ok = FALSE;
- }
- else
- {
- gcry_cipher_close (cypher_hd);
-
- /* Add the Authentication which was not encrypted */
- if(decrypted_len >= esp_auth_len)
- {
- for(i = 0; i < esp_auth_len; i++)
- {
- decrypted_data[i + decrypted_len -esp_auth_len] = encrypted_data[i + decrypted_len - esp_auth_len];
- }
- }
-
- fprintf(stderr,"\n\n ");
- g_free(encrypted_data);
- decrypt_ok = TRUE;
- }
- }
+ proto_tree_add_text(esp_tree, tvb,
+ sizeof(struct newesp), -1,
+ "IV (truncated)");
}
- }
- if(decrypt_ok)
- {
- tvb_decrypted = tvb_new_real_data(decrypted_data, decrypted_len, decrypted_len);
- tvb_set_child_real_data_tvbuff(tvb, tvb_decrypted);
- add_new_data_source(pinfo,
- tvb_decrypted,
- "Decrypted Data");
+ /* Allocate Buffers for Encrypted and Decrypted data */
+ esp_decrypted_len = len - sizeof(struct newesp) - esp_ctx.iv_len - esp_ctx.auth_len;
+ if(esp_decrypted_len < 0) esp_decrypted_len = 0;
+
+ encrypted_data = (guint8 *) g_malloc (esp_decrypted_len * sizeof(guint8));
+ memset(encrypted_data,0,esp_decrypted_len);
+ decrypted_data = (guint8 *) g_malloc (esp_decrypted_len * sizeof(guint8));
+ memset(decrypted_data,0,esp_decrypted_len);
+ tvb_memcpy(tvb, (guint8 *)encrypted_data, sizeof(struct newesp) + esp_ctx.iv_len, esp_decrypted_len);
- /* Handler to free the Decrypted Data Buffer. */
- tvb_set_free_cb(tvb_decrypted,g_free);
-
- if(tvb_bytes_exist(tvb_decrypted, 0, esp_iv_len))
+ /* Decryption */
+ if(esp_decrypt(&esp_ctx, encrypted_data, esp_decrypted_len, &decrypted_data, esp_decrypted_len))
{
- if(esp_iv_len > 0)
- proto_tree_add_item(esp_tree, hf_esp_iv,
- tvb_decrypted,
- 0, esp_iv_len,
- FALSE);
- }
-
- else
- proto_tree_add_text(esp_tree, tvb_decrypted,
- 0, -1,
- "IV (truncated)");
-
- /* Make sure the packet is not truncated before the fields
- * we need to read to determine the encapsulated protocol */
- if(tvb_bytes_exist(tvb_decrypted, decrypted_len - esp_auth_len - 2, 2))
- {
- esp_pad_len = tvb_get_guint8(tvb_decrypted, decrypted_len - esp_auth_len - 2);
-
- if(decrypted_len - esp_auth_len - esp_pad_len - esp_iv_len - 2 >= esp_iv_len)
+ tvb_decrypted = tvb_new_real_data((guint8 *)decrypted_data, esp_decrypted_len, -1);
+ tvb_set_child_real_data_tvbuff(tvb, tvb_decrypted);
+ add_new_data_source(pinfo,
+ tvb_decrypted,
+ "Decrypted Data");
+
+ /* Handler to free the Decrypted Data Buffer. */
+ tvb_set_free_cb(tvb_decrypted,g_free);
+
+ /* Make sure the packet is not truncated before the fields
+ * we need to read to determine the encapsulated protocol */
+ if(tvb_bytes_exist(tvb_decrypted, esp_decrypted_len - 2, 2))
{
- /* Get the encapsulated protocol */
- encapsulated_protocol = tvb_get_guint8(tvb_decrypted, decrypted_len - esp_auth_len - 1);
+ esp_pad_len = tvb_get_guint8(tvb_decrypted, esp_decrypted_len - 2);
- if(dissector_try_port(ip_dissector_table,
- encapsulated_protocol,
- tvb_new_subset(tvb_decrypted, esp_iv_len,
- decrypted_len - esp_auth_len - esp_pad_len - esp_iv_len - 2,
- decrypted_len - esp_auth_len - esp_pad_len - esp_iv_len - 2),
- pinfo,
- tree))
+ if(esp_decrypted_len -2 -esp_pad_len >= 0)
{
- decrypt_dissect_ok = TRUE;
+ /* Get the encapsulated protocol */
+ encapsulated_protocol = tvb_get_guint8(tvb_decrypted, esp_decrypted_len - 1);
+ if(dissector_try_port(ip_dissector_table,
+ encapsulated_protocol,
+ tvb_new_subset(tvb_decrypted, 0, esp_decrypted_len -2 -esp_pad_len,
+ esp_decrypted_len -2 -esp_pad_len),
+ pinfo,
+ tree))
+ {
+ decrypt_dissect_ok = TRUE;
+ }
}
+
}
- }
-
- if(decrypt_dissect_ok)
- {
- if(esp_tree)
+ if(decrypt_dissect_ok)
{
- if(esp_pad_len !=0)
- proto_tree_add_text(esp_tree, tvb_decrypted, decrypted_len - esp_auth_len - 2 - esp_pad_len, esp_pad_len,"Pad");
+ if(esp_tree)
+ {
+ if(esp_pad_len !=0)
+ proto_tree_add_text(esp_tree, tvb_decrypted, esp_decrypted_len - 2 - esp_pad_len, esp_pad_len,"Pad");
+
+ proto_tree_add_uint(esp_tree, hf_esp_pad_len, tvb_decrypted,
+ esp_decrypted_len - 2, 1,
+ esp_pad_len);
+
+ proto_tree_add_uint_format(esp_tree, hf_esp_protocol, tvb_decrypted,
+ esp_decrypted_len - 1, 1,
+ encapsulated_protocol,
+ "Next header: %s (0x%02x)",
+ ipprotostr(encapsulated_protocol), encapsulated_protocol);
+ if(esp_tree)
+ dissect_esp_authentication(esp_tree, tvb, len, esp_ctx.auth_len,
+ esp_authenticator_computed_str, authentication_ok, authentication_checking_ok);
+
+ esp_free_ctxt(&esp_ctx);
- proto_tree_add_uint(esp_tree, hf_esp_pad_len, tvb_decrypted,
- decrypted_len - esp_auth_len - 2, 1,
- esp_pad_len);
-
- proto_tree_add_uint_format(esp_tree, hf_esp_protocol, tvb_decrypted,
- decrypted_len - esp_auth_len - 1, 1,
- encapsulated_protocol,
- "Next header: %s (0x%02x)",
- ipprotostr(encapsulated_protocol), encapsulated_protocol);
-
- dissect_esp_authentication(esp_tree, tvb_decrypted, decrypted_len, esp_auth_len, authenticator_data_computed, authentication_ok, authentication_checking_ok );
-
+ }
}
+
+ else
+ {
+ call_dissector(data_handle,
+ tvb_new_subset(tvb_decrypted, 0, esp_decrypted_len, esp_decrypted_len),
+ pinfo, esp_tree);
+
+ if(esp_tree)
+ dissect_esp_authentication(esp_tree, tvb, len, esp_ctx.auth_len,
+ esp_authenticator_computed_str, authentication_ok, authentication_checking_ok );
+
+ esp_free_ctxt(&esp_ctx);
+ }
+
}
+
else
{
- call_dissector(data_handle,
- tvb_new_subset(tvb_decrypted, 0, decrypted_len - esp_auth_len, decrypted_len - esp_auth_len),
- pinfo, esp_tree);
-
- if(esp_tree)
- dissect_esp_authentication(esp_tree, tvb_decrypted, decrypted_len, esp_auth_len, authenticator_data_computed, authentication_ok, authentication_checking_ok );
-
+ /* Cannot decrypt the packet */
+ null_encryption_decode_heuristic = g_esp_enable_null_encryption_decode_heuristic;
+ esp_free_ctxt(&esp_ctx);
}
}
-
+
}
-
+
else
{
- /* The packet does not belong to a security Association */
+ /* Cannot init ESP context*/
null_encryption_decode_heuristic = g_esp_enable_null_encryption_decode_heuristic;
+ esp_free_ctxt(&esp_ctx);
}
-
- g_free(ip_src);
- g_free(ip_dst);
- if(esp_auth_key_len != 0) g_free(esp_auth_key);
- if(esp_crypt_key_len != 0) g_free(esp_crypt_key);
-
}
- }
+
+ else
+ {
+ /* The packet does not belong to a security Association */
+ null_encryption_decode_heuristic = g_esp_enable_null_encryption_decode_heuristic;
+ }
+ g_free(ip_src);
+ g_free(ip_dst);
+ }
}
-
+
+
/*
If the packet is present in the security association database and the field g_esp_enable_authentication_check set.
*/
@@ -2359,12 +2884,15 @@
{
sad_is_present = FALSE;
call_dissector(data_handle,
- tvb_new_subset(tvb, sizeof(struct newesp), len - sizeof(struct newesp) - esp_auth_len, -1),
+ tvb_new_subset(tvb, sizeof(struct newesp), len - sizeof(struct newesp) - esp_ctx.auth_len,
+ len - sizeof(struct newesp) - esp_ctx.auth_len),
pinfo, esp_tree);
if(esp_tree)
- dissect_esp_authentication(esp_tree, tvb, len , esp_auth_len, authenticator_data_computed, authentication_ok, authentication_checking_ok );
-
+ dissect_esp_authentication(tree, tvb, len, esp_ctx.auth_len,
+ esp_authenticator_computed_str, authentication_ok, authentication_checking_ok );
+
+ esp_free_ctxt(&esp_ctx);
}
@@ -2372,6 +2900,7 @@
else if(null_encryption_decode_heuristic)
{
#endif
+
if(g_esp_enable_null_encryption_decode_heuristic)
{
/* Get length of whole ESP packet. */
@@ -2386,8 +2915,8 @@
if(dissector_try_port(ip_dissector_table,
encapsulated_protocol,
tvb_new_subset(tvb,
- sizeof(struct newesp),
- -1,
+ sizeof(struct newesp),
+ len - sizeof(struct newesp) - 14 - esp_pad_len,
len - sizeof(struct newesp) - 14 - esp_pad_len),
pinfo,
tree))
@@ -2406,10 +2935,10 @@
esp_pad_len);
proto_tree_add_uint_format(esp_tree, hf_esp_protocol, tvb,
- len - 13, 1,
- encapsulated_protocol,
- "Next header: %s (0x%02x)",
- ipprotostr(encapsulated_protocol), encapsulated_protocol);
+ len - 13, 1,
+ encapsulated_protocol,
+ "Next header: %s (0x%02x)",
+ ipprotostr(encapsulated_protocol), encapsulated_protocol);
/* Make sure we have the auth trailer data */
if(tvb_bytes_exist(tvb, len - 12, 12))
@@ -2427,9 +2956,9 @@
}
}
#ifdef HAVE_LIBGCRYPT
-
- }
-
+
+ }
+
#endif
}
@@ -2558,6 +3087,7 @@
{"descbc", "DES-CBC [RFC2405]", IPSEC_ENCRYPT_DES_CBC},
{"blowfishcbc","BLOWFISH-CBC [RFC2451]", IPSEC_ENCRYPT_BLOWFISH_CBC},
{"twofishcbc","TWOFISH-CBC", IPSEC_ENCRYPT_TWOFISH_CBC},
+ {"cast5cbc","CAST5-CBC", IPSEC_ENCRYPT_CAST5_CBC},
{NULL,NULL,0}
};
@@ -2565,8 +3095,9 @@
{"null", "NULL", IPSEC_AUTH_NULL},
{"hmacsha196", "HMAC-SHA1-96 [RFC2404]", IPSEC_AUTH_HMAC_SHA1_96},
- {"hmacsha256", "HMAC-SHA256", IPSEC_AUTH_HMAC_SHA256},
+ {"hmacsha256", "HMAC-SHA256-96", IPSEC_AUTH_HMAC_SHA256_96},
{"hmacmd596", "HMAC-MD5-96 [RFC2403]", IPSEC_AUTH_HMAC_MD5_96},
+ {"hmacripemd96", "HMAC-RIPEMD160-96 [RFC2857]", IPSEC_AUTH_HMAC_RIPEMD160_96},
/* {"aesxcbcmac96", "AES-XCBC-MAC-96 [RFC3566]", IPSEC_AUTH_AES_XCBC_MAC_96}, */
{"any12bytes", "ANY 12-bytes of Authentication [No Checking]", IPSEC_AUTH_ANY_12BYTES},
{NULL,NULL,0}
@@ -2653,13 +3184,13 @@
g_string_sprintf(title_str,"SA #%d", i + 1);
prefs_register_string_preference(esp_module, name_str->str, title_str->str,
- "SA identifier. Must have the form "
- "\"Protocol|Source Address|Destination Adress|SPI\". "
- "Example: \"IPv4|192.168.0.45|10.1.2.7|*\" "
- "See the ESP Preferences page on the Wireshark wiki "
- "(http://wiki.wireshark.org/ESP_Preferences) for "
- "more details.",
- &g_esp_sad.table[i].sa);
+ "SA identifier. Must have the form "
+ "\"Protocol|Source Address|Destination Adress|SPI\". "
+ "Example: \"IPv4|192.168.0.45|10.1.2.7|*\" "
+ "See the ESP Preferences page on the Wireshark wiki "
+ "(http://wiki.wireshark.org/ESP_Preferences) for "
+ "more details.",
+ &g_esp_sad.table[i].sa);
PREF_STR_FREE();
@@ -2668,8 +3199,8 @@
g_string_sprintf(title_str, "Encryption Algorithm #%d", i + 1);
prefs_register_enum_preference(esp_module, name_str->str, title_str->str,
- "Encryption algorithm",
- &g_esp_sad.table[i].encryption_algo, esp_encryption_algo, FALSE);
+ "Encryption algorithm",
+ &g_esp_sad.table[i].encryption_algo, esp_encryption_algo, FALSE);
PREF_STR_FREE();
PREF_STR_INIT();
@@ -2677,8 +3208,8 @@
g_string_sprintf(title_str, "Authentication Algorithm #%d", i + 1);
prefs_register_enum_preference(esp_module, name_str->str, title_str->str,
- "Authentication algorithm",
- &g_esp_sad.table[i].authentication_algo, esp_authentication_algo, FALSE);
+ "Authentication algorithm",
+ &g_esp_sad.table[i].authentication_algo, esp_authentication_algo, FALSE);
PREF_STR_FREE();
@@ -2687,12 +3218,12 @@
g_string_sprintf(title_str, "Encryption Key #%d", i + 1);
prefs_register_string_preference(esp_module, name_str->str, title_str->str,
- "Encryption key. May be ASCII or hexadecimal (if "
- "prepended with 0x)."
- "See the ESP Preferences page on the Wireshark wiki "
- "(http://wiki.wireshark.org/ESP_Preferences) for "
- "supported sizes.",
- &g_esp_sad.table[i].encryption_key);
+ "Encryption key. May be ASCII or hexadecimal (if "
+ "prepended with 0x)."
+ "See the ESP Preferences page on the Wireshark wiki "
+ "(http://wiki.wireshark.org/ESP_Preferences) for "
+ "supported sizes.",
+ &g_esp_sad.table[i].encryption_key);
PREF_STR_FREE();
@@ -2701,12 +3232,12 @@
g_string_sprintf(title_str, "Authentication Key #%d", i + 1);
prefs_register_string_preference(esp_module, name_str->str, title_str->str,
- "Authentication key. May be ASCII or hexadecimal (if "
- "prepended with 0x)."
- "See the ESP Preferences page on the Wireshark wiki "
- "(http://wiki.wireshark.org/ESP_Preferences) for "
- "supported sizes.",
- &g_esp_sad.table[i].authentication_key);
+ "Authentication key. May be ASCII or hexadecimal (if "
+ "prepended with 0x)."
+ "See the ESP Preferences page on the Wireshark wiki "
+ "(http://wiki.wireshark.org/ESP_Preferences) for "
+ "supported sizes.",
+ &g_esp_sad.table[i].authentication_key);
PREF_STR_FREE();
}
- Follow-Ups:
- Re: [Wireshark-dev] [Patch] : IPsec
- From: Jaap Keuter
- Re: [Wireshark-dev] [Patch] : IPsec
- Prev by Date: Re: [Wireshark-dev] Microsoft Visual C Version 6 support isa bitoutdated ...
- Next by Date: Re: [Wireshark-dev] Microsoft Visual C Version 6 support is a bitoutdated ...
- Previous by thread: Re: [Wireshark-dev] Microsoft Visual C Version 6 support isa bitoutdated ...
- Next by thread: Re: [Wireshark-dev] [Patch] : IPsec
- Index(es):
- Get Wireshark
- Download
- Code of Conduct