
Wireshark-users: Re: [Wireshark-users] OpenBSD enc0 capture from tcpdump fails to decode

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 25 Sep 2009 11:53:39 -0700

On Sep 21, 2009, at 8:38 PM, Brad Guillory wrote:

# hexdump /tmp/esp2-cut.pcap
0000000 c3d4 a1b2 0002 0004 0000 0000 0000 0000
0000010 07d0 0000 000d
                  ^^^^

BSD/OS SLIP?  That's certainly an odd link-layer type....

Unfortunately, there are a few DLT_ values that don't mean the same thing in all OSes. 13 is one of them; in FreeBSD and NetBSD, for example, it means BSD/OS SLIP, whereas, in OpenBSD, it means "encapsulated IPSec packets" - and, in BSD/OS itself, it meant RFC 1483-encapsulated ATM.

It's really really unfortunate that this happened; that's why libpcap from tcpdump.org, as opposed to libpcap from OpenBSD, will write out "encapsulated IPSec packets" captures with a DLT_ value of 109, which is a value *not* used for any other purpose.

# tcpdump -r /tmp/esp2-cut.pcap -X
tcpdump: WARNING: snaplen raised from 96 to 2000
23:37:42.887582 (authentic,confidential): SPI 0x2535b0d7: 192.168.9.70.5900 > 192.168.255.2.52761: P 671211301:671211581(280) ack 1486745460 win 33156 <nop,nop,timestamp 293230792 225510712> (DF) (encap)

That's presumably tcpdump on your OpenBSD machine; tcpdump on my Mac fails:

	$ tcpdump -n -r /tmp/esp2-cut.pcap
	reading from file /tmp/esp2-cut.pcap, link-type 13
	tcpdump: unknown data link type 13

as does tcpdump.org tcpdump built from source with tcpdump.org's libpcap:

	$ ./tcpdump -n -r /tmp/esp2-cut.pcap
	reading from file /tmp/esp2-cut.pcap, link-type 13
	tcpdump: unknown data link type 13

Now, given that BSD/OS died a while ago, we could just treat a link-layer type of 13 as "encapsulated IPSec packets". (Of course, OpenBSD could just write them out with a link-layer type of 109 in the file, too - nothing *requires* that the value returned by pcap_datalink() and the value in the file be the same, and, in fact, tcpdump.org's libpcap maps them, precisely to *avoid* this problem.)

Try changing

#if defined(DLT_ATM_RFC1483) && (DLT_ATM_RFC1483 == 13)
	{ 13,		WTAP_ENCAP_ATM_RFC1483 },
#elif defined(DLT_ENC) && (DLT_ENC == 13)
	{ 13,		WTAP_ENCAP_ENC },
#endif

in wiretap/pcap-common.c in the Wireshark source to just

	{ 13,		WTAP_ENCAP_ENC },

and recompiling.
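As an added example, not part of Guy's mail or of the Wireshark/tcpdump sources: a small Python script that parses a pcap global header, flags link-layer type 13 as OS-dependent, and rewrites that field to 109 (LINKTYPE_ENC, the value tcpdump.org's libpcap writes for DLT_ENC) so the file can be read by tcpdump.org tcpdump and Wireshark without recompiling. The 24 header bytes are reconstructed from the hexdump quoted above (the two high bytes of the link-type field, cut off in the dump, are assumed zero); the single packet record appended to them is constructed. The rewrite is only correct when you know the file came from OpenBSD enc0, which is exactly the ambiguity the mail describes.

```python
"""Inspect a pcap global header and rewrite an OpenBSD DLT_ENC (13) link type to
LINKTYPE_ENC (109), the unambiguous value tcpdump.org libpcap writes."""
import struct
import sys

# pcap global header layout (24 bytes):
#   magic(4) version_major(2) version_minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond timestamps
GLOBAL_HEADER_LEN = 24
LINKTYPE_OFFSET = 20

LINKTYPE_ENC = 109  # "encapsulated IPsec packets", same meaning on every OS

# Link-type values whose meaning depends on which OS's libpcap wrote the file.
AMBIGUOUS_LINKTYPES = {
    13: {
        "OpenBSD": "DLT_ENC (encapsulated IPsec packets, enc0)",
        "FreeBSD/NetBSD": "DLT_SLIP_BSDOS",
        "BSD/OS": "DLT_ATM_RFC1483",
    },
}


def parse_global_header(data):
    """Return the pcap global header fields plus the struct byte-order prefix."""
    if len(data) < GLOBAL_HEADER_LEN:
        raise ValueError("file shorter than a pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack_from(endian + "I", data, 0)[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file: magic %s" % data[:4].hex())
    major, minor, thiszone, sigfigs, snaplen, linktype = struct.unpack_from(
        endian + "HHiIII", data, 4)
    return {
        "endian": endian, "nanosecond": magic == PCAP_MAGIC_NSEC,
        "version": (major, minor), "thiszone": thiszone, "sigfigs": sigfigs,
        "snaplen": snaplen, "linktype": linktype,
    }


def describe_linktype(linktype):
    """Explain a link-type value, warning when its meaning is OS-dependent."""
    if linktype == LINKTYPE_ENC:
        return "109: LINKTYPE_ENC, OpenBSD encapsulated IPsec (unambiguous)"
    if linktype in AMBIGUOUS_LINKTYPES:
        alts = "; ".join("%s: %s" % kv for kv in AMBIGUOUS_LINKTYPES[linktype].items())
        return "%d: AMBIGUOUS, depends on the writing OS (%s)" % (linktype, alts)
    return "%d: link-layer type %d" % (linktype, linktype)


def rewrite_linktype(data, new_linktype):
    """Return a copy of the capture with only the header's link-type field changed."""
    hdr = parse_global_header(data)
    out = bytearray(data)
    struct.pack_into(hdr["endian"] + "I", out, LINKTYPE_OFFSET, new_linktype)
    return bytes(out)


def fix_openbsd_enc_capture(data):
    """Map link type 13 to 109 for a file known to come from OpenBSD enc0.

    Only do this when you know the origin: on a FreeBSD/NetBSD capture the same
    value 13 means BSD/OS SLIP and the rewrite would mislabel the data.
    """
    if parse_global_header(data)["linktype"] == 13:
        return rewrite_linktype(data, LINKTYPE_ENC)
    return data


# Header bytes reconstructed from the hexdump quoted in the thread (little-endian
# magic, version 2.4, snaplen 2000, link type 13; the two high bytes of the
# link-type field, cut off in the dump, are assumed zero).
SAMPLE_HEADER = bytes.fromhex("d4c3b2a1" "0200" "0400" "00000000" "00000000"
                              "d0070000" "0d000000")
# One constructed packet record (ts_sec, ts_usec, incl_len, orig_len + 4 payload
# bytes) so the rewrite can be shown to leave packet data alone. Not from the thread.
SAMPLE_RECORD = struct.pack("<IIII", 1253500000, 887582, 4, 4) + b"\xde\xad\xbe\xef"
SAMPLE_PCAP = SAMPLE_HEADER + SAMPLE_RECORD


if __name__ == "__main__":
    # Usage: python fix_enc_pcap.py in.pcap [out.pcap]; with no arguments, use the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    hdr = parse_global_header(raw)
    print("snaplen %d, %s" % (hdr["snaplen"], describe_linktype(hdr["linktype"])))
    fixed = fix_openbsd_enc_capture(raw)
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(fixed)
    print("after fix: " + describe_linktype(parse_global_header(fixed)["linktype"]))
```

The script honours the byte order the magic number declares, so a big-endian capture gets its link-type field rewritten correctly too; the packet records are copied through untouched, since only the 4-byte field at offset 20 changes. Run it on a copy of the file, then open the result in tcpdump.org tcpdump or Wireshark, which already map 109 to encapsulated IPsec.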