Wireshark-users: Re: [Wireshark-users] OpenBSD enc0 capture from tcpdump failes to decode
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 25 Sep 2009 11:53:39 -0700

On Sep 21, 2009, at 8:38 PM, Brad Guillory wrote:

# hexdump /tmp/esp2-cut.pcap
0000000 c3d4 a1b2 0002 0004 0000 0000 0000 0000
0000010 07d0 0000 000d

BSD/OS SLIP?  That's certainly an odd link-layer type....

Unfortunately, there are a few DLT_ values that don't mean the same thing in all OSes. 13 is one of them; in FreeBSD and NetBSD, for example, it means BSD/OS SLIP, whereas, in OpenBSD, it means "encapsulated IPSec packets" - and, in BSD/OS itself, it meant RFC 1483-encapsulated ATM.

It's really really unfortunate that this happened; that's why libpcap from tcpdump.org, as opposed to libpcap from OpenBSD, will write out "encapsulated IPSec packets" captures with a DLT_ value of 109, which is a value *not* used for any other purpose.

# tcpdump -r /tmp/esp2-cut.pcap -X
tcpdump: WARNING: snaplen raised from 96 to 2000
23:37:42.887582 (authentic,confidential): SPI 0x2535b0d7: > P 671211301:671211581(280) ack 1486745460 win 33156 <nop,nop,timestamp 293230792 225510712> (DF) (encap)

That's presumably tcpdump on your OpenBSD machine; tcpdump on my Mac fails:

	$ tcpdump -n -r /tmp/esp2-cut.pcap
	reading from file /tmp/esp2-cut.pcap, link-type 13
	tcpdump: unknown data link type 13

as does tcpdump.org tcpdump built from source with tcpdump.org's libpcap:

	$ ./tcpdump -n -r /tmp/esp2-cut.pcap
	reading from file /tmp/esp2-cut.pcap, link-type 13
	tcpdump: unknown data link type 13

Now, given that BSD/OS died a while ago, we could just treat a link- layer type of 13 as "encapsulated IPSec packets". (Of course, OpenBSD could just write them out with a link-layer type of 109 in the file, too - nothing *requires* that the value returned by pcap_datalink() and the value in the file be the same, and, in fact, tcpdump.org's libpcap maps them, precisely to *avoid* this problem.)

Try changing

#if defined(DLT_ATM_RFC1483) && (DLT_ATM_RFC1483 == 13)
	{ 13,		WTAP_ENCAP_ATM_RFC1483 },
#elif defined(DLT_ENC) && (DLT_ENC == 13)
	{ 13,		WTAP_ENCAP_ENC },

in wiretap/pcap-common.c in the Wireshark source to just

	{ 13,		WTAP_ENCAP_ENC },

and recompiling.