How to see outgoing ESP packets in tcpdump before they get encrypted

linux encryption tcpdump ipsec
12,254

You have three questions in your question :

  1. How to see outgoing ESP packets in tcpdump before they get encrypted ?
  2. How it works actually in the linux kernel ?
  3. Is there a way to see the packets on sender side in tcpdump before they get encrypted ?

The answer to the third question is

It depends on your kernel and which implementation you are using. If you are using KLIPS in 2.4 Kernel as part of any of the *swan solutions, then Yes.

Otherwise if you are using the 2.6 kernel which uses the KAME / *BSD model then

No, unless you change your Ipssec or iptables configuration so that you send the packets to another interface unencrypted and then forward the unencrypted packets to an interface which they will be encrypted on.

The answer to the first question is change your iptables configuration and IPSec configuration.

  1. To send the data from one interface to another interface on the same host.
  2. To setup forwarding of data from that second interface to your destination
  3. configure the ip address of the second interface in the security policy to create the tunnel on the second interface.

This way could can tcpdump on the encrypted interface without changing anything and before the data is encrypted.

For the KLIPS and 2.4 kernel it is just as simple as specific the interface in tcpdump as ipsec0 using the -i switch.

Other options to see the data unencrypted involve using tcpdump with -E flag and relevant parameters (see man page) which decrypts the data after it is encrypted or to use tcpdump to capture the encrypted data and then decrypt it in Wireshark (more information regarding ESP decryption of IPSec in Wireshark is located here).

Alternatively you can place instrumentation using printk or printk_times in the source code to xfrm or esp_input.

Regarding the second question, there are several pictures which explain how it works at a high level including the ones explaining the Solaris Implementation as part of Oracle's System Administration Guide: IP Services and Linux's Foundation Network Flow through the kernel diagram.

Also see the following reference. Basically either manual configuration using setkey or automatic configuration using an IKE daemon in userspace passes the information to the XFRM which then transforms the packet before it reaches netfilter prerouting.

See here for more information on the history of KLIPS and KAME.

Share:
12,254
Admin
Author by

Admin

Updated on July 25, 2022

Comments

  • Admin
    Admin almost 2 years

    I have a setup having Ipsec Tunnel between two end systems. When I capture packets on outgoing interface e.g eth0 I can only see encrypted ESP packets going out of my system. I have to go and look at the receiving end to see what was actually transmitted i.e on the receiving end I can see packets after decryption. similarly for the ack sent by receiver. How it works actually in the linux kernel ? Is there a way to see the packets on sender side in tcpdump before they get encrypted ?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

What do "Unknown SSAP" and "Unknown DSAP" mean in tcpdump?
tcpdump error message "That device doesn't support monitor mode"
Using tcpdump, how do I see as plainly as possible an unencrypted SMTP conversation?
Can't link OpenSSL code
How to see all Request URLs the server is doing (final URLs)
How to remove LUKS encryption?
How do I configure systemd to activate an encrypted swap file?
What's the easiest way to decrypt a disk partition?
"Hacking" Into my own 500 GB Seagate External Hard-drive
How to decrypt a Ubuntu 16.10 encrypted home folder?