cactuschibre

Reputation: 2375

Wireshark - Save decrypted ESP packets to PCAP

I am looking for an export function in Wireshark (or tshark, whatever) to save my decrypted ESP packets (decrypted with SPI, AES128-CBC, HMAC-SHA1 keys). Displayed packets are decrypted, but if I save them to a pcap file (with File > Save specific packets), they are saved as encrypted ...

Same with tshark -r my.pcap -w out.pcap ...

Any idea?

Upvotes: 1

Views: 786

Answers (1)

JaeMann Yeh

Reputation: 373

I have no idea whether Wireshark supports such a feature.

If the capture file was decrypted on PC1 and you want to see it on PC2, append your PC1's esp_sa file to PC2's esp_sa and add a newline to the end of PC2's esp_sa.

esp_sa is a text file and you can find it under

C:\Users\YourUserName\AppData\Roaming\Wireshark\

Upvotes: 0
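The merge described in the answer above, as an added example that is not part of the original answer: it appends PC1's esp_sa records to PC2's file, skips records PC2 already has, and makes sure every record ends with a newline. The function names and the sample records are assumptions made for illustration; records are treated as opaque lines.

```python
import tempfile
from pathlib import Path

def _records(path: Path) -> list[str]:
    """Non-empty, non-comment lines of an esp_sa file (LF or CRLF)."""
    if not path.exists():
        return []
    lines = (ln.strip() for ln in path.read_text(encoding="utf-8").splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def merge_esp_sa(src: Path, dst: Path) -> int:
    """Append records from src (PC1) that dst (PC2) lacks; return how many."""
    seen = set(_records(dst))
    new = []
    for rec in _records(src):
        if rec not in seen:
            seen.add(rec)
            new.append(rec)
    if not new:
        return 0
    raw = dst.read_text(encoding="utf-8") if dst.exists() else ""
    # Without a trailing newline in dst, the first appended record would be
    # glued onto the end of dst's last line.
    if raw and not raw.endswith("\n"):
        raw += "\n"
    # Every record, the last one included, is newline-terminated.
    dst.write_text(raw + "".join(rec + "\n" for rec in new), encoding="utf-8")
    return len(new)

def demo() -> tuple[int, int, str]:
    # Constructed records: addresses, SPIs and keys are made up, and the
    # field layout is an assumption about how Wireshark stores ESP SAs.
    head = "# constructed header comment\n"
    sa_a = ('"IPv4","192.0.2.1","192.0.2.2","0x00001000","AES-CBC [RFC3602]",'
            '"0x00112233445566778899aabbccddeeff","HMAC-SHA-1-96 [RFC2404]",'
            '"0x000102030405060708090a0b0c0d0e0f10111213"')
    sa_b = sa_a.replace("0x00001000", "0x00002000")
    with tempfile.TemporaryDirectory() as tmp:
        pc1, pc2 = Path(tmp, "pc1_esp_sa"), Path(tmp, "pc2_esp_sa")
        pc1.write_text(head + sa_a + "\r\n" + sa_b + "\r\n", encoding="utf-8")
        pc2.write_text(head + sa_a, encoding="utf-8")  # no trailing newline
        first = merge_esp_sa(pc1, pc2)   # only sa_b is new to PC2
        second = merge_esp_sa(pc1, pc2)  # re-running adds nothing
        return first, second, pc2.read_text(encoding="utf-8")
```

esp_sa contains the ESP encryption and authentication keys, so move it between machines the way you would move any other key material.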
