Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-71-1953353.1
Update Date: 2016-06-03

Solution Type: Technical Instruction

Solution 1953353.1: Decoding ESP Packets for IPSEC-IMS-AKA in Wireshark for Acme Packet Troubleshooting


Related Items
  • Acme Packet 3820
  • Netra Server X3-2 for Acme Packet
  • Integrated Software for Netra Server X3-2 for Acme Packet
  • Acme Packet 4500
  • Integrated Software for Acme Packet Legacy Platform
  • Acme Packet 6300
  • Acme Packet 1100

Related Categories
  • PLA-Support>Sun Systems>CommsGBU>Session Delivery Network>SN-SND: Acme Service Provider



In this Document
Goal
Solution
 Below are a few items that the document assumes
 Steps to Decode


Applies to:

Integrated Software for Acme Packet Legacy Platform - Version All Versions and later
Acme Packet 4500 - Version S-Cx6.0.x and later
Acme Packet 3820 - Version S-Cx6.3.0 and later
Acme Packet 6300 - Version S-Cz7.0.2 and later
Acme Packet 1100 - Version E-Cz7.2.0 and later
Acme Packet OS

Goal

 This document aims to provide a quick how-to for decoding ESP packets in Wireshark.

Solution

This document assumes the following:

  1. Wireshark version 1.8.2 is running on Windows. This procedure should also work with Wireshark 1.6.14, but it might not work with Wireshark version 2.x.
  2. The encryption key (CK), authentication key (IK), encryption algorithm, authentication algorithm and SPI values for all the UEs in the trace are available. This data can be collected from the WWW-Authenticate header of the SIP 401 Unauthorized message sent from the I-CSCF to the P-CSCF.

Steps to Decode

  1. Once you have opened the pcap file in Wireshark, click Edit >> Preferences >> Protocols >> ESP (scroll down to ESP).
  2. Check the box labelled "Attempt to detect/decode encrypted ESP payloads". If you need to decode NULL encryption, also check the box labelled "Attempt to detect/decode NULL encrypted ESP payloads".

[Screenshot: Decode_ESP_packets_-_Image_1_-Wireshark_Preferences]

  3. Now click Edit; a new window opens showing the ESP Security Associations (SAs). Click New to create a new SA, or select an existing SA to edit it.
  4. Create a new SA with the details taken from the Wireshark trace and the collected information: the keys (IK and CK), the SPIs, the encryption and authentication algorithms, and the source and destination IPs.

[Screenshot: edit_Profile_for_IPv6]

  5. The keys (IK and CK) are hex values and must be prefixed with "0x" when entered in Wireshark to decode ESP packets.
  6. When entering the values for an SA, make sure there is no leading or trailing whitespace; stray spaces can cause Wireshark to not decode the packets.
  7. IPs and SPI values can be wildcarded with "*". If wildcards are used and several SAs share the same source and destination IPs, the SA listed highest has the higher priority.
  8. Once you have created an SA, click OK and then Apply in both windows to force Wireshark to decode ESP packets. You may need to create multiple SAs, since one SA decodes only packets from one source IP to one destination IP; if there are multiple source/destination IP pairs, multiple SAs are needed.
  9. Once Wireshark has decoded the packets, the decoded headers (for example TCP) appear below the ESP header.

[Screenshot: Wireshark_showing_decoded_headers]

  10. If, after decryption, some packets are shown as Malformed, you may need to force Wireshark to decode them as SIP: right-click the packet, click "Decode As", select SIP from the protocol list and click OK. Below is a screenshot.

[Screenshot: forcing_wireshark_to_decode_malformed_packets]
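As an added example (not code from this Oracle note or from Acme Packet), the following Python script assembles the values the ESP SA dialog asks for directly from the SIP messages, which avoids the copy-and-paste mistakes the key-entry tips above warn about. It takes CK and IK from the WWW-Authenticate header of the 401 as the note describes, takes the SPIs and algorithm names from the Security-Client header of the REGISTER and the Security-Server header of the 401 (RFC 3329, where they are negotiated), normalises the keys into the whitespace-free, 0x-prefixed form Wireshark needs, and lays out the four transport-mode SAs of 3GPP TS 33.203 (one per direction and port pair) so each can be typed in as its own row. The sample messages, IP addresses, keys and SPIs are constructed; the Wireshark drop-down labels in ENC_LABEL/AUTH_LABEL and the CK/IK-to-ESP-key expansion in esp_keys (zero-padding IK to 160 bits for HMAC-SHA-1-96, CK1||CK2||CK1 for 3DES) are my reading of the Wireshark dialog and of TS 33.203 Annex I, and should be checked against the Wireshark build and the release in use.

```python
"""Derive Wireshark ESP SA rows from an IMS-AKA SIP REGISTER / 401 exchange.

Added example; not from the Oracle note or from Acme Packet software.
"""
import re

# Constructed sample addresses and messages: every key, nonce and SPI is made up.
# The ck value deliberately carries surrounding spaces to show the normalisation.
UE_IP = "10.0.0.2"
PCSCF_IP = "10.0.0.1"

SAMPLE_REGISTER = (
    "REGISTER sip:ims.example.com SIP/2.0\r\n"
    "Security-Client: ipsec-3gpp; alg=hmac-sha-1-96; ealg=aes-cbc; prot=esp; "
    "mod=trans; spi-c=23456; spi-s=23457; port-c=5060; port-s=5061\r\n"
    "\r\n"
)

SAMPLE_401 = (
    "SIP/2.0 401 Unauthorized\r\n"
    'WWW-Authenticate: Digest realm="ims.example.com", nonce="AAAAAAAAAAAAAAAAAAAAAA==", '
    'algorithm=AKAv1-MD5, ck=" 00112233445566778899AABBCCDDEEFF ", '
    'ik="ffeeddccbbaa99887766554433221100"\r\n'
    "Security-Server: ipsec-3gpp; q=0.1; alg=hmac-sha-1-96; ealg=aes-cbc; prot=esp; "
    "mod=trans; spi-c=34567; spi-s=34568; port-c=5062; port-s=5063\r\n"
    "\r\n"
)

# Assumed labels as shown in Wireshark's ESP SA dialog drop-downs (verify on your build).
ENC_LABEL = {
    "null": "NULL",
    "aes-cbc": "AES-CBC [RFC3602]",
    "des-ede3-cbc": "TripleDES-CBC [RFC2451]",
}
AUTH_LABEL = {
    "hmac-sha-1-96": "HMAC-SHA-1-96 [RFC2404]",
    "hmac-md5-96": "HMAC-MD5-96 [RFC2403]",
}


def header_value(msg, name):
    """Return the value of the first header called `name` (case-insensitive)."""
    for line in msg.split("\r\n"):
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    raise KeyError(f"header {name} not present")


def parse_params(value):
    """Parse 'k=v' parameters separated by ';' or ',' with quoted or bare values."""
    params = {}
    for m in re.finditer(r'([\w-]+)\s*=\s*(?:"([^"]*)"|([^;,\s]+))', value):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def wireshark_key(hex_key):
    """Strip surrounding whitespace and return the key in 0x-prefixed lowercase hex.
    Inner spaces or non-hex characters raise, since Wireshark would silently not decode."""
    k = hex_key.strip().lower()
    if k.startswith("0x"):
        k = k[2:]
    if not re.fullmatch(r"[0-9a-f]+", k) or len(k) % 2:
        raise ValueError(f"not a valid hex key: {hex_key!r}")
    return "0x" + k


def esp_keys(ck, ik, ealg, alg):
    """Expand the 128-bit AKA CK/IK into ESP keys (my reading of TS 33.203 Annex I,
    an assumption to verify): IK padded with 32 zero bits for HMAC-SHA-1-96,
    CK1||CK2||CK1 for 3DES, CK and IK used as-is for AES-CBC and HMAC-MD5-96."""
    ck_hex, ik_hex = wireshark_key(ck)[2:], wireshark_key(ik)[2:]
    if len(ck_hex) != 32 or len(ik_hex) != 32:
        raise ValueError("CK and IK must be 128-bit (32 hex digits)")
    enc = {"aes-cbc": ck_hex, "des-ede3-cbc": ck_hex + ck_hex[:16], "null": ""}[ealg]
    auth = {"hmac-sha-1-96": ik_hex + "00000000", "hmac-md5-96": ik_hex}[alg]
    return ("0x" + enc if enc else "", "0x" + auth)


def build_sas(ue_ip, pcscf_ip, register_msg, resp_401):
    """Return the four TS 33.203 transport-mode SAs as rows for the Wireshark dialog.
    A packet carries the SPI chosen by its receiver, so UE -> P-CSCF rows use the
    P-CSCF's SPIs (Security-Server) and P-CSCF -> UE rows use the UE's (Security-Client)."""
    client = parse_params(header_value(register_msg, "Security-Client"))
    server = parse_params(header_value(resp_401, "Security-Server"))
    auth = parse_params(header_value(resp_401, "WWW-Authenticate"))
    enc_key, auth_key = esp_keys(auth["ck"], auth["ik"], server["ealg"], server["alg"])
    common = dict(enc_alg=ENC_LABEL[server["ealg"]], enc_key=enc_key,
                  auth_alg=AUTH_LABEL[server["alg"]], auth_key=auth_key)

    def row(src, dst, spi, note):
        return dict(src=src, dst=dst, spi="0x%08x" % int(spi), note=note, **common)

    return [
        row(ue_ip, pcscf_ip, server["spi-s"], "UE client port -> P-CSCF server port"),
        row(pcscf_ip, ue_ip, client["spi-c"], "P-CSCF server port -> UE client port"),
        row(pcscf_ip, ue_ip, client["spi-s"], "P-CSCF client port -> UE server port"),
        row(ue_ip, pcscf_ip, server["spi-c"], "UE server port -> P-CSCF client port"),
    ]


if __name__ == "__main__":
    for sa in build_sas(UE_IP, PCSCF_IP, SAMPLE_REGISTER, SAMPLE_401):
        print(f"{sa['src']} -> {sa['dst']}  SPI {sa['spi']}  {sa['enc_alg']} {sa['enc_key']}  "
              f"{sa['auth_alg']} {sa['auth_key']}  # {sa['note']}")
```

Because all four SAs share the same keys, two rows with the SPI wildcarded (one per direction) also work, as the note allows; the explicit rows are the safer choice when several UEs register through the same P-CSCF, since each UE has its own CK/IK and SPIs.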


Copyright © 2018 Oracle, Inc.  All rights reserved.