tcpdump
tcpdump copied to clipboard
Published
20 hours ago •
the-tcpdump-group
the-tcpdump-group
[Patch] Add support for decrypting ESP packets in packet_dump mode
Converted from SourceForge issue 3431245, submitted by alanre
I got fed up decoding ESP manually so I added the functionality into tcpdump. I've enhanced the existing -E flag which currently only prints the decrypted ESP packets tp the screen
Now if -E and -w flags are present then both the raw ESP packet and the decoded ESP packet are dumped to the file.
( I use a perl based wrapper around tcpdump which extracts the SPIs and encryption keys from a setkey -D output)
cheers AlanE
Submitted by guy_harris
A version that dynamically allocates and reallocates the buffer, rather than imposing an arbitrary 1500-byte limit, might be better.
Even a version that prints a warning and continues, rather than exiting (error() exits) would be better.
The originally proposed patch:
diff -rupN tcpdump-org/Makefile.in tcpdump/Makefile.in
--- tcpdump-org/Makefile.in 2011-10-31 15:26:18.526869894 +0000
+++ tcpdump/Makefile.in 2011-10-31 15:30:29.964230206 +0000
@@ -93,7 +93,7 @@ CSRC = addrtoname.c af.c checksum.c cpac
print-symantec.c print-syslog.c print-tcp.c print-telnet.c print-tftp.c \
print-timed.c print-token.c print-udld.c print-udp.c print-usb.c \
print-vjc.c print-vqp.c print-vrrp.c print-vtp.c print-forces.c \
- print-wb.c print-zephyr.c signature.c setsignal.c tcpdump.c util.c
+ print-wb.c print-zephyr.c signature.c setsignal.c tcpdump.c util.c decrypt-esp.c
LIBNETDISSECT_SRC=print-isakmp.c
LIBNETDISSECT_OBJ=$(LIBNETDISSECT_SRC:.c=.o)
diff -rupN tcpdump-org/decrypt-esp.c tcpdump/decrypt-esp.c
--- tcpdump-org/decrypt-esp.c 1970-01-01 01:00:00.000000000 +0100
+++ tcpdump/decrypt-esp.c 2011-10-31 15:30:36.030853743 +0000
@@ -0,0 +1,232 @@
+/*
+ * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that: (1) source code distributions
+ * retain the above copyright notice and this paragraph in its entirety, (2)
+ * distributions including binary code include the above copyright notice and
+ * this paragraph in its entirety in the documentation or other materials
+ * provided with the distribution, and (3) all advertising materials mentioning
+ * features or use of this software display the following acknowledgement:
+ * ``This product includes software developed by the University of California,
+ * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
+ * the University nor the names of its contributors may be used to endorse
+ * or promote products derived from this software without specific prior
+ * written permission.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include <string.h>
+
+#include <tcpdump-stdinc.h>
+
+#include <stdlib.h>
+
+#ifdef HAVE_LIBCRYPTO
+#ifdef HAVE_OPENSSL_EVP_H
+#include <openssl/evp.h>
+#endif
+#endif
+
+#include <stdio.h>
+#include <netinet/in.h>
+
+#include "interface.h"
+#include "ether.h"
+#include "ip.h"
+#include "udp.h"
+#include "esp.h"
+#ifdef INET6
+#include "ip6.h"
+#endif
+
+#include "netdissect.h"
+#include "addrtoname.h"
+#include "extract.h"
+
+#ifndef HAVE_SOCKADDR_STORAGE
+#ifdef INET6
+struct sockaddr_storage {
+ union {
+ struct sockaddr_in sin;
+ struct sockaddr_in6 sin6;
+ } un;
+};
+#else
+#define sockaddr_storage sockaddr
+#endif
+#endif /* HAVE_SOCKADDR_STORAGE */
+
+#ifdef HAVE_LIBCRYPTO
+struct sa_list {
+ struct sa_list *next;
+ struct sockaddr_storage daddr;
+ u_int32_t spi; /* if == 0, then IKEv2 */
+ int initiator;
+ u_char spii[8]; /* for IKEv2 */
+ u_char spir[8];
+ const EVP_CIPHER *evp;
+ int ivlen;
+ int authlen;
+ u_char authsecret[256];
+ int authsecret_len;
+ u_char secret[256]; /* is that big enough for all secrets? */
+ int secretlen;
+};
+
+
+int esp_decrypt(u_char *user, const struct pcap_pkthdr *h, const u_char *sp, struct pcap_pkthdr *decrypt_h, u_char *decrypt_sp);
+u_int16_t ip_cksum(u_int16_t len, u_char buff[]);
+
+int esp_decrypt(u_char *user, const struct pcap_pkthdr *h, const u_char *sp, struct pcap_pkthdr *decrypt_h, u_char *decrypt_sp) {
+
+ struct ether_header *ether_h;
+ struct ip *ip_h, *decrypt_ip_h;
+ struct udphdr *udp_h;
+ struct newesp *esp_h;
+ struct sa_list *sa;
+ netdissect_options *ndo;
+ u_char *iv;
+ int ilen, olen, olen_final;
+ u_char *esp_data;
+ u_char pad, next_hdr;
+
+ EVP_CIPHER_CTX ctx;
+
+
+ /* Sanity check pcap_pkthdr */
+ if (h->caplen > 1500) {
+ error("Can't handle packets > 1500 bytes\n");
+ return(0);
+ }
+ if (h->caplen < h->len) {
+ error("Captured packet is truncated\n");
+ return(0);
+ }
+
+ decrypt_h->ts = h->ts;
+ ether_h = (struct ether_header*)(sp);
+ memcpy(decrypt_sp, sp, ETHER_HDRLEN);
+ sp = sp + ETHER_HDRLEN;
+ ip_h = (struct ip *)sp;
+ sp = sp + (IP_HL(ip_h)*4);
+
+ if (ip_h->ip_p == IPPROTO_ESP) {
+ esp_h = (struct newesp *)sp;
+ ilen = ntohs(ip_h->ip_len) - (IP_HL(ip_h)*4);
+ } else if (ip_h->ip_p == IPPROTO_UDP) {
+
+ /* Check if ESP is UDP ENC UDP Port 4500 */
+
+ udp_h = (struct udphdr*)sp;
+ if (ntohs(udp_h->uh_sport) == ISAKMP_PORT_NATT || ntohs(udp_h->uh_dport) == ISAKMP_PORT_NATT) {
+ sp = sp + sizeof(struct udphdr);
+ esp_h = (struct newesp *)sp;
+ ilen = ntohs(udp_h->uh_ulen) - sizeof(struct udphdr);
+ } else {
+ return(0);
+ }
+ }
+ else {
+ return(0);
+ }
+
+ sp = sp + sizeof(struct newesp) + 8;
+ esp_data = (u_char *)sp;
+
+ /* Strip of the 24 byte ESP Header and 12 byte ESP Authentication tail */
+ ilen = ilen - 28;
+ iv = (u_char *)(esp_h + sizeof(struct newesp));
+
+ /* see if we can find the SA, and if so, decode it */
+ ndo = gndo;
+ esp_print_decodesecret(ndo);
+ for (sa = ndo->ndo_sa_list_head; sa != NULL; sa = sa->next) {
+ struct sockaddr_in *sin = (struct sockaddr_in *)&sa->daddr;
+ if (sa->spi == ntohl(esp_h->esp_spi) &&
+ sin->sin_family == AF_INET &&
+ sin->sin_addr.s_addr == ip_h->ip_dst.s_addr) {
+ break;
+ }
+ }
+ if(sa == NULL) {
+ return 0;
+ }
+ if(sa->evp == NULL) {
+ return 0;
+ }
+
+ memset(&ctx, 0, sizeof(ctx));
+
+ if (EVP_DecryptInit_ex(&ctx, sa->evp, NULL, sa->secret, iv) != 1) {
+ EVP_CIPHER_CTX_cleanup(&ctx);
+ return 0;
+ }
+
+ EVP_CIPHER_CTX_set_padding(&ctx, 0); /* Disable padding */
+
+ if (EVP_DecryptUpdate(&ctx, decrypt_sp + ETHER_HDRLEN, &olen, esp_data, ilen) != 1) {
+ EVP_CIPHER_CTX_cleanup(&ctx);
+ return 0;
+ }
+ if (EVP_DecryptFinal_ex(&ctx, decrypt_sp + ETHER_HDRLEN + olen, &olen_final) != 1) {
+ EVP_CIPHER_CTX_cleanup(&ctx);
+ return 0;
+ }
+ EVP_CIPHER_CTX_cleanup(&ctx);
+ olen = olen + olen_final;
+ pad = decrypt_sp[ETHER_HDRLEN + olen - 2];
+ next_hdr = decrypt_sp[ETHER_HDRLEN + olen - 1];
+ olen = olen - pad - 2; /* Remove Pad, Pad Length and Next Hdr */
+
+
+/* Fixup the IP Header */
+
+ decrypt_ip_h = (struct ip *)(decrypt_sp + ETHER_HDRLEN);
+
+ decrypt_ip_h->ip_vhl = ip_h->ip_vhl;
+ decrypt_ip_h->ip_tos = ip_h->ip_tos;
+ decrypt_ip_h->ip_len = htons(olen);
+ decrypt_ip_h->ip_off = ip_h->ip_off;
+ decrypt_ip_h->ip_sum = 0x0000;
+ decrypt_ip_h->ip_sum = htons(ip_cksum(20, (u_char *)decrypt_ip_h));
+
+ decrypt_h->len = olen + ETHER_HDRLEN;
+ decrypt_h->caplen = olen + ETHER_HDRLEN;
+
+ return (1);
+
+}
+
+
+u_int16_t ip_cksum(u_int16_t len, u_char buff[]) {
+
+u_int16_t word16;
+u_int32_t sum=0;
+u_int16_t i;
+
+// make 16 bit words out of every two adjacent 8 bit words in the packet and add them up
+ for (i=0;i<len;i=i+2) {
+ word16 =((buff[i]<<8)&0xFF00)+(buff[i+1]&0xFF);
+ sum = sum + (u_int32_t) word16;
+ }
+
+// take only 16 bits out of the 32 bit sum and add up the carries
+ while (sum>>16)
+ sum = (sum & 0xFFFF)+(sum >> 16);
+
+// one's complement the result
+ sum = ~sum;
+
+ return ((u_int16_t) sum);
+}
+
+
+#endif // End ifdef HAVE_LIBCRYPTO
diff -rupN tcpdump-org/tcpdump.c tcpdump/tcpdump.c
--- tcpdump-org/tcpdump.c 2011-10-31 15:26:18.657904541 +0000
+++ tcpdump/tcpdump.c 2011-10-31 15:32:57.282095007 +0000
@@ -97,6 +97,8 @@ static int Jflag; /* list available ti
#endif
static char *zflag = NULL; /* compress each savefile using a specified command (like gzip or bzip2) */
+static int decrypt_esp_flag;
+
static int infodelay;
static int infoprint;
@@ -727,6 +729,7 @@ main(int argc, char **argv)
warning("crypto code not compiled in");
#endif
gndo->ndo_espsecret = optarg;
+ decrypt_esp_flag++;
break;
case 'f':
@@ -1571,6 +1574,8 @@ static void
dump_packet_and_trunc(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
{
struct dump_info *dump_info;
+ struct pcap_pkthdr decrypt_h;
+ u_char decrypt_sp[1500];
++packets_captured;
@@ -1681,6 +1686,11 @@ dump_packet_and_trunc(u_char *user, cons
}
pcap_dump((u_char *)dump_info->p, h, sp);
+ if (decrypt_esp_flag) {
+ if (esp_decrypt(user, h, sp, &decrypt_h, &decrypt_sp) == 1) {
+ pcap_dump(user, &decrypt_h, decrypt_sp);
+ }
+ }
#ifdef HAVE_PCAP_DUMP_FLUSH
if (Uflag)
pcap_dump_flush(dump_info->p);
@@ -1694,11 +1704,18 @@ dump_packet_and_trunc(u_char *user, cons
static void
dump_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
{
- ++packets_captured;
+ struct pcap_pkthdr decrypt_h;
+ u_char decrypt_sp[1500];
+ ++packets_captured;
++infodelay;
pcap_dump(user, h, sp);
+ if (decrypt_esp_flag) {
+ if (esp_decrypt(user, h, sp, &decrypt_h, &decrypt_sp) == 1) {
+ pcap_dump(user, &decrypt_h, decrypt_sp);
+ }
+ }
#ifdef HAVE_PCAP_DUMP_FLUSH
if (Uflag)
pcap_dump_flush((pcap_dumper_t *)user);
