- Subject: [Ethereal-users] ISAKMP Packets incorrectly decoded
- From: Brian Buesker <bbuesker@xxxxxxxxxxxx>
- Date: Tue, 04 Nov 2003 12:57:10 -0800
In doing some testing of IKE daemons for Linux, I have run into the
following problem. Occasionally, ethereal and tethereal will
incorrectly decode an ISAKMP packet (Identity Protection Mode, Quick
Mode, or Aggressive Mode). The protocol is correct. However, the
information field says "UDP Encapsulated IPSec - NAT Keepalive". tcpdump
does decode these packets correctly though.

The problem seems to occur more frequently when there are many ISAKMP
packets being exchanged. When it does occur, it usually occurs for an
entire phase 1 and phase 2 exchange for those source and destination
addresses. Sometimes it will occur on subsequent exchanges.

I have attached a packet capture in which this problem occurs. The first
six packets are Identity Protection Mode packets, and the last 6 are
Quick Mode packets. These packets came from a larger capture of many
more packets, some of which were decoded correctly and some of which
were not. I can provide this capture if desired.

Ethereal version: 0.9.16
tcpdump and libpcap version: 0.7.2

Is there any way to work around this problem? Thanks.

Brian Buesker
Attachment:
isakmpd-udp.pcap
Description: Binary data