Ipdecap

Overview

Ipdecap can decapsulate traffic encapsulated within GRE, IPIP, 6in4, ESP (ipsec) protocols, and can also remove IEEE 802.1Q (virtual lan) header.

It reads packets from an pcap file, removes the encapsulation protocol, and writes them to another pcap file.

Goals are:

  • Extract encapsulated tcp flow to analyze them with conventional tcp tools (tcptrace, tcpflow, …)
  • Reduce pcap files size by removing encapsulation protocol

Ipdecap was first written to analyze a strange tcp behavior encapsulated by ESP, without intervention on vpn endpoints.

Illustrations

      GRE packet
   +----------------+
   |   IP header    |
   +----------------+
   |   GRE header   |
   +----------------+
   |+--------------+|                            +--------------+
   ||  IP header   ||                            |  IP header   |
   |+--------------+|  +-------ipdecap-------->  +--------------+
   ||   Payload    ||                            |   Payload    |
   |+--------------+|                            +--------------+
   +----------------+
IPSec packet (tunnel mode)
   +----------------+
   |   IP header    |
   +----------------+
   |   ESP header   |
   +----------------+
   |+--------------+|                            +--------------+
   ||  IP header   ||                            |  IP header   |
   |+--------------+|  +-------ipdecap-------->  +--------------+
   ||   Payload    ||                            |   Payload    |
   |+--------------+|                            +--------------+
   +----------------+
   |  ESP trailer   |
   +----------------+
   |    ESP auth    |
   +----------------+

Using Wireshark, before and after processing by ipdecap:

  • (blue) pcap metadata + ethernet header: copied to output file
  • (red) Encapsulation protocol (ESP): discarded
  • (green) Payload (tcp packet), decrypted (keys provided by configuration file) the copie to output file

Use

  • Command line:
    • A source pcap file
    • An output pcap file
    • A configuration file to decrypt ESP packets
    • Maybe a bpf filter to limit packets to process.
Ipdecap 0.5, decapsulate GRE, IPIP, 6in4, ESP packets, remove 802.1Q header - Loic Pefferkorn
Usage
    ipdecap [-v] [-l] [-V] -i input.cap -o output.cap [-c esp.conf] [-f <bpf filter>] 
Options:
  -c, --conf     configuration file for ESP parameters (IP addresses, algorithms, ... (see man ipdecap)
  -h, --help     this help message
  -i, --input    pcap file to process
  -o, --output   pcap file with decapsulated data
  -f, --filter   only process packets matching the bpf filter
  -l, --list     list availables ESP encryption and authentication algorithms
  -V, --version  print version
  -v, --verbose  verbose
  • To process GRE, IPIP, 6in4 and 802.1Q protocols, only -i and -o parameters are mandatory

Examples

  • Remove GREP encapsulation from packets located in gre.cap file, and write them in output.cap
ipdecap -i gre.cap -o output.cap
  • Remove ESP encapsulation, configuration in esp.conf
ipdecap -i esp.cap -o output.cap -c esp.conf
  • Remove IPIP encapsulation, but only for traffic between 192.168.2.100 and 192.168.2.101
ipdecap -i ipip.cap -o output.cap -f "src 192.168.2.100 and dst 192.168.2.101

ESP configuration file

  • Text file with informations needed to decrypt ESP packets. (hosts, algorithms, keys, spi)

Format

  • A line per flow
<ip a> <ip b> <encryption algorithm> <authentication algorithm> <key (hexadecimal)> <spi (hexadecimal)
  • Separator is tabulation or space

Examples

  • 3des-cbc encryption, hmac_sha1-96 authentication, between 192.168.0.1 and 192.168.0.99, bi-directionnal decryption
192.168.0.1	192.168.0.9	3des-cbc hmac_sha1-96	0x621b2908eb34d1e99198dd889d3deca765311a0867baf785 0x0e021431
192.168.0.9	192.168.0.1	3des-cbc hmac_sha1-96	0x1b88f80580e87106d776cb1bfe051509e690826480f72cef 0x066a6d95

Installation

Dependances

Compilation

wget https://github.com/lpefferkorn/ipdecap/archive/v0.7.tar.gz
tar xvzf v0.7.tar.gz
cd ipdecap-0.7
sh autogen.sh
./configure
make
make install

Bugs

Limitations

  • ESP transport mode not supported

Supported encapsulation protocols

  • GRE
  • IPIP
  • 6in4 (IPv6 encapsulated within IPv4)
  • ESP (ipsec, tunnel mode)

ESP algorithms

  • (crypt) des-cbc 3des-cbc aes128-cbc aes128-ctr null_enc
  • (auth) hmac_md5-96 hmac_sha1-96 aes_xcbc_mac-96 null_auth any96 any128 any160 any192 any256 any384 any512

Platforms tested

  • Linux i686/amd64
  • FreeBSD-9.2 - amd64

Notes

  • ipdecap was tested on a limited number of captures, and I will be very happy to have any feedback
  • To get ESP informations:

Freebsd

$ setkey -Da
192.168.2.100 192.168.2.101                                                    <---- <ip a> 192.168.2.100 <ip b> 192.168.2.101
	esp mode=tunnel spi=91789053(0x057896fd) reqid=0(0x00000000)           <---- <spi> 0x057896fd
	E: 3des-cbc  6ca63e7e 4473684e 93b4868e 0ff41562 ba06f7d1 86ef2922     <---- <crypt> 3des-cbc  <key> 0x6ca63e7e4473684e...
	A: hmac-sha1  0dc52bea 9666ac07 41014f3e 345ebd33 3d6ab85f             <---- <auth> hmac-sha1
	seq=0x000c06d3 replay=4 flags=0x00000000 state=mature 
	created: Apr  5 22:20:37 2012	current: Apr  5 22:43:29 2012
	diff: 1372(s)	hard: 36000(s)	soft: 28800(s)
	last: Apr  5 22:43:29 2012	hard: 0(s)	soft: 0(s)
	current: 87237648(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 788179	hard: 0	soft: 0
	sadb_seq=1 pid=1246 refcnt=2
192.168.2.101 192.168.2.100
	esp mode=tunnel spi=87014357(0x052fbbd5) reqid=0(0x00000000)
	E: 3des-cbc  33e9b962 a6938efd 4c1dd1df 3f63482f ae254d18 9e329020
	A: hmac-sha1  b243f963 df27ed30 a62682d0 8c2617e6 34f8a39f
	seq=0x001235b0 replay=4 flags=0x00000000 state=mature 
	created: Apr  5 22:20:37 2012	current: Apr  5 22:43:29 2012
	diff: 1372(s)	hard: 36000(s)	soft: 28800(s)
	last: Apr  5 22:43:29 2012	hard: 0(s)	soft: 0(s)
	current: 1628123122(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 1193392	hard: 0	soft: 0
	sadb_seq=0 pid=1246 refcnt=1
  • ESP configuration file may be generated from setkey -Da output using the provided sadb2conf.awk
$ setkey -Da | ./sadb2conf.awk > configuration.file

Author