- 01-09-2007 #1Just Joined!
- Join Date
- Jan 2007
- Posts
- 8
Using Ethereal to sniff IPSec
I can't figure out how to use Ethereal to detect if IPSec is being used or not. I can't find a filter for it and it isn't listed in the list of protocols, however AH and ESP are there but I can't figure out how to use them correctly. Basically I have IPSec turned on a couple of computers and I want to sniff the packets to look at the IPSec data. Any help would be appreciated.
- 01-10-2007 #2
Have you got any virtual interface for ipsec available... (eg. ipsec0, ipsec1...)
If yes, you can sniff traffic on that ipsecX interface...
All the traffic coming out of that ipsecX interface belongs to IPSec.
If you don't have a virtual interface (ipsecX), then your kernel supports PF_KEY, i.e., the native IPSec stack.
If that is the case, you can use the filter "esp or ah or dst port 500" and sniff packets. But after you cannot classify plain traffic as IPSec traffic on a kernel with native IPSec stack support.
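What the filter in the reply above selects, as an added example that is not part of the original thread: ESP and AH are IP protocol numbers 50 and 51 rather than ports, and IKE key exchange uses port 500. The function names and the sample packets are constructed for illustration.

```python
import struct

# IANA protocol numbers: ESP and AH are IP protocols, not TCP/UDP ports.
PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
IKE_PORT = 500  # ISAKMP/IKE key exchange

def classify_ipv4(packet: bytes) -> str:
    """Return 'esp', 'ah', 'ike' or 'other' for one raw IPv4 packet,
    mirroring the capture filter "esp or ah or dst port 500"."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"                      # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4            # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "other"
    proto = packet[9]
    if proto == PROTO_ESP:
        return "esp"
    if proto == PROTO_AH:
        return "ah"
    if proto in (PROTO_TCP, PROTO_UDP):
        frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
        # Only the first fragment carries the TCP/UDP header with the ports.
        if frag_offset == 0 and len(packet) >= ihl + 4:
            dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
            if dst_port == IKE_PORT:
                return "ike"
    return "other"

def build_ipv4(proto: int, payload: bytes, frag_offset: int = 0) -> bytes:
    """Build a constructed sample packet (header checksum left as zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0,
                         frag_offset, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + payload

# Constructed samples: SPI and sequence number, then opaque payload bytes.
SAMPLES = {
    "esp": build_ipv4(PROTO_ESP, struct.pack("!II", 0x1001, 1) + b"\x00" * 16),
    "ah": build_ipv4(PROTO_AH, bytes([6, 4, 0, 0])
                     + struct.pack("!II", 0x1002, 1) + b"\x00" * 12),
    "ike": build_ipv4(PROTO_UDP, struct.pack("!HHHH", 500, 500, 8, 0)),
    "plain": build_ipv4(PROTO_TCP, struct.pack("!HH", 40000, 80) + b"\x00" * 16),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, "->", classify_ipv4(pkt))
```
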
- 01-10-2007 #3Just Joined!
- Join Date
- Jan 2007
- Posts
- 8
I'm extremely interested in setting up a virtual device for IPSec but I didn't know that I could. Are the steps to do so easy to explain? I'm using RHEL4
- 01-11-2007 #4
http://wiki.openswan.org/index.php/O...n/BuildCompile
Have a look into it...
Good luck.

