Ipdecap: remove encapsulation from pcap packets
[Version française] (/ipdecap-fr) 
Overview
Ipdecap can decapsulate traffic encapsulated within GRE, IPIP, 6in4, ESP (ipsec) protocols, and can also remove IEEE 802.1Q (virtual lan) header.
It reads packets from an pcap file, removes the encapsulation protocol, and writes them to another pcap file.
Goals are:
- Extract encapsulated tcp flows to analyze them with conventional tcp tools (tcptrace, tcpflow, …)
- Reduce pcap files size by removing encapsulation protocol
Ipdecap was written to analyze a strange behavior of a tcp flow encapsulated by ESP, without access to vpn endpoints.
Download
Development
- GitHub project for patchs, bugs, …
- Please provide a pcap file and ESP configuration file if any
Illustrations
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
GRE packet
+----------------+
| IP header |
+----------------+
| GRE header |
+----------------+
|+--------------+| +--------------+
|| IP header || | IP header |
|+--------------+| +-------ipdecap--------> +--------------+
|| Payload || | Payload |
|+--------------+| +--------------+
+----------------+
IPSec packet (tunnel mode)
+----------------+
| IP header |
+----------------+
| ESP header |
+----------------+
|+--------------+| +--------------+
|| IP header || | IP header |
|+--------------+| +-------ipdecap--------> +--------------+
|| Payload || | Payload |
|+--------------+| +--------------+
+----------------+
| ESP trailer |
+----------------+
| ESP auth |
+----------------+
|
Using Wireshark, before and after processing by ipdecap:
- (blue) pcap metadata + ethernet header: copied to output file
- (red) Encapsulation protocol (ESP): discarded
- (green) Payload (tcp packet), decrypted (keys provided by configuration file) the copie to output file
Usage
Command line parameters:
- A source pcap file
- An output pcap file
- A configuration file to decrypt ESP packets
- Maybe a bpf filter to limit packets to process.
1
2
3
4
5
6
7
8
9
10
11
12
|
Ipdecap 0.5, decapsulate GRE, IPIP, 6in4, ESP packets, remove 802.1Q header - Loic Pefferkorn
Usage
ipdecap [-v] [-l] [-V] -i input.cap -o output.cap [-c esp.conf] [-f <bpf filter>]
Options:
-c, --conf configuration file for ESP parameters (IP addresses, algorithms, ... (see man ipdecap)
-h, --help this help message
-i, --input pcap file to process
-o, --output pcap file with decapsulated data
-f, --filter only process packets matching the bpf filter
-l, --list list availables ESP encryption and authentication algorithms
-V, --version print version
-v, --verbose verbose
|
- To process GRE, IPIP, 6in4 and 802.1Q protocols, only -i and -o parameters are mandatory
Examples
- Remove GREP encapsulation from packets located in gre.cap file, and write them in output.cap
1
|
$ ipdecap -i gre.cap -o output.cap
|
- Remove ESP encapsulation, configuration in esp.conf
1
|
$ ipdecap -i esp.cap -o output.cap -c esp.conf
|
- Remove IPIP encapsulation, but only for traffic between 192.168.2.100 and 192.168.2.101
1
|
$ ipdecap -i ipip.cap -o output.cap -f "src 192.168.2.100 and dst 192.168.2.101
|
ESP configuration file
Text file with informations needed to decrypt ESP packets. (hosts, algorithms, keys, spi)
A line per flow as follow:
1
|
ip_a ip_b encryption-algorithm authentication-algorithm key-hex spi-hex
|
Separator is tabulation or space
Examples
For 3des-cbc encryption, hmac_sha1-96 authentication, between 192.168.0.1 and 192.168.0.99, bi-directionnal decryption
1
2
|
192.168.0.1 192.168.0.9 3des-cbc hmac_sha1-96 0x621b2908eb34d1e99198dd889d3deca765311a0867baf785 0x0e021431
192.168.0.9 192.168.0.1 3des-cbc hmac_sha1-96 0x1b88f80580e87106d776cb1bfe051509e690826480f72cef 0x066a6d95
|
Installation
Dependances
- Autotools packages (autoconf, automake, libtool) (distribution specific)
- Openssl
- Libpcap
Compilation
No packages available at the moment, you need to compile ipdecap from source:
1
2
3
4
5
6
7
|
wget https://loicpefferkorn.net/ipdecap/ipdecap-0.7.tar.gz
tar xvzf ipdecap-0.7.tar.gz
cd ipdecap-0.7
sh autogen.sh
./configure
make
make install
|
Notes
Ipdecap was tested on a limited number of captures, and I will be very happy to have any feedback
Limitations
ESP transport mode not supported
Supported protocols
Encapsulation
- GRE
- IPIP
- 6in4 (IPv6 encapsulated within IPv4)
- ESP (ipsec, tunnel mode)
ESP algorithms
- (crypt) des-cbc 3des-cbc aes128-cbc aes128-ctr null_enc
- (auth) hmac_md5-96 hmac_sha1-96 aes_xcbc_mac-96 null_auth any96 any128 any160 any192 any256 any384 any512
- Linux i686/amd64
- FreeBSD-9.2 - amd64
Freebsd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
$ setkey -Da
192.168.2.100 192.168.2.101 <---- <ip a> 192.168.2.100 <ip b> 192.168.2.101
esp mode=tunnel spi=91789053(0x057896fd) reqid=0(0x00000000) <---- <spi> 0x057896fd
E: 3des-cbc 6ca63e7e 4473684e 93b4868e 0ff41562 ba06f7d1 86ef2922 <---- <crypt> 3des-cbc <key> 0x6ca63e7e4473684e...
A: hmac-sha1 0dc52bea 9666ac07 41014f3e 345ebd33 3d6ab85f <---- <auth> hmac-sha1
seq=0x000c06d3 replay=4 flags=0x00000000 state=mature
created: Apr 5 22:20:37 2012 current: Apr 5 22:43:29 2012
diff: 1372(s) hard: 36000(s) soft: 28800(s)
last: Apr 5 22:43:29 2012 hard: 0(s) soft: 0(s)
current: 87237648(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 788179 hard: 0 soft: 0
sadb_seq=1 pid=1246 refcnt=2
192.168.2.101 192.168.2.100
esp mode=tunnel spi=87014357(0x052fbbd5) reqid=0(0x00000000)
E: 3des-cbc 33e9b962 a6938efd 4c1dd1df 3f63482f ae254d18 9e329020
A: hmac-sha1 b243f963 df27ed30 a62682d0 8c2617e6 34f8a39f
seq=0x001235b0 replay=4 flags=0x00000000 state=mature
created: Apr 5 22:20:37 2012 current: Apr 5 22:43:29 2012
diff: 1372(s) hard: 36000(s) soft: 28800(s)
last: Apr 5 22:43:29 2012 hard: 0(s) soft: 0(s)
current: 1628123122(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1193392 hard: 0 soft: 0
sadb_seq=0 pid=1246 refcnt=1
|
ESP configuration file may be generated from setkey -Da output using the provided sadb2conf.awk
1
|
$ setkey -Da | ./sadb2conf.awk > configuration.file
|
Author
Loïc Pefferkorn loic-ipdecap@ at this site
