NetMon and IPSec

  • Question

  • Hi,

    I took some network captures between two local machines. In netmon, I can see that it parses the packets fine (IP->ESP->TCP). I can even see the TCP data. I am not familiar with IPSec, but have the general notion that with IPSec the next-protocol TCP data is encrypted, so I am a little surprised that we can see the TCP data decrypted. Does netmon indeed decrypt the data? How does it do it?

    Now I also have a capture from a customer, and the trace captures IPSec data as well. When I open the trace on my machine, I am not able to see the clear TCP data. The TCP data appears encrypted. Now the question is whether the trace must be opened on the local server in order to see the clear TCP data. Or am I missing some steps here that cause me not to be able to see the clear TCP data?

    Thanks.

    Tuesday, February 15, 2011 8:21 PM

Answers

  • Hi XGan,

    Network Monitor does not decrypt IPSec traffic. 

    Could it be possible that your machine is only using IPSec for authentication and not for the payloads? 

    I'm not an expert in IPSec myself, but Network Monitor should be showing you just what's on the wire away from where IPSec has been encrypted/decrypted on your machine's stack.


    Michael Hawker | Program Manager | Network Monitor
    • Marked as answer by XGan Sunday, February 20, 2011 6:11 AM
    Tuesday, February 15, 2011 10:33 PM
  • IPSec can be configured to encrypt or not. So in your first scenario you probably aren't using encryption and that's why you can see the data.

    Thanks,

    Paul

    • Marked as answer by XGan Sunday, February 20, 2011 6:11 AM
    Tuesday, February 15, 2011 10:58 PM
