I'm currently working on implementing support for hardware cryptographic engine on a board we support at work. Currently it is not working and I was trying to debug it, thus trying to see what is happening. I tcpdumped the packets received, and tried to have a look at it. Sadly, for some reason, the SAs I added in wireshark do not match and he doesn't want to use them.
I then discovered that scapy now has support for that, and it was actually added by a colleague... Should have started there! I only found the issues on bitbucket showing how to use it so I thought it would be worth it to write a quick how-to, once got it down it is pretty straightforward, but knowing what to look for may not be obvious in the first place.
So here is a an example usage for an AES-CBC with no auth packet:
pkts = rdpcap("path/to/file.pcap")
pkts[0].show()
Here is the ESP packet:
###[ Ethernet ]###
dst= 56:1e:7d:aa:e0:b3
src= 68:05:ca:15:d1:99
type= IPv4
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 140
id= 0
flags= DF
frag= 0L
ttl= 64
proto= esp
chksum= 0x2544
src= 10.125.0.2
dst= 10.125.0.1
\options\
###[ ESP ]###
spi= 0x22
seq= 1
data= '\xa7\[...]'
Then create the SA and decrypt:
sa = SecurityAssociation(ESP, spi=0x22, crypt_algo='AES-CBC', crypt_key='your_key')
res = sa.decrypt(pkts[0].getlayer(IP))
res.show()
The result showing the icmp packet:
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 104
id= 0
flags= DF
frag= 0L
ttl= 64
proto= ipv4
chksum= 0x2596
src= 10.125.0.2
dst= 10.125.0.1
\options\
###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 84
id= 36470
flags= DF
frag= 0L
ttl= 63
proto= icmp
chksum= 0x9805
src= 10.200.0.1
dst= 10.100.0.1
\options\
###[ ICMP ]###
type= echo-request
code= 0
chksum= 0x7cd1
id= 0x9df
seq= 0x1
###[ Raw ]###
load= '\x9fTMW[...]'
And here you go.