[Ethereal-users] ISAKMP Packets incorrectly decoded

[Brian Buesker]

In doing some testing of IKE daemons for Linux, I have run into the following problem. Occassionally, ethereal and tethereal will incorrectly decode an ISAKMP packet (Identity Protection Mode, Quick Mode, or Aggressive Mode). The protocol is correct. However, the information field says "UDP Encapsulated IPSec - NAT Keepalive". tcpdump does decode these packets correctly though.

The problem seems to occur more frequently when there are many ISAKMP packets being exchanged. When it does occur, it usually occurs for an entire phase 1 and phase 2 exchange for those source and destinatoin addresses. Sometimes it will occur on subsequent exchanges.

I have attached a packet capture in which this problem occurs. The first six packets are Identity Protection Mode packets, and the last 6 are Quick Mode packets. These packets came from a larger capture of many more packets, some of which were decoded correctly and some of which were not. I can provide this capture if desired.

Ethereal version: 0.9.16
tcpdump and libpcap version: 0.7.2

Is there any way to work around this problem? Thanks.

Brian Buesker

isakmpd-udp.pcap
Description: Binary data