Discussion:
isakmp packet on port 8500
Perry Smith
2014-05-08 23:16:00 UTC
Hi,

AIX sends its isakmp packet on port 8500 instead of 500. Well... it sorta does both.

In any case, if the packet is on port 500, wireshark marks the protocol as isakmp and decodes the payload. If the packet is on port 8500, then the ethernet, IP, and UDP parts are decoded but not the isakmp part. Is that because of the port number or is it because the packet is not really properly formatted? I can't find a user config option that is set to 500.
# Set the port for IPSEC/ISAKMP messagesIf other than the default of 10000)
# A decimal number
# tcpencap.tcp.port: 10000
but when I set that to 8500, it doesn't make a difference that I can see.

I'm fighting two unknowns. Are my isakmp packets bad and that is why wireshark is not formatting them or is it because they are on port 8500 instead of 500?

Thank you,
Perry Smith
Evan Huus
2014-05-08 23:25:10 UTC
Post by Perry Smith
Hi,
AIX sends its isakmp packet on port 8500 instead of 500. Well... it sorta does both.
In any case, if the packet is on port 500, wireshark marks the protocol as
isakmp and decodes the payload. If the packet is on port 8500, then the
ethernet, IP, and UDP parts are decoded but not the isakmp part. Is that
because of the port number or is it because the packet is not really
properly formatted? I can't find a user config option that is set to 500.
# Set the port for IPSEC/ISAKMP messagesIf other than the default of
10000)
# A decimal number
# tcpencap.tcp.port: 10000
but when I set that to 8500, it doesn't make a difference that I can see.
I'm fighting two unknowns. Are my isakmp packets bad and that is why
wireshark is not formatting them or is it because they are on port 8500
instead of 500?
Based on the code I'm guessing port number (it looks like ISAKMP is
hard-coded to 500) but you can find out by right-clicking on an undecoded
payload and using "Decode As..." to force the matter.

Evan
Post by Perry Smith
Thank you,
Perry Smith
___________________________________________________________________________
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
?subject=unsubscribe
Perry Smith
2014-05-08 23:31:04 UTC
Post by Perry Smith
Hi,
AIX sends its isakmp packet on port 8500 instead of 500. Well... it sorta does both.
In any case, if the packet is on port 500, wireshark marks the protocol as isakmp and decodes the payload. If the packet is on port 8500, then the ethernet, IP, and UDP parts are decoded but not the isakmp part. Is that because of the port number or is it because the packet is not really properly formatted? I can't find a user config option that is set to 500.
# Set the port for IPSEC/ISAKMP messagesIf other than the default of 10000)
# A decimal number
# tcpencap.tcp.port: 10000
but when I set that to 8500, it doesn't make a difference that I can see.
I'm fighting two unknowns. Are my isakmp packets bad and that is why wireshark is not formatting them or is it because they are on port 8500 instead of 500?
Based on the code I'm guessing port number (it looks like ISAKMP is hard-coded to 500) but you can find out by right-clicking on an undecoded payload and using "Decode As..." to force the matter.
Excellent. That was the hint I needed. (I'm somewhat of a novice at Wireshark.)

Thank you very much
Perry
Post by Perry Smith
Evan
Thank you,
Perry Smith
Stuart Kendrick
2014-05-09 12:21:01 UTC
I claim (the term 'claim' in my lingo means: take what I say with
increased skepticism) that Wireshark figures out which decoder to
apply by looking at udp/tcp port numbers and consulting an internal
look-up table. I'm unclear how to examine that look-up table, but I
suspect we can peek at inputs to it via items like Edit, Preferences,
Protocols, HTTP, TCP Ports:
80,3128,3132,5985,8080,8088,11371,1900,2869,2710 [Although I see
nothing similar for ... Protocols, ISAKMP]

And thus that Wireshark will not apply its ISAKMP decoder to an ISAKMP
frame slotted into a port other than 500.

Which is where the Analyze, Decode As... feature comes into play.
Give that a try, see how Wireshark then portrays your port 8500
traffic.

Looks like one can even save such choices:

"Once you added one or more "Decode As..." definitions, go to "Analyze
-> User Defined Decodes..." and choose "Save". This will save these
"Decode As..." definitions in your current configuration profile. So
you can even have a different set of custom port mappings for
different setups by defining multiple configuration profiles."
http://ask.wireshark.org/questions/14213/protocol-port-change-or-port-adding-in-wireshark

I have not done this myself, but it sounds coherent.

hth,

--sk
Post by Perry Smith
Hi,
AIX sends its isakmp packet on port 8500 instead of 500. Well... it sorta does both.
In any case, if the packet is on port 500, wireshark marks the protocol as isakmp and decodes the payload. If the packet is on port 8500, then the ethernet, IP, and UDP parts are decoded but not the isakmp part. Is that because of the port number or is it because the packet is not really properly formatted? I can't find a user config option that is set to 500.
# Set the port for IPSEC/ISAKMP messagesIf other than the default of 10000)
# A decimal number
# tcpencap.tcp.port: 10000
but when I set that to 8500, it doesn't make a difference that I can see.
I'm fighting two unknowns. Are my isakmp packets bad and that is why wireshark is not formatting them or is it because they are on port 8500 instead of 500?
Thank you,
Perry Smith
Sent via: Wireshark-users mailing list <wireshark-users-IZ8446WsY0/***@public.gmane.org>
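As an added illustration of the two points raised in this thread (Evan's: the dissector is picked by port and "Decode As..." overrides that; Stuart's: Wireshark consults a port-to-dissector table), here is a small Python model of that lookup plus a parser for the fixed ISAKMP header, so that a packet on an unexpected port can be told apart from a malformed one. This is example code written for this page, not code from the list or from Wireshark; the table, the function names and the sample packet bytes are all constructed, and the ISAKMP header layout follows RFC 2408 section 3.1.

```python
"""Toy model of port-based dissector selection with a "Decode As" override,
plus an ISAKMP fixed-header parser.  Hypothetical example code, not Wireshark's."""
import struct

ISAKMP_PORT = 500          # port the ISAKMP dissector is registered on
ISAKMP_HEADER_LEN = 28     # fixed header size, RFC 2408 section 3.1

# Exchange types from RFC 2408 (0-5), RFC 2409 (32, 33) and IKEv2 (34-37).
EXCHANGE_TYPES = {
    0: "NONE", 1: "Base", 2: "Identity Protection", 3: "Authentication Only",
    4: "Aggressive", 5: "Informational", 32: "Quick Mode", 33: "New Group Mode",
    34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL",
}


def parse_isakmp_header(payload: bytes) -> dict:
    """Decode the 28-byte ISAKMP header and list anything that looks wrong.

    Header layout (network byte order): initiator SPI (8), responder SPI (8),
    next payload (1), version (1, major in the high nibble), exchange type (1),
    flags (1), message ID (4), total length (4).
    """
    problems = []
    if len(payload) < ISAKMP_HEADER_LEN:
        return {"problems": [f"only {len(payload)} bytes, header needs {ISAKMP_HEADER_LEN}"]}
    (i_spi, r_spi, next_payload, version, exch_type,
     flags, msg_id, length) = struct.unpack("!8s8sBBBBII", payload[:ISAKMP_HEADER_LEN])
    major, minor = version >> 4, version & 0x0F
    if major not in (1, 2):
        problems.append(f"unknown major version {major}")
    if exch_type not in EXCHANGE_TYPES:
        problems.append(f"unknown exchange type {exch_type}")
    if length != len(payload):
        # A real dissector would flag this as a malformed or truncated packet.
        problems.append(f"header length {length} != UDP payload length {len(payload)}")
    if i_spi == bytes(8):
        problems.append("initiator SPI is all zeros")
    return {
        "initiator_spi": i_spi.hex(), "responder_spi": r_spi.hex(),
        "next_payload": next_payload, "version": f"{major}.{minor}",
        "exchange": EXCHANGE_TYPES.get(exch_type, exch_type), "flags": flags,
        "message_id": msg_id, "length": length, "problems": problems,
    }


# The port-to-dissector table: (protocol name, parser).  Only ISAKMP here.
PORT_TABLE = {ISAKMP_PORT: ("ISAKMP", parse_isakmp_header)}


def dissect_udp(src_port: int, dst_port: int, payload: bytes, decode_as: dict = None):
    """Pick a dissector by port.  `decode_as` maps extra ports to table entries,
    standing in for the GUI's "Decode As..." choice.  Returns (name, parsed)."""
    table = dict(PORT_TABLE)
    table.update(decode_as or {})
    for port in (dst_port, src_port):      # this toy checks destination first
        if port in table:
            name, parser = table[port]
            return name, parser(payload)
    return "data", None                    # undissected: shown as raw data


# Constructed sample: first IKEv1 Main Mode message, header only.
SAMPLE_ISAKMP = (
    bytes.fromhex("0102030405060708")      # initiator SPI (made up)
    + bytes(8)                             # responder SPI is zero in message 1
    + bytes([1, 0x10, 2, 0])               # next payload SA, v1.0, Identity Protection, no flags
    + struct.pack("!II", 0, ISAKMP_HEADER_LEN)  # message ID 0, total length 28
)


def demo():
    """Same bytes on port 500, on port 8500, and on 8500 with a Decode As override."""
    return {
        "port_500": dissect_udp(500, 500, SAMPLE_ISAKMP)[0],
        "port_8500": dissect_udp(8500, 8500, SAMPLE_ISAKMP)[0],
        "port_8500_forced": dissect_udp(
            8500, 8500, SAMPLE_ISAKMP, decode_as={8500: PORT_TABLE[ISAKMP_PORT]})[0],
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
    print(parse_isakmp_header(SAMPLE_ISAKMP))
```

The same bytes are decoded as ISAKMP only when their port is in the table, which is the situation the original post describes; forcing the mapping (the override dict here, "Decode As..." in the GUI, or `-d udp.port==8500,isakmp` on the tshark command line) is what exposes whether the payload itself is well formed. Once the override is in place, a non-empty `problems` list is the signal that the packets, not the port, are the issue.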