Open
Description
tcpdump with the -E option should be able to decode ESP packets without encryption, but it produces a warning and tcpdump won't decode them.
steps to reproduce
This pcap file contains a bunch of unencrypted ESP packets that include ICMP6 echo packets.
> git log --oneline -n 1
ec3814c3 (HEAD -> master, origin/master, origin/HEAD) CHANGES: Synchronise the 4.99.6 section. [skip ci]
> git status
On branch master
Your branch is up to date with 'origin/master'.
nothing to commit, working tree clean
> make
make: Nothing to be done for 'all'.
> ./tcpdump --version
tcpdump version 5.0.0-PRE-GIT
libpcap version 1.10.5 (with TPACKET_V3)
OpenSSL 3.6.0 1 Oct 2025
64-bit build, 64-bit time_t
> ./tcpdump -r ~/ipsec.pcap -E '0xc8cee146@fd00:a1::2 none-hmac96:,0xc9c1fe23@fd00:a2::2 none-hmac96:'
reading from file /home/kawak/ipsec.pcap, link-type EN10MB (Ethernet), snapshot length 262144
tcpdump: WARNING: failed to find cipher algo none
tcpdump: WARNING: failed to find cipher algo none
02:03:48.270259 IP6 fd00:a2::2 > fd00:a1::2: ESP(spi=0xc8cee146,seq=0x510), length 128
02:03:48.270349 IP6 fd00:a1::2 > fd00:a2::2: ESP(spi=0xc9c1fe23,seq=0x510), length 128
02:03:49.294245 IP6 fd00:a2::2 > fd00:a1::2: ESP(spi=0xc8cee146,seq=0x511), length 12
... omitted ...
additional observations
There are several algorithms mentioned in the manpage's -E option section:
Algorithms may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, or none. The default is des-cbc. The ability to decrypt packets is only present if tcpdump was compiled with cryptography enabled.
However, when I test them:
> tcpdump -r ~/ipsec.pcap -E '0xc8cee146@fd00:a1::2 des-cbc:' > /dev/null
reading from file /home/kawak/ipsec.pcap, link-type EN10MB (Ethernet), snapshot length 262144
zsh: floating point exception (core dumped) tcpdump -r ~/ipsec.pcap -E '0xc8cee146@fd00:a1::2 des-cbc:' > /dev/null
> tcpdump -r ~/ipsec.pcap -E '0xc8cee146@fd00:a1::2 3des-cbc:' > /dev/null
reading from file /home/kawak/ipsec.pcap, link-type EN10MB (Ethernet), snapshot length 262144
> tcpdump -r ~/ipsec.pcap -E '0xc8cee146@fd00:a1::2 blowfish-cbc:' > /dev/null
reading from file /home/kawak/ipsec.pcap, link-type EN10MB (Ethernet), snapshot length 262144
zsh: floating point exception (core dumped) tcpdump -r ~/ipsec.pcap -E '0xc8cee146@fd00:a1::2 blowfish-cbc:' > /dev/null
> tcpdump -r ~/ipsec.pcap -E '0xc8cee146@fd00:a1::2 rc3-cbc:' > /dev/null
reading from file /home/kawak/ipsec.pcap, link-type EN10MB (Ethernet), snapshot length 262144
tcpdump: WARNING: failed to find cipher algo rc3
> tcpdump -r ~/ipsec.pcap -E '0xc8cee146@fd00:a1::2 cast128-cbc:' > /dev/null
reading from file /home/kawak/ipsec.pcap, link-type EN10MB (Ethernet), snapshot length 262144
tcpdump: WARNING: failed to find cipher algo cast128
> tcpdump -r ~/ipsec.pcap -E '0xc8cee146@fd00:a1::2 none:' > /dev/null
reading from file /home/kawak/ipsec.pcap, link-type EN10MB (Ethernet), snapshot length 262144
tcpdump: WARNING: failed to find cipher algo none
So maybe there are 2 problems:
- A wrong specification of the encryption algorithm sometimes causes a segfault.
- The rc3, cast128 and none algorithms are not even recognized. I'm not sure whether this is a documentation error or a software bug. It looks like there is a workaround for 3des that might be related to this issue.
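As an added illustration of what decoding an unencrypted ESP packet involves (example code written for this issue, not tcpdump's own code), the following Python parses a -E style secret list and strips the ESP header, padding, trailer and ICV from a NULL-cipher packet to recover the inner ICMPv6 payload. The spec parser, the `EspSa`, `parse_esp_secret`, `decode_null_esp` and `build_null_esp` names, and the sample ICMPv6 echo request (with a zero checksum) are all constructed here; treating a `-hmac96` suffix as a 12-byte ICV is an assumption taken from the command line above, not something the page states.

```python
"""Decode NULL-cipher ("none") ESP packets described by a -E style secret list.
Example code written for this issue; it is not tcpdump's implementation."""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass

ESP_HDR_LEN = 8          # SPI (4) + sequence number (4), RFC 4303 section 2
ESP_TRAILER_LEN = 2      # pad length (1) + next header (1)
ICMP6_NEXT_HEADER = 58   # IPv6 next-header value for ICMPv6


@dataclass
class EspSa:
    spi: int
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    cipher: str          # e.g. "none", "3des", "des" (any "-cbc" suffix is dropped)
    authlen: int         # ICV length in bytes; 12 for a "-hmac96" suffix (assumption)
    key: bytes


def parse_esp_secret(spec: str) -> list[EspSa]:
    """Parse a comma-separated 'spi@addr algo[-hmac96]:secret' list.

    This mirrors the documented -E syntax; the '-hmac96' suffix meaning a
    12-byte ICV is an assumption based on the reporter's command line."""
    sas = []
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        spikey, _, algo_secret = entry.partition(" ")
        spistr, _, addr = spikey.partition("@")
        algo, _, secret = algo_secret.strip().partition(":")
        authlen = 0
        if algo.endswith("-hmac96"):
            algo = algo[: -len("-hmac96")]
            authlen = 12
        if algo.endswith("-cbc"):
            algo = algo[: -len("-cbc")]
        # A secret prefixed with 0x is hex, otherwise raw ASCII text.
        key = bytes.fromhex(secret[2:]) if secret.startswith("0x") else secret.encode()
        sas.append(EspSa(int(spistr, 0), ipaddress.ip_address(addr), algo, authlen, key))
    return sas


def decode_null_esp(esp: bytes, sas: list[EspSa], dst: str) -> tuple[int, bytes]:
    """Return (next_header, inner_payload) for an ESP packet under a 'none' SA.

    `esp` is the ESP header plus body as carried after the outer IP header;
    `dst` is the destination address of the outer packet (used for SA lookup)."""
    if len(esp) < ESP_HDR_LEN + ESP_TRAILER_LEN:
        raise ValueError("ESP packet too short")
    spi, _seq = struct.unpack("!II", esp[:ESP_HDR_LEN])
    dst_ip = ipaddress.ip_address(dst)
    sa = next((s for s in sas if s.spi == spi and s.dst == dst_ip), None)
    if sa is None:
        raise LookupError(f"no SA for spi=0x{spi:08x} dst={dst}")
    if sa.cipher != "none":
        raise NotImplementedError(f"cipher {sa.cipher!r}: this example only handles none")
    body = esp[ESP_HDR_LEN:]
    if sa.authlen:
        if len(body) < sa.authlen + ESP_TRAILER_LEN:
            raise ValueError("ESP packet shorter than ICV plus trailer")
        body = body[:-sa.authlen]   # ICV is stripped, not verified: no MAC key is in play
    pad_len, next_header = body[-2], body[-1]
    plain = body[:-ESP_TRAILER_LEN]
    if pad_len > len(plain):
        raise ValueError(f"pad length {pad_len} exceeds payload")
    return next_header, plain[: len(plain) - pad_len]


def build_null_esp(spi: int, seq: int, next_header: int, inner: bytes,
                   authlen: int, align: int = 4) -> bytes:
    """Constructed sample: wrap `inner` in an ESP packet with NULL encryption.
    Padding right-aligns the trailer on `align` bytes (RFC 4303 uses the
    1,2,3... default padding); the ICV is a zero placeholder."""
    pad_len = (-(len(inner) + ESP_TRAILER_LEN)) % align
    padding = bytes(range(1, pad_len + 1))
    return (struct.pack("!II", spi, seq) + inner + padding
            + bytes([pad_len, next_header]) + bytes(authlen))


# Constructed inputs: the SPIs/addresses from the command line above, and an
# ICMPv6 echo request (type 128) with a zero checksum since there is no outer header.
SECRET_SPEC = "0xc8cee146@fd00:a1::2 none-hmac96:,0xc9c1fe23@fd00:a2::2 none-hmac96:"
ICMP6_ECHO_REQUEST = bytes([128, 0, 0, 0]) + struct.pack("!HH", 0x1234, 0x510) + b"ping!"
SAMPLE_ESP = build_null_esp(0xC8CEE146, 0x510, ICMP6_NEXT_HEADER, ICMP6_ECHO_REQUEST, authlen=12)


def demo() -> tuple[int, bytes]:
    sas = parse_esp_secret(SECRET_SPEC)
    return decode_null_esp(SAMPLE_ESP, sas, "fd00:a1::2")


if __name__ == "__main__":
    nh, inner = demo()
    print(f"next header {nh}, inner payload {inner.hex()}")
```

The decoder looks the SA up by SPI and destination address, the same two values a -E entry carries, and refuses packets whose trailer or pad length does not fit, which is the kind of bounds check that separates "decode" from "crash" on malformed input.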