Screen OS

  • 1.  Wireshark unable to open Snoop detail captured on tunnel interface

     
    Posted 09-11-2012 19:32

    Hello,

    Wireshark is unable to open the snoop detail captured on a tunnel interface:

    2530000.0: tunnel.50(it) vpn=AU-4350-vpn type=ipsec proto=0x0800
                  10.10.10.1 -> 224.0.0.5/89
                  vhl=45, tos=c0, id=520, frag=0000, ttl=1 tlen=228
                  ospf:ver=2, type=1, len=208
                  45 c0 00 e4 da 0c 00 00 01 59 77 c8 0a a6 7b 81     E........Yw...{.
                  e0 00 00 05 02 01 00 d0 0a a6 91 c1 00 00 00 00     ................
                  a4 16 00 00 00 00 00 00 00 00 00 00 ff ff ff 80     ................
                  00 0a 02 01 00 00 00 28 00 00 00 00 00 00 00 00     .......(........
                  0a a6 7b be 0a a6 7b 9b 0a a6 7b b1 cb d0 41 03     ..{...{...{...A.
                  0a a6 7b 8c 0a a6 7b 82 c0 a8 19 fe 0a a6 7b 8f     ..{...{.......{.
                  ac 2b 05 01 0a a6 7b 8a 0a a6 7b a2 0a a6 7b a0     .+....{...{...{.
                  cb 2d af 8d 0a a6 7b 9e 0a a6 7b 83 0a a6 7b 8e     .-....{...{...{.
                  0a a6 7b 98 cb 2d cd 8d 0a a6 7b b7 0a a6 7b a9     ..{..-....{...{.
                  0a a6 7b 90 0a a6 7b 91 cb d9 12 94 cb de 49 1e     ..{...{.......I.
                  0a a6 7b 8d 0a a6 7b 95 0a a6 7b b5 0a a6 7b 87     ..{...{...{...{.
                  0a a6 7b 8b c0 a8 16 fe 0a a6 7b 95 0a a6 7b ac     ..{.......{...{.
                  0a a6 7b 94 c0 a8 17 fe c0 a8 1b fe cb c1 dc 37     ..{............7
                  0a a6 7b a5 ac 10 04 fd 0a a6 7b a8 0a a6 7b a6     ..{.......{...{.
                  0a a6 7b ae                                         ..{.       

    Does anyone know of a workaround for opening this in Wireshark?



    Thanks in advance.

    Regards
    Sarab



  • 2.  RE: Wireshark unable to open Snoop detail captured on tunnel interface

    Posted 09-12-2012 00:08

    Hi Sarab,

     

    I did this as described in KB24992 and KB20562 and this worked.



  • 3.  RE: Wireshark unable to open Snoop detail captured on tunnel interface

     
    Posted 09-13-2012 22:29

    Hi Edouard,

     

    Thanks for the reply; however, these KBs don't fulfill the purpose.

    I was able to open individual packets; however, the data part is not showing the OSPF field separately.

     

    However, if you do a snoop on a normal Ethernet interface, it opens fine:

     

    84070.0: ethernet1/1(o) len=82:0010db8e74c7->01005e000005/0800
                  11.10.1.2 -> 224.0.0.5/89
                  vhl=45, tos=c0, id=1571, frag=0000, ttl=1 tlen=68
                  ospf:ver=2, type=1, len=48
                  01 00 5e 00 00 05 00 10 db 8e 74 c7 08 00 45 c0     ..^.......t...E.
                  00 44 06 23 00 00 01 59 c6 6d 0b 0a 01 02 e0 00     .D.#...Y.m......
                  00 05 02 01 00 30 0c 0a 01 02 00 00 00 01 cd 6b     .....0.........k
                  00 00 00 00 00 00 00 00 00 00 ff ff ff 00 00 0a     ................
                  00 01 00 00 00 28 0b 0a 01 01 0b 0a 01 02 0b 0a     .....(..........
                  01 01                                               ..      

     

    Regards

    Sarab

     



  • 4.  RE: Wireshark unable to open Snoop detail captured on tunnel interface
    Best Answer

     
    Posted 09-15-2012 22:23

    I asked this question on the Wireshark forum and got the following answer:

     

    "Looking a bit more thoroughly through the code, there is already support for WTAP_ENCAP_RAW_IP in epan/dissectors/packet-raw.c.

    So actually adding support for netscreen snoop output for tunnel interfaces would involve changing wiretap/netscreen.c to:

    • handle packet headers that do not contain a packet length
    • add interpretation of raw ip packets and give them type WTAP_ENCAP_RAW_IP

    That should not be too hard, but unfortunately my time is limited at the moment. I'll see if I can find some time the coming weeks."

     

    So as of now Wireshark doesn't support snoop output captured on a tunnel interface; however, as it appears from their reply, we'll have this support soon.
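The best answer above pins down why the tunnel dump fails where the ethernet1/1 dump (post 3) opens: the tunnel record has no len= field and carries a bare IP packet rather than an Ethernet frame. Until Wireshark's netscreen.c reader handles that, the practical workaround is to convert the text dump yourself and tell Wireshark the right link type. The script below is an added example written for this thread, not code from the original posts or from the Wireshark project: it parses both dump formats shown in the thread, validates the byte count against the length the header declares (len= for Ethernet, tlen= for the tunnel form), and writes one classic pcap per link type, LINKTYPE_ETHERNET (1) for frames and LINKTYPE_RAW (101) for raw IPv4/IPv6, so Wireshark dissects the OSPF fields in both. The SAMPLE input is the two dumps posted above; the output file names and the assumption that the leading snoop timestamp counts seconds are mine.

```python
import re
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1  # whole frames, as in the ethernet1/1 dump
LINKTYPE_RAW = 101     # raw IPv4/IPv6, no link-layer header, as in the tunnel.50 dump

# "<ts>: <iface>(<dir>) <rest>"; only the Ethernet form carries "len=<n>:<srcmac>-><dstmac>/<type>"
HEADER_RE = re.compile(r"^\s*(\d+(?:\.\d+)?):\s+(\S+)\((\w+)\)\s*(.*)$")
ETH_RE = re.compile(r"\blen=(\d+):[0-9a-f]{12}->[0-9a-f]{12}/[0-9a-f]{4}", re.I)
TLEN_RE = re.compile(r"\btlen=(\d+)")
# Hex dump line: byte pairs split by single spaces, then an ASCII column after 2+ spaces;
# anchoring both ends stops prose such as "ad hoc" from being read as the byte 0xad.
HEX_RE = re.compile(r"^\s*((?:[0-9a-fA-F]{2} )*[0-9a-fA-F]{2})(?:\s{2,}.*)?\s*$")


def parse_snoop(text):
    """Return one dict per packet: ts, iface, linktype, declared_len, data."""
    packets, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ts, iface, _direction, rest = m.groups()
            eth = ETH_RE.search(rest)
            cur = {"ts": float(ts), "iface": iface, "data": bytearray(),
                   "linktype": LINKTYPE_ETHERNET if eth else LINKTYPE_RAW,
                   "declared_len": int(eth.group(1)) if eth else None}
            packets.append(cur)
        elif cur is not None:
            t = TLEN_RE.search(line)
            if t and cur["declared_len"] is None:
                cur["declared_len"] = int(t.group(1))  # tunnel form: IP total length is the only size given
            elif (h := HEX_RE.match(line)):
                cur["data"] += bytes.fromhex(h.group(1).replace(" ", ""))
    return packets


def check_packet(p):
    """Return consistency problems with one dump (empty when it is sane)."""
    problems, n = [], len(p["data"])
    if p["declared_len"] is not None and n != p["declared_len"]:
        problems.append(f"{p['iface']}: dumped {n} bytes, header says {p['declared_len']}")
    if p["linktype"] == LINKTYPE_RAW and (n == 0 or (p["data"][0] >> 4) not in (4, 6)):
        problems.append(f"{p['iface']}: first byte is not an IPv4/IPv6 header")
    if p["linktype"] == LINKTYPE_ETHERNET and n < 14:
        problems.append(f"{p['iface']}: shorter than an Ethernet header")
    return problems


def build_pcaps(packets):
    """Group packets by link type; return {linktype: pcap file bytes}, one file per type."""
    groups = defaultdict(list)
    for p in packets:
        groups[p["linktype"]].append(p)
    files = {}
    for linktype, plist in groups.items():
        # pcap global header: magic, version 2.4, tz offset, sigfigs, snaplen, link type
        buf = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
        for p in plist:
            sec = int(p["ts"])  # assumption: the snoop timestamp counts seconds
            usec = int(round((p["ts"] - sec) * 1e6))
            buf += struct.pack("<IIII", sec, usec, len(p["data"]), len(p["data"]))
            buf += p["data"]
        files[linktype] = bytes(buf)
    return files


# Sample input: the two dumps posted in this thread, copied unchanged.
SAMPLE = """\
2530000.0: tunnel.50(it) vpn=AU-4350-vpn type=ipsec proto=0x0800
    10.10.10.1 -> 224.0.0.5/89
    vhl=45, tos=c0, id=520, frag=0000, ttl=1 tlen=228
    ospf:ver=2, type=1, len=208
    45 c0 00 e4 da 0c 00 00 01 59 77 c8 0a a6 7b 81     E........Yw...{.
    e0 00 00 05 02 01 00 d0 0a a6 91 c1 00 00 00 00     ................
    a4 16 00 00 00 00 00 00 00 00 00 00 ff ff ff 80     ................
    00 0a 02 01 00 00 00 28 00 00 00 00 00 00 00 00     .......(........
    0a a6 7b be 0a a6 7b 9b 0a a6 7b b1 cb d0 41 03     ..{...{...{...A.
    0a a6 7b 8c 0a a6 7b 82 c0 a8 19 fe 0a a6 7b 8f     ..{...{.......{.
    ac 2b 05 01 0a a6 7b 8a 0a a6 7b a2 0a a6 7b a0     .+....{...{...{.
    cb 2d af 8d 0a a6 7b 9e 0a a6 7b 83 0a a6 7b 8e     .-....{...{...{.
    0a a6 7b 98 cb 2d cd 8d 0a a6 7b b7 0a a6 7b a9     ..{..-....{...{.
    0a a6 7b 90 0a a6 7b 91 cb d9 12 94 cb de 49 1e     ..{...{.......I.
    0a a6 7b 8d 0a a6 7b 95 0a a6 7b b5 0a a6 7b 87     ..{...{...{...{.
    0a a6 7b 8b c0 a8 16 fe 0a a6 7b 95 0a a6 7b ac     ..{.......{...{.
    0a a6 7b 94 c0 a8 17 fe c0 a8 1b fe cb c1 dc 37     ..{............7
    0a a6 7b a5 ac 10 04 fd 0a a6 7b a8 0a a6 7b a6     ..{.......{...{.
    0a a6 7b ae                                         ..{.
84070.0: ethernet1/1(o) len=82:0010db8e74c7->01005e000005/0800
    11.10.1.2 -> 224.0.0.5/89
    vhl=45, tos=c0, id=1571, frag=0000, ttl=1 tlen=68
    ospf:ver=2, type=1, len=48
    01 00 5e 00 00 05 00 10 db 8e 74 c7 08 00 45 c0     ..^.......t...E.
    00 44 06 23 00 00 01 59 c6 6d 0b 0a 01 02 e0 00     .D.#...Y.m......
    00 05 02 01 00 30 0c 0a 01 02 00 00 00 01 cd 6b     .....0.........k
    00 00 00 00 00 00 00 00 00 00 ff ff ff 00 00 0a     ................
    00 01 00 00 00 28 0b 0a 01 01 0b 0a 01 02 0b 0a     .....(..........
    01 01                                               ..
"""

if __name__ == "__main__":
    for lt, blob in build_pcaps(parse_snoop(SAMPLE)).items():
        open(f"snoop_linktype{lt}.pcap", "wb").write(blob)
```

Run it and open snoop_linktype101.pcap in Wireshark: the tunnel packet dissects as IP/OSPF with no Ethernet layer, and snoop_linktype1.pcap holds the ethernet1/1 frame as before. Packets of different link types go into separate classic pcap files on purpose, since a classic pcap carries a single link type in its global header; call check_packet on each parsed entry before writing if you want to catch dumps that were truncated when pasted out of a terminal.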