Subject: Re: Take #3 - final proposed patch for ipsec/bpf/ipfilter integration
To: YAMAMOTO Takashi <>
From: Curt Sampson <>
List: tech-net
Date: 05/14/2003 14:01:54
On Wed, 14 May 2003, YAMAMOTO Takashi wrote:

> tcpdump can decode ESP by itsself and i think it should if needed.

Using tcpdump's -E option is, in the large majority of cases,
impractical. First, it can take only ASCII keys, restricting you to
using a small portion of the keyspace. Second, if you're using IKE it
can be difficult or impossible to find out the key currently in use.
And, of course, you have to expose your key to anybody else using that
machine in order to use tcpdump's decryption.

Also, using tcpdump before ipsec processing doesn't help if you want to
see if the kernel is correctly decrypting the packets.

> i don't think that ipfilter and tcpdump should use the same mechanism
> to solve this "problem".

Why not? I'd rather see a generic mechanism that will solve the problem
for all programs than write an individual program-specific mechanism for
every single program out there.

Note, for example, that tcpdump is hardly the only program that uses
BPF. What if I want to do a netflow analysis? Or use ntop?

Curt Sampson  <>   +81 90 7737 2974
    Don't you know, in this new Dark Age, we're all light.  --XTC