Does tcpdump support filtering by ESP traffic (proto 50) with a particular SPI value?
It displays this value, so you would think this is possible!
21:15:23.143805 IP 64.7.134.1 > 64.7.139.200: ESP(spi=0x0d8f42b8,seq=0x27)
It should be possible with a filter such as "ip proto 50 and ip[((ip[0]&0x0f)<<2):4]==0x0d8f42b8"
... which breaks down as:
ip proto 50: All ESP packets. (Note that with newer versions of tcpdump it is apparently possible to specify ip proto esp instead.)and that also match a specific spi
ip[0]&0x0f: The number of 32-bit words of the IP header((ip[0]&0x0f)<<2): The offset to the ESP payload and spi fieldip[((ip[0]&0x0f)<<2):4]: The 4 bytes comprising the spi fieldip[((ip[0]&0x0f)<<2):4]==0x0d8f42b8: A spi field that matches the hexadecimal value 0x0d8f42b8It might be tempting to just use a simplified filter of ip[20:4]==0x0d8f42b8, but that assumes fixed-size IP headers with the default IP header size of 20 bytes. I suppose if you know your IP headers are definitely 20 bytes, then it's OK to use, but I think it's much safer never to make that assumption.