TCN Tutorial Decoding ESP Packets in Wireshark

Test Center Network
Qualcomm Technologies, Inc.
June 2018

Decoding Encapsulating Security Payload (ESP) Packets in Wireshark

All Qualcomm products mentioned herein are products of Qualcomm Technologies, Inc. and/or its subsidiaries.
Qualcomm is a trademark of Qualcomm Incorporated, registered in the United States and other countries. Other product and brand names may be trademarks or registered trademarks of
their respective owners.
This technical data may be subject to U.S. and international export, re-export, or transfer (“export”) laws. Diversion contrary to U.S. and international law is strictly prohibited.
Qualcomm Technologies, Inc.
5775 Morehouse Drive
San Diego, CA 92121
U.S.A.
© 2018 Qualcomm Technologies, Inc. and/or its subsidiaries. All rights reserved.
Contents
Overview 3
Capture Logs 4
Extract PCAP Logs from QXDM Pro Logs 6
Find Ck+Ik 7
Decode ESP Packets in Wireshark v1.6.5 9
Decode ESP Packets in Wireshark v1.8.5 10

MAY CONTAIN U.S. AND INTERNATIONAL EXPORT CONTROLLED INFORMATION 2


Overview

This tutorial describes how to view IPsec-encrypted SIP messages in Wireshark.
It covers:
• Capturing QXDM Professional™ logs
• Extracting PCAP logs from the QXDM Pro logs
• Finding the ciphering key (Ck) and integrity key (Ik) in the QXDM Pro logs
• Decoding ESP packets from the PCAP logs in Wireshark using Ck and Ik


Capture Logs (1 of 2)

To decode ESP packets in Wireshark, appropriate logs must be captured.

Enable UIM Application Protocol Data Unit (APDU) log messages through QXDM Pro:
1. Select Options > Message View Configuration > Log Packets > Common > [0x1098] UIM Application Protocol Data Unit


Capture Logs (2 of 2)

Enable Data Protocol Logging through QXDM Pro:
1. Select Options > Log View Configuration > Log Packets > Known Log Items > Common > Data Services > Data Protocol Logging


Extract PCAP Logs from QXDM Pro Logs

1. Run PCAP Generator, located at C:\Program Files (x86)\Common Files\Qualcomm\PCAP Generator.exe.
2. Select the .isf file from which to generate PCAP logs.
3. Select the directory where the PCAP logs will be saved.
4. Click OK.
5. When finished, the message "PCAP Generation completed successfully" is displayed.

NOTE: If the extracted PCAP logs are displayed as malformed packets due to truncation, Data Protocol Logging was not enabled properly.


Find Ck+Ik (1 of 2)

The QTI IMS stack on the modem internally uses the MMGSDI API to perform ISIM authentication on the UICC card. Search the following QXDM Pro log messages for the ISIM authentication command and the UIM response; the ciphering key (Ck) and integrity key (Ik) are contained within the UIM APDU.

• blue-highlighted text relates to the ciphering/encryption key
• green-highlighted text relates to the integrity/authentication key
• yellow-highlighted text identifies important parts of the log message

MSG User Identity Module/Medium 21:31:56.890 uimisim.c 00403 Received ISIM Authenticate command
2011 Sep 9 21:31:57.089 [10] 0x1098 RUIM Debug
RX C0 DB 08 96 05 59 36 56 0A 56 88 10 E5 24 14 98 66 F1 93 B2 A3 0E 43 4F A2 FB 16 9E 10 8D A7 F8 57 A0 2D 0A 3F C4 C9 9F 9B 76 E7 9D 43 90 00

Read the above UIM APDU as follows:

C0 – Get response
DB – Successful 3G authentication tag
08 – Length of XRES (expected response)
96 05 59 36 56 0A 56 88 – XRES
10 – Length of Ck
E5 24 14 98 66 F1 93 B2 A3 0E 43 4F A2 FB 16 9E – Ck
10 – Length of Ik
8D A7 F8 57 A0 2D 0A 3F C4 C9 9F 9B 76 E7 9D 43 – Ik
90 00 – Normal end of command

Find Ck+Ik (2 of 2)

The same authentication as seen in the IMS trace. In the first line, eStatus: 0 = MMGSDI_SUCCESS and eCnf: 5 = MMGSDI_ISIM_AUTH_CNF; the RESP, Ck and Ik bytes that follow match the APDU above.

MSG IMS/High 21:31:57.090 qpIsim.c 08783 qpDplProcessSessionCardEvent – eStatus: 0 eCnf: 5
MSG IMS/High 21:31:57.090 qpIsim.c 04514 qpAMSS_GetAuthResponse – Copied Resp
MSG IMS/High 21:31:57.090 qpIsim.c 04516 qpAMSS_GetAuthResponse – RESP: (Len) 8
MSG IMS/High 21:31:57.090 qpIsim.c 04520 qpAMSS_GetAuthResponse – 96 5
MSG IMS/High 21:31:57.090 qpIsim.c 04521 qpAMSS_GetAuthResponse – 59 36
MSG IMS/High 21:31:57.090 qpIsim.c 04520 qpAMSS_GetAuthResponse – 56 a
MSG IMS/High 21:31:57.090 qpIsim.c 04521 qpAMSS_GetAuthResponse – 56 88
MSG IMS/High 21:31:57.090 qpIsim.c 04536 qpAMSS_GetAuthResponse - Copied Ck
MSG IMS/High 21:31:57.090 qpIsim.c 04541 qpAMSS_GetAuthResponse - e5 24
MSG IMS/High 21:31:57.090 qpIsim.c 04542 qpAMSS_GetAuthResponse - 14 98
MSG IMS/High 21:31:57.090 qpIsim.c 04541 qpAMSS_GetAuthResponse - 66 f1
MSG IMS/High 21:31:57.090 qpIsim.c 04542 qpAMSS_GetAuthResponse - 93 b2
MSG IMS/High 21:31:57.090 qpIsim.c 04541 qpAMSS_GetAuthResponse - a3 e
MSG IMS/High 21:31:57.090 qpIsim.c 04542 qpAMSS_GetAuthResponse - 43 4f
MSG IMS/High 21:31:57.090 qpIsim.c 04541 qpAMSS_GetAuthResponse - a2 fb
MSG IMS/High 21:31:57.090 qpIsim.c 04542 qpAMSS_GetAuthResponse - 16 9e
MSG IMS/High 21:31:57.090 qpIsim.c 04556 qpAMSS_GetAuthResponse - Copied Ik
MSG IMS/High 21:31:57.090 qpIsim.c 04562 qpAMSS_GetAuthResponse - 8d a7
MSG IMS/High 21:31:57.090 qpIsim.c 04563 qpAMSS_GetAuthResponse - f8 57
MSG IMS/High 21:31:57.090 qpIsim.c 04562 qpAMSS_GetAuthResponse - a0 2d
MSG IMS/High 21:31:57.090 qpIsim.c 04563 qpAMSS_GetAuthResponse - a 3f
MSG IMS/High 21:31:57.090 qpIsim.c 04562 qpAMSS_GetAuthResponse - c4 c9
MSG IMS/High 21:31:57.091 qpIsim.c 04563 qpAMSS_GetAuthResponse - 9f 9b
MSG IMS/High 21:31:57.091 qpIsim.c 04562 qpAMSS_GetAuthResponse - 76 e7
MSG IMS/High 21:31:57.091 qpIsim.c 04563 qpAMSS_GetAuthResponse - 9d 43
MSG IMS/High 21:31:57.091 qpIsim.c 04571 qpAMSS_GetAuthResponse - Setting Authstatus to QC_AUTH_SUCCESS
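A worked parse of the two traces above, added here as an example that is not part of the Qualcomm tutorial: it splits the UIM APDU response into XRES, Ck and Ik using the layout the page describes, and recovers Ck from the qpAMSS_GetAuthResponse lines (which print bytes without leading zeros, so "a3 e" is 0xA3 0x0E) so the two sources can be cross-checked before the keys go into Wireshark. Function names are my own; both inputs are copied from the page.

```python
HEX = set("0123456789abcdef")

# ISIM AUTHENTICATE response as logged under [0x1098] RUIM Debug (copied from the page)
APDU_HEX = ("C0 DB 08 96 05 59 36 56 0A 56 88 10 E5 24 14 98 66 F1 93 B2 A3 0E 43 4F "
            "A2 FB 16 9E 10 8D A7 F8 57 A0 2D 0A 3F C4 C9 9F 9B 76 E7 9D 43 90 00")

def parse_isim_auth_response(apdu_hex):
    """Split [C0] DB L1 RES L2 CK L3 IK 90 00 into XRES, Ck and Ik (lowercase hex)."""
    data = bytes.fromhex(apdu_hex.replace(" ", ""))
    if data[-2:] != b"\x90\x00":
        raise ValueError("status word is not 90 00 (normal end of command)")
    body = data[1:-2] if data[:1] == b"\xc0" else data[:-2]   # drop GET RESPONSE byte
    if body[:1] != b"\xdb":
        raise ValueError("not a successful-3G-authentication response (tag DB)")
    pos, fields = 1, {}
    for name in ("xres", "ck", "ik"):
        length = body[pos]
        fields[name] = body[pos + 1:pos + 1 + length].hex()
        pos += 1 + length
    if pos != len(body):
        raise ValueError("length fields do not add up to the response size")
    return fields

# qpIsim.c trace of the same authentication (copied from the page). The modem prints
# each byte with %x, so 0x0e shows up as a bare "e" and has to be re-padded.
IMS_LOG = """\
MSG IMS/High 21:31:57.090 qpIsim.c 04536 qpAMSS_GetAuthResponse - Copied Ck
MSG IMS/High 21:31:57.090 qpIsim.c 04541 qpAMSS_GetAuthResponse - e5 24
MSG IMS/High 21:31:57.090 qpIsim.c 04542 qpAMSS_GetAuthResponse - 14 98
MSG IMS/High 21:31:57.090 qpIsim.c 04541 qpAMSS_GetAuthResponse - 66 f1
MSG IMS/High 21:31:57.090 qpIsim.c 04542 qpAMSS_GetAuthResponse - 93 b2
MSG IMS/High 21:31:57.090 qpIsim.c 04541 qpAMSS_GetAuthResponse - a3 e
MSG IMS/High 21:31:57.090 qpIsim.c 04542 qpAMSS_GetAuthResponse - 43 4f
MSG IMS/High 21:31:57.090 qpIsim.c 04541 qpAMSS_GetAuthResponse - a2 fb
MSG IMS/High 21:31:57.090 qpIsim.c 04542 qpAMSS_GetAuthResponse - 16 9e
"""

def keys_from_ims_log(log_text):
    """Collect the bytes printed after each 'Copied Ck' / 'Copied Ik' marker."""
    keys, current = {}, None
    for line in log_text.splitlines():
        payload = line.partition("qpAMSS_GetAuthResponse - ")[2].strip()
        if payload.startswith("Copied "):
            current = payload.split()[1].lower()              # "ck" or "ik"
            keys[current] = ""
        elif current and payload and all(len(t) <= 2 and set(t) <= HEX for t in payload.split()):
            keys[current] += "".join(t.zfill(2) for t in payload.split())
        else:
            current = None                                    # any other trace ends the dump
    return keys
```

Wireshark's ESP key fields accept the result as hex with a 0x prefix, so the Ck string becomes the Encryption Key and the Ik string the Authentication Key.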
Decode ESP Packets in Wireshark v1.6.5

1. Run Wireshark (located at C:\Program Files\Wireshark\wireshark.exe).
2. Select Edit > Preferences > Protocols > ESP.
3. Check Attempt to detect/decode encrypted ESP payloads.
4. Type IPv6|*|*|* in SA#1.
5. Select Encryption Algorithm #1 (based on NV 69744 [iIpSecEncAlgo] and sent by the network in the 401 Unauthorized challenge).
6. Select Authentication Algorithm #1 (based on NV 69744 [iIpSecIntScheme] and sent by the network in the 401 Unauthorized challenge).
7. Type Ck in Encryption Key #1.
8. Type Ik in Authentication Key #1.
9. Click OK.


Decode ESP Packets in Wireshark v1.8.5 (1 of 2)

1. Run Wireshark (located at C:\Program Files\Wireshark\wireshark.exe).
2. Select Edit > Preferences > Protocols > ESP.
3. Check Attempt to detect/decode encrypted ESP payloads.
4. Click New.
5. Set Protocol to IPv6.
6. Type the Source IP address as the IP address of the UE.
7. Type the Destination IP as the IP address of the P-CSCF.
8. Type “*” in SPI.
9. Select Encryption (based on NV 69744 [iIpSecEncAlgo] and sent by the network in the 401 Unauthorized challenge).
10. Type Ck in Encryption Key.
11. Select Authentication (based on NV 69744 [iIpSecIntScheme] and sent by the network in the 401 Unauthorized challenge).
12. Type Ik in Authentication Key.
13. Click OK.

Decode ESP Packets in Wireshark v1.8.5 (2 of 2)

14. Wireshark now decodes ESP packets in the uplink direction, i.e., those sent from the Source IP (UE) to the Destination IP (P-CSCF).
15. Create another ESP SA following Steps 4 through 13, but swap the Source and Destination IPs, so that Wireshark also decodes ESP packets in the downlink direction, i.e., those sent from the Source IP (P-CSCF) to the Destination IP (UE).



Thank You
