Ipdecap

Ipdecap can decapsulate traffic encapsulated within GRE, IPIP, 6in4, ESP (ipsec) protocols, and can also remove IEEE 802.1Q (virtual lan) header.
It reads packets from an pcap file, removes the encapsulation protocol, and writes them to another pcap file.

Goals are:
Extract encapsulated tcp flow to analyze them with conventional tcp tools (tcptrace, tcpflow, …)
Reduce pcap files size by removing encapsulation protocol

Ipdecap was first written to analyze a strange tcp behavior encapsulated by ESP, without intervention on vpn endpoints.

Installation:
Dependances
Openssl
Libpcap

Compilation
wget https://github.com/lpefferkorn/ipdecap/archive/v0.7.tar.gz
tar xvzf v0.7.tar.gz
cd ipdecap-0.7
sh autogen.sh
./configure
make
make install

Use
Command line:
A source pcap file
An output pcap file
A configuration file to decrypt ESP packets
Maybe a bpf filter to limit packets to process.

Ipdecap 0.5, decapsulate GRE, IPIP, 6in4, ESP packets, remove 802.1Q header - Loic Pefferkorn

Supported encapsulation protocols
GRE
IPIP
6in4 (IPv6 encapsulated within IPv4)
ESP (ipsec, tunnel mode)

ESP algorithms
(crypt) des-cbc 3des-cbc aes128-cbc aes128-ctr null_enc
(auth) hmac_md5-96 hmac_sha1-96 aes_xcbc_mac-96 null_auth any96 any128 any160 any192 any256 any384 any512

Usage
ipdecap [-v] [-l] [-V] -i input.cap -o output.cap [-c esp.conf] [-f ]
Options:
-c, --conf configuration file for ESP parameters (IP addresses, algorithms, ... (see man ipdecap)
-h, --help this help message
-i, --input pcap file to process
-o, --output pcap file with decapsulated data
-f, --filter only process packets matching the bpf filter
-l, --list list availables ESP encryption and authentication algorithms
-V, --version print version
-v, --verbose verbose

To process GRE, IPIP, 6in4 and 802.1Q protocols, only -i and -o parameters are mandatory

Examples
Remove GREP encapsulation from packets located in gre.cap file, and write them in output.cap
ipdecap -i gre.cap -o output.cap

Remove ESP encapsulation, configuration in esp.conf
ipdecap -i esp.cap -o output.cap -c esp.conf

Remove IPIP encapsulation, but only for traffic between 192.168.2.100 and 192.168.2.101
ipdecap -i ipip.cap -o output.cap -f "src 192.168.2.100 and dst 192.168.2.101

ESP configuration file
Text file with informations needed to decrypt ESP packets. (hosts, algorithms, keys, spi)

Format
A line per flow