Ipdecap can decapsulate traffic encapsulated within GRE, IPIP, 6in4, ESP (ipsec) protocols, and can also remove IEEE 802.1Q (virtual lan) header.
It reads packets from an pcap file, removes the encapsulation protocol, and writes them to another pcap file.

Goals are:
Extract encapsulated tcp flow to analyze them with conventional tcp tools (tcptrace, tcpflow, …)
Reduce pcap files size by removing encapsulation protocol

Ipdecap was first written to analyze a strange tcp behavior encapsulated by ESP, without intervention on vpn endpoints.


wget https://github.com/lpefferkorn/ipdecap/archive/v0.7.tar.gz
tar xvzf v0.7.tar.gz
cd ipdecap-0.7
sh autogen.sh
make install

Command line:
A source pcap file
An output pcap file
A configuration file to decrypt ESP packets
Maybe a bpf filter to limit packets to process.

Ipdecap 0.5, decapsulate GRE, IPIP, 6in4, ESP packets, remove 802.1Q header - Loic Pefferkorn

Supported encapsulation protocols
6in4 (IPv6 encapsulated within IPv4)
ESP (ipsec, tunnel mode)

ESP algorithms
(crypt) des-cbc 3des-cbc aes128-cbc aes128-ctr null_enc
(auth) hmac_md5-96 hmac_sha1-96 aes_xcbc_mac-96 null_auth any96 any128 any160 any192 any256 any384 any512

ipdecap [-v] [-l] [-V] -i input.cap -o output.cap [-c esp.conf] [-f ]
-c, --conf configuration file for ESP parameters (IP addresses, algorithms, ... (see man ipdecap)
-h, --help this help message
-i, --input pcap file to process
-o, --output pcap file with decapsulated data
-f, --filter only process packets matching the bpf filter
-l, --list list availables ESP encryption and authentication algorithms
-V, --version print version
-v, --verbose verbose

To process GRE, IPIP, 6in4 and 802.1Q protocols, only -i and -o parameters are mandatory

Remove GREP encapsulation from packets located in gre.cap file, and write them in output.cap
ipdecap -i gre.cap -o output.cap

Remove ESP encapsulation, configuration in esp.conf
ipdecap -i esp.cap -o output.cap -c esp.conf

Remove IPIP encapsulation, but only for traffic between and
ipdecap -i ipip.cap -o output.cap -f "src and dst

ESP configuration file
Text file with informations needed to decrypt ESP packets. (hosts, algorithms, keys, spi)

A line per flow