To verify that packets are protected, test the connection with the snoop command. The following prefixes can appear in the snoop output:
AH: prefix – Indicates that AH is protecting the headers. You see AH: if you used auth_alg to protect the traffic.
ESP: prefix – Indicates that encrypted data is being sent. You see ESP: if you used encr_auth_alg or encr_alg to protect the traffic.
You must be root or an equivalent role to read the snoop output. You must have access to both systems to test the connection.
1. On one system, such as partym, become root.

    % su
    Password: root-password
    #

2. In a terminal window, begin to snoop the packets from another system, such as enigma.

    # snoop -v enigma
    Using device /dev/hme (promiscuous mode)

3. In another terminal window, remotely log on to the enigma system. Provide your password. Then become root, and send a packet from enigma to the partym system.

    % rlogin enigma
    Password: your-password
    % su
    Password: root-password
    # ping partym

4. In the snoop window on partym, you should see output that looks something like the following:

    IP:   Time to live = 64 seconds/hops
    IP:   Protocol = 51 (AH)
    IP:   Header checksum = 4e0e
    IP:   Source address = 192.168.116.16, enigma
    IP:   Destination address = 192.168.13.213, partym
    IP:   No options
    IP:
    AH:  ----- Authentication Header -----
    AH:
    AH:  Next header = 50 (ESP)
    AH:  AH length = 4 (24 bytes)
    AH:  <Reserved field = 0x0>
    AH:  SPI = 0xb3a8d714
    AH:  Replay = 52
    AH:  ICV = c653901433ef5a7d77c76eaa
    AH:
    ESP:  ----- Encapsulating Security Payload -----
    ESP:
    ESP:  SPI = 0xd4f40a61
    ESP:  Replay = 52
    ESP:     ....ENCRYPTED DATA....

    ETHER:  ----- Ether Header -----
    ETHER:
    ETHER:  Packet 20 arrived at 9:44:36.59
    ETHER:  Packet size = 98 bytes
    ETHER:  Destination = 8:0:27:aa:11:11, Sun
    ETHER:  Source      = 8:0:22:aa:22:2, Sun
    ETHER:  Ethertype = 0800 (IP)
    ETHER:
    IP:   ----- IP Header -----
    IP:
    IP:   Version = 4
    IP:   Header length = 20 bytes
    IP:   Type of service = 0x00
    IP:         xxx. .... = 0 (precedence)
    IP:         ...0 .... = normal delay
    IP:         .... 0... = normal throughput
    IP:         .... .0.. = normal reliability
    IP:         .... ..0. = not ECN capable transport
    IP:         .... ...0 = no ECN congestion experienced
    IP:   Total length = 84 bytes
    IP:   Identification = 40933
    IP:   Flags = 0x4
    IP:         .1.. .... = do not fragment
    IP:         ..0. .... = last fragment
    IP:   Fragment offset = 0 bytes
    IP:   Time to live = 60 seconds/hops
    IP:   Protocol = 51 (AH)
    IP:   Header checksum = 22cc
    …
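As an added example, not part of the original procedure or of the snoop tool, the following parser applies the AH:/ESP: prefix rule to saved "snoop -v" output: it reads one packet per "Packet N arrived" line, records protocol, addresses, SPI and replay counter under the prefix that printed them, and lists any packet between the two hosts that carries neither header. The excerpt it parses is constructed in the shape shown above; the second (plain ICMP) packet and its timestamp are sample values, not from the page.

```python
import re

# Constructed excerpt of "snoop -v" output in the shape this page shows (not a real capture):
# packet 20 is AH+ESP from enigma to partym, packet 21 is a plain ICMP packet on the same path.
SAMPLE = """\
ETHER:  Packet 20 arrived at 9:44:36.59
IP:   Protocol = 51 (AH)
IP:   Source address = 192.168.116.16, enigma
IP:   Destination address = 192.168.13.213, partym
AH:  SPI = 0xb3a8d714
AH:  Replay = 52
ESP:  SPI = 0xd4f40a61
ESP:  Replay = 52
ETHER:  Packet 21 arrived at 9:44:37.12
IP:   Protocol = 1 (ICMP)
IP:   Source address = 192.168.116.16, enigma
IP:   Destination address = 192.168.13.213, partym
"""

NEW_PACKET = re.compile(r"^ETHER:\s+Packet (\d+) arrived")
FIELD = re.compile(r"^(IP|AH|ESP):\s+(Protocol|Source address|Destination address|SPI|Replay) = (.+)$")

def parse_snoop(text):
    """One dict per packet; AH/ESP fields are keyed by the prefix that printed them."""
    packets = []
    for line in text.splitlines():
        if m := NEW_PACKET.match(line):
            packets.append({"number": int(m.group(1)), "src": "", "dst": "", "protocol": 0})
            continue
        m = FIELD.match(line)
        if not m or not packets:
            continue
        layer, key, val = m.groups()
        p = packets[-1]
        if key == "Protocol":
            p["protocol"] = int(val.split()[0])          # "51 (AH)" -> 51
        elif key.endswith("address"):
            p["src" if key[0] == "S" else "dst"] = val.split(",")[0]
        else:                                            # SPI or Replay
            p[f"{layer}_{key}"] = val if key == "SPI" else int(val)
    return packets

def protection(p):
    """'AH+ESP', 'AH', 'ESP' or 'none', by the prefix rule in the procedure above."""
    return "+".join(k for k in ("AH", "ESP") if f"{k}_SPI" in p) or "none"

def unprotected(packets, src, dst):
    """Numbers of packets from src to dst that carry neither AH nor ESP."""
    return [p["number"] for p in packets
            if p["src"] == src and p["dst"] == dst and protection(p) == "none"]
```

Run it against a file saved with "snoop -v enigma > capture.txt" on partym to confirm that every packet on the protected path is reported as AH, ESP or AH+ESP and that unprotected() returns an empty list.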