In order to enable ESP decoding for TShark, the ~/.wireshark/preferences file must be edited by hand. The key/value pairs in question are below:
# This is done only if the Decoding is not SET or the packet does not # belong to a SA. Assumes a 12 byte auth # (HMAC-SHA1-96/HMAC-MD5-96/AES-XCBC-MAC-96) and attempts decode based # on the ethertype 13 bytes from packet end # TRUE or FALSE (case-insensitive). esp.enable_null_encryption_decode_heuristic: TRUE # Attempt to decode based on the SAD described hereafter. # TRUE or FALSE (case-insensitive). esp.enable_encryption_decode: FALSE # Attempt to Check ESP Authentication based on the SAD described hereafter. # TRUE or FALSE (case-insensitive). esp.enable_authentication_check: FALSE # SA identifier. Must have the form "Protocol|Source # Address|Destination Adress|SPI". Example: # "IPv4|192.168.0.45|10.1.2.7|*" See the ESP Preferences page on the # Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for more # details. # A string. esp.sa_1: # Encryption algorithm # One of: NULL, TripleDES-CBC [RFC2451], AES-CBC [RFC3602], AES-CTR # [RFC3686], DES-CBC [RFC2405], BLOWFISH-CBC [RFC2451], TWOFISH-CBC # (case-insensitive). esp.encryption_algorithm_1: NULL # Authentication algorithm # One of: NULL, HMAC-SHA1-96 [RFC2404], HMAC-SHA256, HMAC-MD5-96 # [RFC2403], ANY 12-bytes of Authentication [No Checking] # (case-insensitive). esp.authentication_algorithm_1: NULL # Encryption key. May be ASCII or hexadecimal (if prepended with 0x). # See the ESP Preferences page on the Wireshark wiki # (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.encryption_key_1: # Authentication key. May be ASCII or hex (if prepended with 0x). See # the ESP Preferences page on the Wireshark wiki # (http://wiki.wireshark.org/ESP_Preferences) for supported sizes. # A string. esp.authentication_key_1: