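To enable ESP decoding in TShark, edit the ~/.wireshark/preferences file by hand. The relevant key/value pairs are listed below. As listed, esp.enable_encryption_decode and esp.enable_authentication_check are FALSE; set them to TRUE for the SA, algorithm and key entries to take effect. Because the encryption and authentication keys are stored in this file in plain text, keep it readable only by your own user (for example, chmod 600 ~/.wireshark/preferences) and remove the keys once the analysis is done.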

# Heuristic decoding of NULL-encrypted ESP payloads. This is done only if
# decoding is not set or the packet does not belong to an SA. Assumes a
# 12-byte authentication field (HMAC-SHA1-96/HMAC-MD5-96/AES-XCBC-MAC-96)
# and attempts to decode based on the ethertype 13 bytes from the packet end.

# TRUE or FALSE (case-insensitive).
esp.enable_null_encryption_decode_heuristic: TRUE

# Attempt to decode based on the SAD (Security Association Database) described hereafter.
# TRUE or FALSE (case-insensitive).
esp.enable_encryption_decode: FALSE

# Attempt to Check ESP Authentication based on the SAD described hereafter.
# TRUE or FALSE (case-insensitive).
esp.enable_authentication_check: FALSE

# SA identifier.  Must have the form "Protocol|Source
# Address|Destination Address|SPI". Example:
# "IPv4|192.168.0.45|10.1.2.7|*" See the ESP Preferences page on the
# Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for more
# details.

# A string.
esp.sa_1:

# Encryption algorithm
# One of: NULL, TripleDES-CBC [RFC2451], AES-CBC [RFC3602], AES-CTR
# [RFC3686], DES-CBC [RFC2405], BLOWFISH-CBC [RFC2451], TWOFISH-CBC
# (case-insensitive).
esp.encryption_algorithm_1: NULL

# Authentication algorithm
# One of: NULL, HMAC-SHA1-96 [RFC2404], HMAC-SHA256, HMAC-MD5-96
# [RFC2403], ANY 12-bytes of Authentication [No Checking]
# (case-insensitive).
esp.authentication_algorithm_1: NULL

# Encryption key. May be ASCII or hexadecimal (if prepended with 0x).
# See the ESP Preferences page on the Wireshark wiki
# (http://wiki.wireshark.org/ESP_Preferences) for supported sizes.

# A string.
esp.encryption_key_1:

# Authentication key. May be ASCII or hex (if prepended with 0x). See
# the ESP Preferences page on the Wireshark wiki
# (http://wiki.wireshark.org/ESP_Preferences) for supported sizes.

# A string.
esp.authentication_key_1:
