In order to enable ESP decoding for TShark, the ~/.wireshark/preferences file must be edited by hand. The key/value pairs in question are below:
# This is done only if the Decoding is not SET or the packet does not
# belong to a SA. Assumes a 12 byte auth
# (HMAC-SHA1-96/HMAC-MD5-96/AES-XCBC-MAC-96) and attempts decode based
# on the ethertype 13 bytes from packet end
# TRUE or FALSE (case-insensitive).
esp.enable_null_encryption_decode_heuristic: TRUE
# Attempt to decode based on the SAD described hereafter.
# TRUE or FALSE (case-insensitive).
esp.enable_encryption_decode: FALSE
# Attempt to Check ESP Authentication based on the SAD described hereafter.
# TRUE or FALSE (case-insensitive).
esp.enable_authentication_check: FALSE
# SA identifier. Must have the form "Protocol|Source
# Address|Destination Adress|SPI". Example:
# "IPv4|192.168.0.45|10.1.2.7|*" See the ESP Preferences page on the
# Wireshark wiki (http://wiki.wireshark.org/ESP_Preferences) for more
# details.
# A string.
esp.sa_1:
# Encryption algorithm
# One of: NULL, TripleDES-CBC [RFC2451], AES-CBC [RFC3602], AES-CTR
# [RFC3686], DES-CBC [RFC2405], BLOWFISH-CBC [RFC2451], TWOFISH-CBC
# (case-insensitive).
esp.encryption_algorithm_1: NULL
# Authentication algorithm
# One of: NULL, HMAC-SHA1-96 [RFC2404], HMAC-SHA256, HMAC-MD5-96
# [RFC2403], ANY 12-bytes of Authentication [No Checking]
# (case-insensitive).
esp.authentication_algorithm_1: NULL
# Encryption key. May be ASCII or hexadecimal (if prepended with 0x).
# See the ESP Preferences page on the Wireshark wiki
# (http://wiki.wireshark.org/ESP_Preferences) for supported sizes.
# A string.
esp.encryption_key_1:
# Authentication key. May be ASCII or hex (if prepended with 0x). See
# the ESP Preferences page on the Wireshark wiki
# (http://wiki.wireshark.org/ESP_Preferences) for supported sizes.
# A string.
esp.authentication_key_1:
Imported from https://wiki.wireshark.org/TShark_ESP_Preferences on 2020-08-11 23:26:57 UTC