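#!/bin/sh
# espdump - inspired by dan at geek dot com dot au
#
# Parses the output of "setkey -D" to build the argument to tcpdump's -E flag
# for decoding ESP payload, then runs tcpdump on ESP traffic.
#
# Usage: espdump [tcpdump options...]
#   Any arguments are passed through to tcpdump unchanged.
#
# Security notes:
#   - The -E argument built below contains the live ESP encryption keys that
#     "setkey -D" reports. It is handed to tcpdump on its command line, so
#     for as long as the capture runs the keys are readable by other local
#     users through ps(1). Use this on a debugging host only, and rekey the
#     SAs afterwards if the host is shared.
#   - tcpdump's -E option also accepts a "file NAME" form that reads the
#     same entries from a file; with a mode-0600 file that keeps the keys
#     out of the process list.
#   - Do not run this script under "sh -x" or with output captured to a log:
#     the trace would record the keys.

# Build a comma-separated list of "spi@dst algo-hmac96:0xKEY" entries, one per
# SA for which setkey printed an address line, an spi= field and an E: line.
# NOTE: the perl program is single-quoted; keep apostrophes out of it.
dashe=$(setkey -D | perl -e '
  $sa = 0;
  while (<>) {
    if (/^[0-9][^\s]*\s([^\s]*)/) {
      # Address line: starts a new SA; the second field is kept as dip.
      $sa++;
      $h{$sa}{dip} = $1;
    } elsif (/spi=\d+\((0x[0-9a-f]*)/) {
      # The hex form of the SPI, taken from inside the parentheses.
      $h{$sa}{spi} = $1;
    } elsif (/^\s+E:\s+([^\s]*)\s+([^\s].*)/) {
      # Encryption line: algorithm name, then the key as spaced hex groups.
      $algo = $1;
      $secret = $2;
      $secret =~ s/\s+//g;
      $h{$sa}{key} = "$algo-hmac96:0x$secret";
    }
  }
  foreach $sa (sort keys(%h)) {
    $dip = $h{$sa}{dip};
    $spi = $h{$sa}{spi};
    $key = $h{$sa}{key};
    # Skip SAs that are missing any of the three parts.
    if (defined($spi) && defined($key) && defined($dip)) {
      $dashe = (defined($dashe) ? $dashe . "," : "") . "$spi\@$dip $key";
    }
  }
  # print, not printf: the collected text is data, never a format string.
  print $dashe if defined($dashe);
')

if [ -n "$dashe" ]; then
  # "$@" (not $*) so that tcpdump arguments containing spaces stay intact.
  /usr/pkg/sbin/tcpdump "$@" -vv -s0 -E "$dashe" esp
else
  # Nothing to decrypt with: say so instead of passing an empty -E value.
  echo "espdump: no usable ESP SA in setkey -D output; capturing without decryption" >&2
  /usr/pkg/sbin/tcpdump "$@" -vv -s0 esp
fi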