LinuxCommandLibrary

espdiff

Compare embedded system program files for differences

SYNOPSIS

espdiff [-v] [file1 [file2]]

PARAMETERS

-v
    Enable verbose mode for detailed hex dumps and side-by-side comparison

DESCRIPTION

espdiff is a specialized utility from the ipsec-tools package designed to compare two Encapsulating Security Payload (ESP) packets, commonly used in IPsec VPN implementations for encryption and authentication.

It reads binary packet dumps (typically from tools like tcpdump) and highlights differences in ESP headers, payloads, authentication data, or padding. This is invaluable for debugging IPsec tunnels where packet mutations or key mismatches cause issues.

By default, it performs a binary diff, ignoring non-ESP parts if present, and outputs offsets and byte differences. When used interactively or with verbose mode, it provides human-readable hex dumps side-by-side, aiding in spotting subtle changes like IV variations or replay issues.

espdiff assumes input files contain full IP packets with ESP encapsulation. It is lightweight and fast for small captures, but it is best suited to targeted analysis of a few packets rather than bulk traffic.
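The comparison the description attributes to espdiff (skip the non-ESP part, diff the ESP bytes, report offsets, show a verbose side-by-side dump) can be illustrated with a small stand-alone script. The code below is an added example and is not espdiff or any ipsec-tools code. It locates ESP inside a raw IPv4 packet by the IP protocol number 50, labels each differing offset with the ESP field it falls in (SPI, sequence number, IV, payload, ICV, laid out per RFC 4303), and prints one line per difference in the style of the example output further down. The IV length (16 bytes) and ICV length (12 bytes) are assumptions passed as parameters, since they depend on the negotiated algorithms; the two sample packets are constructed inline with a zero IP checksum and dummy ciphertext.

```python
import struct
from typing import Dict, List, Tuple

ESP_PROTO = 50  # IP protocol number for ESP (RFC 4303)


def esp_offset(pkt: bytes) -> int:
    """Return the offset of the ESP header in a raw IPv4 packet (skips the IP header)."""
    if len(pkt) < 20:
        raise ValueError("packet too short for an IPv4 header")
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4:
        raise ValueError(f"unsupported IP version {version}")
    if pkt[9] != ESP_PROTO:
        raise ValueError(f"not an ESP packet (IP protocol {pkt[9]})")
    if len(pkt) < ihl + 8:
        raise ValueError("packet too short for an ESP SPI and sequence number")
    return ihl


def esp_fields(esp_len: int, iv_len: int, icv_len: int) -> Dict[str, Tuple[int, int]]:
    """ESP layout per RFC 4303: SPI(4) | Seq(4) | IV | ciphertext+trailer | ICV.
    IV and ICV sizes depend on the negotiated algorithms, so they are parameters (assumed here)."""
    icv_start = max(8 + iv_len, esp_len - icv_len)
    return {
        "spi": (0, 4),
        "seq": (4, 8),
        "iv": (8, 8 + iv_len),
        "payload": (8 + iv_len, icv_start),
        "icv": (icv_start, esp_len),
    }


def field_at(fields: Dict[str, Tuple[int, int]], off: int) -> str:
    for name, (start, end) in fields.items():
        if start <= off < end:
            return name
    return "beyond-end"


def esp_diff(pkt1: bytes, pkt2: bytes, iv_len: int = 16, icv_len: int = 12) -> List[dict]:
    """Byte-wise diff of the ESP portions of two raw IPv4 packets.
    Returns one record per differing offset (relative to the ESP header), labelled
    with the ESP field of the first packet it falls in; a missing byte is reported as None."""
    esp1, esp2 = pkt1[esp_offset(pkt1):], pkt2[esp_offset(pkt2):]
    fields = esp_fields(len(esp1), iv_len, icv_len)
    diffs = []
    for off in range(max(len(esp1), len(esp2))):
        a = esp1[off] if off < len(esp1) else None
        b = esp2[off] if off < len(esp2) else None
        if a != b:
            diffs.append({"offset": off, "field": field_at(fields, off), "a": a, "b": b})
    return diffs


def changed_fields(diffs: List[dict]) -> List[str]:
    """Distinct ESP fields touched, in first-seen order (a quick 'what changed' summary)."""
    seen: List[str] = []
    for d in diffs:
        if d["field"] not in seen:
            seen.append(d["field"])
    return seen


def format_diff(d: dict) -> str:
    fmt = lambda v: "absent" if v is None else f"0x{v:02x}"
    return f"Offset 0x{d['offset']:02x} ({d['field']}): {fmt(d['a'])} != {fmt(d['b'])}"


def side_by_side(pkt1: bytes, pkt2: bytes, width: int = 16) -> List[str]:
    """Verbose view: hex dump of both ESP segments side by side; '*' marks rows that differ."""
    esp1, esp2 = pkt1[esp_offset(pkt1):], pkt2[esp_offset(pkt2):]
    lines = []
    for off in range(0, max(len(esp1), len(esp2)), width):
        r1, r2 = esp1[off:off + width], esp2[off:off + width]
        mark = "*" if r1 != r2 else " "
        lines.append(f"{off:04x}  {r1.hex(' '):<{width * 3 - 1}}  {r2.hex(' '):<{width * 3 - 1}}  {mark}")
    return lines


def build_packet(seq: int, iv: bytes, payload: bytes, icv: bytes) -> bytes:
    """Constructed sample: IPv4 header (checksum left zero) + ESP with SPI 0x1001."""
    esp = struct.pack("!II", 0x1001, seq) + iv + payload + icv
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0x1234, 0x4000, 64,
                     ESP_PROTO, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + esp


# Constructed inputs: same SPI and payload, but the second packet has a new
# sequence number, one flipped IV byte and a different ICV.
IV_A = bytes(range(16))
IV_B = IV_A[:3] + b"\xff" + IV_A[4:]
PKT_A = build_packet(1, IV_A, b"\xaa" * 32, b"\x11" * 12)
PKT_B = build_packet(2, IV_B, b"\xaa" * 32, b"\x22" * 12)

if __name__ == "__main__":
    for d in esp_diff(PKT_A, PKT_B):
        print(format_diff(d))
    print("\n".join(side_by_side(PKT_A, PKT_B)))
    print("fields changed:", changed_fields(esp_diff(PKT_A, PKT_B)))
```

Feeding two consecutive packets of a healthy tunnel through this should touch only the sequence number, IV and ICV (plus the ciphertext, which changes with the IV); a difference confined to the SPI or to the IP header instead points at a selector or policy problem rather than at the crypto state.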

Installation requires the ipsec-tools package (e.g., via apt install ipsec-tools on Debian-based systems), though it's less common today with modern stacks like strongSwan favoring integrated tools.

CAVEATS

Requires ipsec-tools package; inputs must be raw binary ESP packets; deprecated in some distros favoring strongSwan/Libreswan; no support for AH packets or compressed payloads.

EXAMPLE USAGE

espdiff -v capture1.pcap capture2.pcap
Outputs: Offset 0x10: 0xdead != 0xbeef (possible IV mismatch)

INPUT PREPARATION

Use tcpdump -w file.pcap esp to capture ESP traffic; extract single packets with editcap or tshark for precise diffs.

HISTORY

Developed as part of ipsec-tools (circa 2000s) for Racoon IKE daemon; peaked in usage with early Linux IPsec setups; largely superseded post-2010 by kernel-native IPsec and alternatives like strongSwan (2012+). Still maintained in some forks.

SEE ALSO

diff(1), tcpdump(8), wireshark(1), ipsec(8)
