Have you ever found yourself in need of decrypting ESP packets nested within UDP encapsulation using Wireshark, especially when dealing with setups similar to those found in Cisco SD-WAN?

Wireshark does this automatically for NAT-T packets destined to UDP port 4500, but for other ports we have to force it manually:

So, simply right-click the UDP packet and go to “Decode As”:

And choose “UDPEncap” to reveal the ESP SPI and sequence numbers.
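What the UDPENCAP decoding reads out of the UDP payload, as an added example that is not part of the original post: the RFC 3948 framing parsed in Python. The function name, port 12346 and the SPI/sequence values are constructed for illustration.

```python
import struct

# RFC 3948: four zero bytes precede IKE traffic; an all-zero SPI is never valid ESP.
NON_ESP_MARKER = b"\x00\x00\x00\x00"

def dissect_udpencap(datagram: bytes) -> dict:
    """Parse a UDP datagram (header + payload) as RFC 3948 UDP encapsulation."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _cksum = struct.unpack("!HHHH", datagram[:8])
    payload = datagram[8:length]  # honour the UDP length field, drop any trailer
    info = {"sport": sport, "dport": dport}
    if payload == b"\xff":
        info["type"] = "nat-keepalive"   # single 0xFF octet
    elif payload[:4] == NON_ESP_MARKER:
        info["type"] = "ike"             # IKE message follows the marker
    elif len(payload) < 8:
        info["type"] = "malformed"       # too short for SPI + sequence number
    else:
        # ESP header: 32-bit SPI, then 32-bit sequence number, both cleartext.
        spi, seq = struct.unpack("!II", payload[:8])
        info.update(type="esp", spi=spi, sequence=seq,
                    esp_body_len=len(payload) - 8)  # IV + ciphertext + ICV
    return info

def udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP datagram with checksum 0 (constructed sample data only)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

# Constructed samples: ESP on a non-4500 port, plus the two non-ESP cases.
SAMPLE_ESP = udp(12346, 12346, struct.pack("!II", 0x00000103, 42) + bytes(32))
SAMPLE_KEEPALIVE = udp(4500, 4500, b"\xff")
SAMPLE_IKE = udp(4500, 4500, NON_ESP_MARKER + bytes(28))

if __name__ == "__main__":
    for name, dgram in [("esp", SAMPLE_ESP), ("keepalive", SAMPLE_KEEPALIVE),
                        ("ike", SAMPLE_IKE)]:
        print(name, dissect_udpencap(dgram))
```

Only the SPI and sequence number are readable this way; the rest of the ESP payload stays encrypted.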

Hope this helps!

Mehdi SFAR (CCDE 2021:3, CCIE #51583)