Have you ever found yourself in need of decrypting ESP packets nested within UDP encapsulation using Wireshark, especially when dealing with setups similar to those found in Cisco SD-WAN?
Wireshark does this automatically for NAT-T packets destined to UDP port 4500, but for other ports we have to force it manually:
So, simply right-click on the UDP packet and go to “Decode As”:
And choose “UDPEncap” to reveal the ESP SPI and sequence numbers:
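To see what that decode step extracts, here is an added example (not part of the original post) that parses a UDP datagram using the RFC 3948 framing: it separates NAT keepalives and IKE from ESP and returns the SPI and sequence number. The port, SPI and packet bytes are constructed sample values, and the function names are hypothetical.

```python
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: four zero bytes mark IKE, not ESP

def classify_udpencap(payload: bytes) -> dict:
    """Classify a UDP payload according to the RFC 3948 framing rules."""
    if payload == b"\xff":
        return {"type": "nat-keepalive"}          # single 0xFF octet
    if len(payload) < 4:
        return {"type": "malformed", "reason": "shorter than an SPI"}
    if payload[:4] == NON_ESP_MARKER:
        return {"type": "ike", "ike_len": len(payload) - 4}
    if len(payload) < 8:
        return {"type": "malformed", "reason": "ESP header truncated"}
    # ESP header: 32-bit SPI followed by 32-bit sequence number, network order.
    spi, seq = struct.unpack("!II", payload[:8])
    # Everything after the header (IV, ciphertext, ICV) stays opaque without keys.
    return {"type": "esp", "spi": spi, "seq": seq, "remaining_len": len(payload) - 8}

def parse_udp_datagram(datagram: bytes) -> dict:
    """Parse the 8-byte UDP header, then classify what it carries."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, _checksum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("UDP length field inconsistent with captured bytes")
    result = classify_udpencap(datagram[8:length])
    result.update(sport=sport, dport=dport)
    return result

def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Helper that builds a constructed UDP datagram (checksum left at 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

# Constructed samples: a non-4500 port, a made-up SPI and zeroed "ciphertext".
SAMPLE_PORT = 12346
ESP_SAMPLE = build_udp(SAMPLE_PORT, SAMPLE_PORT,
                       struct.pack("!II", 0x00000105, 42) + bytes(32))
KEEPALIVE_SAMPLE = build_udp(SAMPLE_PORT, SAMPLE_PORT, b"\xff")
IKE_SAMPLE = build_udp(SAMPLE_PORT, SAMPLE_PORT, NON_ESP_MARKER + bytes(28))

if __name__ == "__main__":
    for name, pkt in [("esp", ESP_SAMPLE), ("keepalive", KEEPALIVE_SAMPLE),
                      ("ike", IKE_SAMPLE)]:
        print(name, parse_udp_datagram(pkt))
```

The same Decode As override can be applied from the command line with `tshark -d udp.port==<port>,udpencap`.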
Hope this helps!