Hello Hongxing
The "Encapsulating Security Payload" section of the capture is the encrypted portion of the payload that cannot be read by default on Wireshark. However, it is possible to have Wireshark decipher the contents of that portion of the payload. In order to do this, you must:
- Navigate to Edit → Preferences → Protocol → ESP
- Select the check box “Attempt to detect/decode encrypted ESP payload”
- Click on Edit in “ESP SA” and click “New”
- Enter the following information:
  - Source and destination IP
  - IP SPI
  - Encryption and authentication algorithm
  - Encryption and authentication key for both directions
Once that info is in place, you should find that the packets are decrypted and they can be read.
An example of this process can be found at this Wireshark Q&A page.
This particular example examines the ESP encrypted packets from a Linux device, but the concept is the same.
I hope this has been helpful!
Laz