add initial implementation of GCNet packet decryptor with pcapng support

2026-04-08 16:00:56 -03:00 · 2026-04-08 16:00:56 -03:00 · acf58a7085
commit acf58a7085
18 changed files with 1637 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,72 @@
+# =====================
+# Java / Maven
+# =====================
+target/
+*.class
+*.jar
+*.war
+*.ear
+*.log
+*.tmp
+
+# Maven
+pom.xml.tag
+pom.xml.releaseBackup
+pom.xml.versionsBackup
+pom.xml.next
+release.properties
+dependency-reduced-pom.xml
+buildNumber.properties
+.mvn/timing.properties
+
+# =====================
+# IDE - JetBrains (IntelliJ, etc.)
+# =====================
+.idea/
+*.iws
+*.iml
+*.ipr
+out/
+
+# Eclipse
+.classpath
+.project
+.settings/
+bin/
+
+# VS Code
+.vscode/
+
+# NetBeans
+nbproject/
+nbbuild/
+dist/
+nbdist/
+.nb-gradle/
+
+# =====================
+# OS Files
+# =====================
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
+Thumbs.db
+
+# =====================
+# Test / Capture Files
+# =====================
+*.pcapng
+*.pcap
+*.cap
+*.dump
+
+# =====================
+# Miscellaneous
+# =====================
+*.swp
+*.swo
+*~
+.recommenders
--- a/README.md
+++ b/README.md
@ -0,0 +1,134 @@
+# GCNet Packet Decryptor
+
+A Java tool to decrypt and analyze GCNet (Grand Chase) packets from pcapng capture files.
+
+## Overview
+
+This tool reads pcapng files containing network captures of Grand Chase game traffic, filters TCP packets on a specified port (default: 8501), and decrypts them using the GCNet security protocol. It automatically:
+
+1. Parses pcapng file format
+2. Extracts TCP segments and filters by port
+3. Detects the initial key exchange packet (opcode 1) to obtain session keys
+4. Decrypts all subsequent packets using DES-CBC
+5. Validates packet integrity using MD5-HMAC ICV
+6. Decompresses zlib-compressed payloads
+7. Displays decrypted packet contents in human-readable format
+
+## Building
+
+```bash
+mvn clean package
+```
+
+This creates two JAR files in `target/`:
+- `gcnet-decryptor-1.0.0.jar` - Standalone JAR (requires dependencies)
+- `gcnet-decryptor-1.0.0-jar-with-dependencies.jar` - Fat JAR with all dependencies (recommended)
+
+## Usage
+
+```bash
+java -jar target/gcnet-decryptor-1.0.0-jar-with-dependencies.jar <pcapng-file> [port]
+```
+
+**Parameters:**
+- `<pcapng-file>`: Path to the pcapng capture file (required)
+- `[port]`: TCP port to filter on (default: 8501)
+
+**Examples:**
+
+```bash
+# Decrypt packets on default port 8501
+java -jar target/gcnet-decryptor-1.0.0-jar-with-dependencies.jar capture.pcapng
+
+# Decrypt packets on custom port
+java -jar target/gcnet-decryptor-1.0.0-jar-with-dependencies.jar capture.pcapng 9001
+```
+
+## How It Works
+
+### GCNet Protocol Structure
+
+The GCNet protocol has two main layers:
+
+#### 1. Security Layer
+- **Size** (2 bytes): Total security layer size
+- **SPI** (2 bytes): Security Parameters Index
+- **Sequence Number** (4 bytes): Packet counter
+- **IV** (8 bytes): DES initialization vector
+- **Encrypted Payload** (variable): DES-CBC encrypted data
+- **ICV** (10 bytes): Integrity check value (MD5-HMAC truncated)
+
+#### 2. Payload Layer
+- **Opcode** (2 bytes): Packet type identifier
+- **Content Size** (4 bytes): Size of content
+- **Compression Flag** (1 byte): Whether content is zlib-compressed
+- **Content** (variable): Actual data (possibly compressed)
+- **Null Padding** (4 bytes): End padding
+
+### Key Exchange
+
+The first packet (opcode 1) contains the session keys:
+- Sent by server using default keys
+- Contains new SPI, authentication key, and encryption key
+- All subsequent packets use these new keys
+
+**Default Keys:**
+- Encryption Key: `C7 D8 C4 BF B5 E9 C0 FD`
+- Authentication Key: `C0 D3 BD C3 B7 CE B8 B8`
+
+### Encryption
+
+- **Algorithm**: DES in CBC mode
+- **Padding**: Custom GCNet padding scheme (incrementing bytes)
+- **Integrity**: MD5-HMAC truncated to 10 bytes
+
+### Compression
+
+- **Algorithm**: zlib
+- **Header**: `78 01`
+- **Structure**: First 4 bytes indicate decompressed size (little-endian)
+
+## Output Format
+
+For each packet, the tool displays:
+- Source/destination IP and port
+- TCP sequence number
+- SPI and IV values
+- ICV validation status
+- Opcode and content size
+- Hex dump of decrypted content
+- Extracted readable strings
+
+## Project Structure
+
+```
+gcnet-decryptor/
+├── pom.xml
+└── src/main/java/com/gcnet/decryptor/
+    ├── GCNetDecryptor.java              # Main application
+    ├── pcapng/
+    │   ├── PcapngParser.java            # pcapng file parser (wraps pcapngdecoder)
+    │   └── TcpPacketParser.java         # TCP segment extractor
+    ├── security/
+    │   └── GCNetSecurityAssociation.java # Decryption & ICV validation
+    └── payload/
+        └── GCNetPayloadParser.java      # Payload parser & decompression
+```
+
+## Dependencies
+
+- **[pcapng-decoder](https://github.com/bertrandmartel/pcapng-decoder)** by Bertrand Martel (MIT License) - Pure Java pcapng file parser
+
+## References
+
+Based on the [GCNet](https://github.com/frihet/GCNet) library by Gabriel F. (Frihet Dev), licensed under AGPL-3.0.
+
+Protocol documentation:
+- [The Security Layer](../GCNet/docs/en/The%20Security%20Layer.md)
+- [The Cryptography](../GCNet/docs/en/The%20Cryptography.md)
+- [The Payload Layer](../GCNet/docs/en/The%20Payload%20Layer.md)
+- [The Security Protocol Setup](../GCNet/docs/en/The%20Security%20Protocol%20Setup.md)
+
+## License
+
+This project is provided as-is for educational and analysis purposes.
--- a/docs/ADDING_PACKET_PARSERS.md
+++ b/docs/ADDING_PACKET_PARSERS.md
@ -0,0 +1,213 @@
+# Adding New Packet Parsers
+
+This guide explains how to implement parsers for new GCNet packet types.
+
+## Architecture Overview
+
+The packet parsing system uses several design patterns:
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                      GCNetPacketProcessor                        │
+│  ┌─────────────────────────────────────────────────────────────┐│
+│  │                PacketParserFactory (Factory)                 ││
+│  │  ┌────────────┐ ┌────────────┐ ┌──────────────────────────┐ ││
+│  │  │ PingParser │ │ PongParser │ │ VerifyAccountRequestParser│ ││
+│  │  └────────────┘ └────────────┘ └──────────────────────────┘ ││
+│  │                     Strategy Pattern                         ││
+│  └─────────────────────────────────────────────────────────────┘│
+└─────────────────────────────────────────────────────────────────┘
+                              │
+                              ▼
+┌─────────────────────────────────────────────────────────────────┐
+│                       PacketContext                              │
+│  • decrypted payload bytes                                       │
+│  • TCP segment (src/dst IP:port)                                 │
+│  • server port for direction detection                           │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+### Design Patterns Used
+
+| Pattern | Class | Purpose |
+|---------|-------|---------|
+| **Strategy** | `PacketParser` interface | Each opcode has its own parsing strategy |
+| **Factory** | `PacketParserFactory` | Creates the correct parser for each opcode |
+| **Context** | `PacketContext` | Immutable context with payload + connection metadata |
+| **Registry** | `GCNetOpcode` enum | Maps opcode numbers to metadata and direction hints |
+| **Null Object** | `GenericPayloadParser` | Fallback for unimplemented opcodes |
+
+## Step-by-Step: Adding a New Parser
+
+### 1. Define the Opcode
+
+Add the opcode to `GCNetOpcode.java`:
+
+```java
+// In packets.com.gcpp.GCNetOpcode
+
+/**
+ * Example: Player join request.
+ * Structure: Player name (string), Character class (int), Level (short)
+ */
+ENU_PLAYER_JOIN_REQ(50, "ENU_PLAYER_JOIN_REQ", 
+    "Player join request", Direction.CLIENT_TO_SERVER),
+```
+
+The `Direction` enum indicates expected traffic flow:
+- `CLIENT_TO_SERVER` — Sent from client **to** server port (dstPort == serverPort)
+- `SERVER_TO_CLIENT` — Sent from server **from** server port (srcPort == serverPort)
+- `BIDIRECTIONAL` — Valid both ways (e.g., PING/PONG)
+
+### 2. Create the Parser
+
+Create a new class in `packets/parsers/`:
+
+```java
+package com.gcnet.decryptor.packets.parsers;
+
+import packets.com.gcemu.gcpp.GCNetOpcode;
+import packets.com.gcemu.gcpp.PacketContext;
+import packets.com.gcemu.gcpp.PacketParser;
+
+import java.nio.ByteBuffer;
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+/**
+ * Parser for ENU_PLAYER_JOIN_REQ packets (opcode 50).
+ *
+ * <h3>Packet Structure:</h3>
+ * <table border="1">
+ *   <tr><th>Offset</th><th>Size</th><th>Type</th><th>Description</th></tr>
+ *   <tr><td>0</td><td>2</td><td>ushort (BE)</td><td>Opcode (50)</td></tr>
+ *   <tr><td>2</td><td>4</td><td>int (BE)</td><td>Content size</td></tr>
+ *   <tr><td>6</td><td>1</td><td>bool</td><td>Compression flag</td></tr>
+ *   <tr><td>7</td><td>4</td><td>int (LE)</td><td>Player name byte length</td></tr>
+ *   <tr><td>11</td><td>var</td><td>string (UTF-16LE)</td><td>Player name</td></tr>
+ *   <tr><td>var</td><td>4</td><td>int (LE)</td><td>Character class ID</td></tr>
+ *   <tr><td>var</td><td>2</td><td>short (LE)</td><td>Character level</td></tr>
+ * </table>
+ *
+ * <p>Direction: {@link GCNetOpcode.Direction#CLIENT_TO_SERVER}</p>
+ */
+@PacketParser.PacketParserFor(opcode = 50)
+public class PlayerJoinRequestParser implements PacketParser {
+
+    private static final int CONTENT_OFFSET = 7;
+
+    @Override
+    public ParseResult parse(PacketContext context) {
+        byte[] payload = context.decryptedPayload();
+
+        if (payload.length < CONTENT_OFFSET + 10) {
+            return ParseResult.empty(GCNetOpcode.ENU_PLAYER_JOIN_REQ, "Client → Server");
+        }
+
+        int offset = CONTENT_OFFSET;
+        Map<String, String> fields = new LinkedHashMap<>();
+
+        // Parse player name
+        ByteBuffer bb = ByteBuffer.wrap(payload, offset, 4)
+                .order(java.nio.ByteOrder.LITTLE_ENDIAN);
+        int nameLen = bb.getInt();
+        offset += 4;
+
+        if (offset + nameLen <= payload.length) {
+            String playerName = new String(payload, offset, nameLen, java.nio.charset.StandardCharsets.UTF_16LE);
+            fields.put("Player Name", playerName);
+            offset += nameLen;
+        }
+
+        // Parse character class
+        bb = ByteBuffer.wrap(payload, offset, 4)
+                .order(java.nio.ByteOrder.LITTLE_ENDIAN);
+        int charClass = bb.getInt();
+        fields.put("Character Class", String.valueOf(charClass));
+        offset += 4;
+
+        // Parse level
+        bb = ByteBuffer.wrap(payload, offset, 2)
+                .order(java.nio.ByteOrder.LITTLE_ENDIAN);
+        short level = bb.getShort();
+        fields.put("Level", String.valueOf(level));
+
+        return ParseResult.parsed(
+                GCNetOpcode.ENU_PLAYER_JOIN_REQ,
+                "Client → Server",
+                "ENU_PLAYER_JOIN_REQ { name: string_utf16_le, class_id: int32, level: int16 }",
+                fields,
+                formatContentHex(payload),
+                "player=\"" + fields.getOrDefault("Player Name", "?") + "\""
+        );
+    }
+
+    private String formatContentHex(byte[] data) {
+        var sb = new StringBuilder();
+        for (int i = 0; i < data.length; i++) {
+            if (i % 16 == 0 && i > 0) sb.append("\n");
+            sb.append(String.format("%02X ", data[i]));
+        }
+        return sb.toString().trim();
+    }
+}
+```
+
+### 3. Register the Parser
+
+Add registration in `PacketParserFactory.registerBuiltInParsers()`:
+
+```java
+private void registerBuiltInParsers() {
+    // ... existing registrations ...
+
+    // Player Management
+    registerParser(50, new PlayerJoinRequestParser());
+    registerParser(51, new PlayerJoinAckParser());
+}
+```
+
+### 4. Direction Detection
+
+The `PacketContext` automatically determines direction:
+
+```java
+public boolean isClientToServer() {
+    return segment.dstPort() == serverPort;  // Destination is the server
+}
+
+public boolean isServerToClient() {
+    return segment.srcPort() == serverPort;  // Source is the server
+}
+```
+
+For a server on port 9501:
+- `10.0.1.10:51094 → 10.0.1.10:9501` → **Client → Server** (dstPort == 9501)
+- `10.0.1.10:9501 → 10.0.1.10:51094` → **Server → Client** (srcPort == 9501)
+
+## File Structure
+
+```
+src/main/java/com/gcnet/decryptor/packets/
+├── GCNetOpcode.java              ← Opcode registry (add new opcodes here)
+├── PacketContext.java            ← Immutable context object
+├── PacketParser.java             ← Strategy interface + annotation
+├── PacketParserFactory.java      ← Factory (register new parsers here)
+└── parsers/
+    ├── GenericPayloadParser.java ← Fallback for unknown opcodes
+    ├── KeyExchangeParser.java    ← Opcode 1
+    ├── PingParser.java           ← Opcode 39
+    ├── PongParser.java           ← Opcode 40
+    ├── VerifyAccountRequestParser.java ← Opcode 34
+    └── VerifyAccountAckParser.java     ← Opcode 35
+```
+
+## Testing
+
+Run the decryptor with your capture file:
+
+```bash
+java -jar target/gcnet-decryptor-1.0.0-jar-with-dependencies.jar capture.pcapng 9501
+```
+
+New parsers will automatically be invoked for their registered opcodes, producing structured field output instead of raw hex dumps.
--- a/pom.xml
+++ b/pom.xml
@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.gcemu</groupId>
+    <artifactId>gcpp</artifactId>
+    <version>1.0.0</version>
+    <packaging>jar</packaging>
+
+    <properties>
+        <maven.compiler.source>25</maven.compiler.source>
+        <maven.compiler.target>25</maven.compiler.target>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.projectlombok</groupId>
+            <artifactId>lombok</artifactId>
+            <version>1.18.44</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>fr.bmartel</groupId>
+            <artifactId>pcapngdecoder</artifactId>
+            <version>1.2</version>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <annotationProcessorPaths>
+                        <path>
+                            <groupId>org.projectlombok</groupId>
+                            <artifactId>lombok</artifactId>
+                            <version>1.18.44</version>
+                        </path>
+                    </annotationProcessorPaths>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-jar-plugin</artifactId>
+                <version>3.3.0</version>
+                <configuration>
+                    <archive>
+                        <manifest>
+                            <mainClass>com.gcemu.gcpp.GCPacketParser</mainClass>
+                        </manifest>
+                    </archive>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-assembly-plugin</artifactId>
+                <version>3.6.0</version>
+                <configuration>
+                    <archive>
+                        <manifest>
+                            <mainClass>com.gcemu.gcpp.GCPacketParser</mainClass>
+                        </manifest>
+                    </archive>
+                    <descriptorRefs>
+                        <descriptorRef>jar-with-dependencies</descriptorRef>
+                    </descriptorRefs>
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>make-assembly</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>single</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+</project>
--- a/src/main/java/com/gcemu/gcpp/CliArguments.java
+++ b/src/main/java/com/gcemu/gcpp/CliArguments.java
@ -0,0 +1,37 @@
+package com.gcemu.gcpp;
+
+import lombok.Getter;
+
+import java.io.File;
+
+@Getter
+public class CliArguments {
+    private static final int DEFAULT_PORT = 9501;
+
+    private final File pcapngFile;
+    private final int targetPort;
+
+    public CliArguments(String[] args) {
+        if (args.length < 1) {
+            printUsage();
+            System.exit(1);
+        }
+
+        this.pcapngFile = new File(args[0]);
+        this.targetPort = args.length > 1 ? Integer.parseInt(args[1]) : DEFAULT_PORT;
+    }
+
+    public void validate() {
+        if (!pcapngFile.exists() || !pcapngFile.isFile()) {
+            System.err.println("Error: File not found or not accessible: " + pcapngFile.getPath());
+            System.exit(1);
+        }
+    }
+
+    private void printUsage() {
+        System.out.println("Usage: java -jar gcnet-decryptor.jar <pcapng-file> [port]");
+        System.out.println("  <pcapng-file>: Path to the pcapng capture file");
+        System.out.println("  [port]: TCP port to filter on (default: " + DEFAULT_PORT + ")");
+        System.exit(1);
+    }
+}
--- a/src/main/java/com/gcemu/gcpp/GCPacketParser.java
+++ b/src/main/java/com/gcemu/gcpp/GCPacketParser.java
@ -0,0 +1,86 @@
+package com.gcemu.gcpp;
+
+import com.gcemu.gcpp.pcapng.TcpPacketParser;
+
+public class GCPacketParser {
+    private final PacketExtractor extractor = new PacketExtractor();
+    private final OutputFormatter formatter = new OutputFormatter();
+
+    private final CliArguments cliArgs;
+    private final PacketProcessor processor;
+
+    public GCPacketParser(String[] args) {
+        this.cliArgs = new CliArguments(args);
+        this.processor = new PacketProcessor(cliArgs.getTargetPort());
+    }
+
+    public void run() {
+        cliArgs.validate();
+
+        formatter.printHeader(cliArgs.getPcapngFile().getName(), cliArgs.getTargetPort());
+
+        try {
+            var extractionResult = extractor.extract(cliArgs.getPcapngFile(), cliArgs.getTargetPort());
+            formatter.printParsingPhase(extractionResult.totalCaptured());
+            formatter.printExtractionPhase(extractionResult.tcpSegmentsFound(), extractionResult.filteredSegments().size());
+
+            if (extractionResult.filteredSegments().isEmpty()) {
+                formatter.printNoSegmentsFound();
+                return;
+            }
+
+            formatter.printDecryptionPhase();
+            processPackets(extractionResult.filteredSegments());
+
+        } catch (Exception e) {
+            System.err.println("Error processing file: " + e.getMessage());
+            System.exit(1);
+        }
+    }
+
+    private void processPackets(java.util.List<TcpPacketParser.TcpSegment> segments) {
+        var packetCount = 0;
+        var decryptedCount = 0;
+        var failedCount = 0;
+
+        for (TcpPacketParser.TcpSegment segment : segments) {
+            packetCount++;
+            formatter.printPacketHeader(packetCount, segment, segment.payload().length);
+
+            var result = processor.process(segment);
+
+            if (result.isTooSmall()) {
+                formatter.printSkippedPacket();
+                continue;
+            }
+
+            if (!result.isSuccess()) {
+                formatter.printDecryptionError(result.errorMessage());
+                failedCount++;
+                System.out.println();
+                continue;
+            }
+
+            formatter.printDecryptionResult(result.decryptionResult());
+
+            if (result.isKeyExchangeDetected()) {
+                formatter.printKeyExchangeDetected();
+                if (processor.isKeyExchangeProcessed()) {
+                    formatter.printKeyExchangeSuccess();
+                } else {
+                    formatter.printKeyExchangeFailure();
+                }
+            }
+
+            formatter.printParsedPacket(result.parseResult());
+            decryptedCount++;
+            System.out.println();
+        }
+
+        formatter.printSummary(packetCount, decryptedCount, failedCount, processor.isKeyExchangeProcessed());
+    }
+
+    static void main(String[] args) {
+        new GCPacketParser(args).run();
+    }
+}
--- a/src/main/java/com/gcemu/gcpp/OutputFormatter.java
+++ b/src/main/java/com/gcemu/gcpp/OutputFormatter.java
@ -0,0 +1,148 @@
+package com.gcemu.gcpp;
+
+import com.gcemu.gcpp.packets.PacketParser;
+import com.gcemu.gcpp.pcapng.TcpPacketParser;
+import com.gcemu.gcpp.security.SecurityAssociation;
+
+/**
+ * Handles formatted console output for the parser.
+ */
+public class OutputFormatter {
+    public void printHeader(String fileName, int targetPort) {
+        System.out.println("========================================");
+        System.out.println("GCEmu Packet Parser");
+        System.out.println("========================================");
+        System.out.println("Input file: " + fileName);
+        System.out.println("Target port: " + targetPort);
+        System.out.println();
+    }
+
+    public void printParsingPhase(int totalPackets) {
+        System.out.println("[1/4] Parsing pcapng file...");
+        System.out.println("  Total packets captured: " + totalPackets);
+    }
+
+    public void printExtractionPhase(int tcpFound, int filteredCount) {
+        System.out.println("[2/4] Extracting TCP segments...");
+        System.out.println("  TCP segments found: " + tcpFound);
+        System.out.println("  Segments on target port: " + filteredCount);
+        System.out.println();
+    }
+
+    public void printNoSegmentsFound() {
+        System.out.println("No TCP segments found on target port");
+    }
+
+    public void printDecryptionPhase() {
+        System.out.println("[3/4] Parsing packets...");
+        System.out.println("========================================");
+        System.out.println();
+    }
+
+    public void printPacketHeader(int packetNum, TcpPacketParser.TcpSegment segment, int payloadSize) {
+        System.out.println("────────────────────────────────────");
+        System.out.println("Packet #" + packetNum);
+        System.out.println("────────────────────────────────────");
+        System.out.println(segment);
+        System.out.println("TCP Payload Size: " + payloadSize + " bytes");
+    }
+
+    public void printSkippedPacket() {
+        System.out.println("  [SKIP] Too small to be a GCNet packet");
+        System.out.println();
+    }
+
+    public void printDecryptionResult(SecurityAssociation.DecryptionResult result) {
+        System.out.println("  SPI: 0x" + String.format("%04X", result.spi()));
+        System.out.println("  IV: " + bytesToHex(result.iv()));
+        System.out.println("  ICV Valid: " + result.icvValid());
+        System.out.println("  Decrypted Payload Size: " + result.decryptedPayload().length + " bytes");
+    }
+
+    public void printKeyExchangeDetected() {
+        System.out.println();
+        System.out.println("  *** KEY EXCHANGE PACKET DETECTED (Opcode 1) ***");
+        System.out.println("  Extracting session keys for subsequent packets...");
+        System.out.println();
+    }
+
+    public void printKeyExchangeSuccess() {
+        System.out.println("  [OK] Session keys extracted - all following packets will use these");
+    }
+
+    public void printKeyExchangeFailure() {
+        System.out.println("  [WARN] Failed to parse key exchange, using default keys");
+    }
+
+    public void printParsedPacket(PacketParser.ParseResult parseResult) {
+        System.out.println();
+        System.out.println("  ┌─────────────────────────────────────────────────");
+        System.out.println("  │ Packet: " + parseResult.opcodeName());
+        System.out.println("  │ Opcode: 0x" + String.format("%04X", parseResult.opcode().getOpcode()) +
+                          " (" + parseResult.opcode().getOpcode() + ")");
+        System.out.println("  │ Direction: " + parseResult.direction());
+        System.out.println("  │ Structure: " + parseResult.structure());
+        System.out.println("  ├─────────────────────────────────────────────────");
+
+        if (!parseResult.fields().isEmpty()) {
+            System.out.println("  │ Fields:");
+            for (var entry : parseResult.fields().entrySet()) {
+                var value = entry.getValue();
+
+                // Truncate long values like hex strings
+                if (value.length() > 64) {
+                    value = value.substring(0, 60) + "...";
+                }
+
+                System.out.println("  │   " + entry.getKey() + ": " + value);
+            }
+        }
+
+        if (!parseResult.readableText().isEmpty()) {
+            System.out.println("  ├─────────────────────────────────────────────────");
+            System.out.println("  │ Extracted: " + parseResult.readableText());
+        }
+
+        if (!parseResult.rawHex().isEmpty()) {
+            System.out.println("  ├─────────────────────────────────────────────────");
+            System.out.println("  │ Raw Hex:");
+
+            var lines = parseResult.rawHex().split("\n");
+            for (var line : lines) {
+                System.out.println("  │   " + line);
+            }
+        }
+
+        System.out.println("  └─────────────────────────────────────────────────");
+    }
+
+    public void printDecryptionError(String error) {
+        System.out.println("  [ERROR] Parsing failed: " + error);
+    }
+
+    public void printSummary(int total, int decrypted, int failed, boolean keyExchangeProcessed) {
+        System.out.println("========================================");
+        System.out.println("[4/4] Summary");
+        System.out.println("========================================");
+        System.out.println("Total packets processed: " + total);
+        System.out.println("Successfully parsed: " + decrypted);
+        System.out.println("Failed: " + failed);
+        System.out.println("Key exchange processed: " + keyExchangeProcessed);
+        System.out.println("========================================");
+    }
+
+    public String bytesToHex(byte[] bytes) {
+        return bytesToHex(bytes, bytes.length);
+    }
+
+    public String bytesToHex(byte[] bytes, int length) {
+        var sb = new StringBuilder();
+        var end = Math.min(length, bytes.length);
+
+        for (var i = 0; i < end; i++) {
+            sb.append(String.format("%02X ", bytes[i]));
+        }
+
+        return sb.toString().trim();
+    }
+}
--- a/src/main/java/com/gcemu/gcpp/PacketExtractor.java
+++ b/src/main/java/com/gcemu/gcpp/PacketExtractor.java
@ -0,0 +1,43 @@
+package com.gcemu.gcpp;
+
+import com.gcemu.gcpp.pcapng.PcapngParser;
+import com.gcemu.gcpp.pcapng.TcpPacketParser;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Objects;
+import java.util.stream.Collectors;
+
+/**
+ * Extracts TCP segments from pcapng files filtered by port.
+ */
+public class PacketExtractor {
+    private final PcapngParser pcapngParser = new PcapngParser();
+    private final TcpPacketParser tcpParser = new TcpPacketParser();
+
+    public ExtractionResult extract(File file, int targetPort) throws Exception {
+        var rawPackets = pcapngParser.parseFile(file);
+
+        var packetsByLinkLayer = rawPackets.stream()
+            .collect(Collectors.groupingBy(PcapngParser.Packet::linkLayerType));
+
+        List<TcpPacketParser.TcpSegment> allTcpSegments = new ArrayList<>();
+        for (var entry : packetsByLinkLayer.entrySet()) {
+            var packets = entry.getValue();
+            var segments = packets.stream()
+                .map(packet -> tcpParser.parsePacket(packet.packetData()))
+                .filter(Objects::nonNull)
+                .toList();
+            allTcpSegments.addAll(segments);
+        }
+
+        var filteredSegments = TcpPacketParser.filterByPort(allTcpSegments, targetPort);
+
+        return new ExtractionResult(rawPackets.size(), allTcpSegments.size(), filteredSegments);
+    }
+
+    public record ExtractionResult(int totalCaptured, int tcpSegmentsFound, 
+                                   List<TcpPacketParser.TcpSegment> filteredSegments) {
+    }
+}
--- a/src/main/java/com/gcemu/gcpp/PacketProcessor.java
+++ b/src/main/java/com/gcemu/gcpp/PacketProcessor.java
@ -0,0 +1,80 @@
+package com.gcemu.gcpp;
+
+import com.gcemu.gcpp.packets.PacketContext;
+import com.gcemu.gcpp.packets.PacketParser;
+import com.gcemu.gcpp.packets.PacketParserFactory;
+import com.gcemu.gcpp.pcapng.TcpPacketParser;
+import com.gcemu.gcpp.security.SecurityAssociation;
+import lombok.Getter;
+import lombok.RequiredArgsConstructor;
+
+import static java.util.Objects.nonNull;
+
+@RequiredArgsConstructor
+public class PacketProcessor {
+    private static final int MIN_GCNET_PACKET_SIZE = 28;
+
+    private final PacketParserFactory parserFactory = new PacketParserFactory();
+
+    private SecurityAssociation securityAssociation = new SecurityAssociation();
+    private final int serverPort;
+
+    @Getter
+    private boolean keyExchangeProcessed = false;
+
+    public ProcessingResult process(TcpPacketParser.TcpSegment segment) {
+        var tcpPayload = segment.payload();
+
+        if (tcpPayload.length < MIN_GCNET_PACKET_SIZE) {
+            return ProcessingResult.tooSmall();
+        }
+
+        try {
+            var result = securityAssociation.decryptPacket(tcpPayload);
+            var newKeyExchangeDetected = false;
+
+            // Check for key exchange packet (only process once)
+            if (!keyExchangeProcessed && SecurityAssociation.isInitialKeyExchange(result.decryptedPayload())) {
+                var newAssociation = SecurityAssociation.parseInitialKeyExchange(result.decryptedPayload());
+
+                if (nonNull(newAssociation)) {
+                    securityAssociation = newAssociation;
+                    keyExchangeProcessed = true;
+                    newKeyExchangeDetected = true;
+                }
+            }
+
+            // Create context and parse with appropriate parser
+            var context = new PacketContext(result.decryptedPayload(), segment, serverPort);
+            var opcode = context.getOpcode();
+            var parser = parserFactory.getParser(opcode.getOpcode());
+            var parseResult = parser.parse(context);
+
+            return ProcessingResult.success(result, parseResult, newKeyExchangeDetected);
+        } catch (Exception e) {
+            return ProcessingResult.error(e.getMessage());
+        }
+    }
+
+    public record ProcessingResult(
+        boolean isSuccess,
+        boolean isTooSmall,
+        boolean isKeyExchangeDetected,
+        SecurityAssociation.DecryptionResult decryptionResult,
+        PacketParser.ParseResult parseResult,
+        String errorMessage
+    ) {
+        public static ProcessingResult tooSmall() {
+            return new ProcessingResult(false, true, false, null, null, null);
+        }
+
+        public static ProcessingResult success(SecurityAssociation.DecryptionResult decryption,
+                                               PacketParser.ParseResult parseResult, boolean keyExchangeDetected) {
+            return new ProcessingResult(true, false, keyExchangeDetected, decryption, parseResult, null);
+        }
+
+        public static ProcessingResult error(String message) {
+            return new ProcessingResult(false, false, false, null, null, message);
+        }
+    }
+}
--- a/src/main/java/com/gcemu/gcpp/packets/Opcode.java
+++ b/src/main/java/com/gcemu/gcpp/packets/Opcode.java
@ -0,0 +1,38 @@
+package com.gcemu.gcpp.packets;
+
+import lombok.AccessLevel;
+import lombok.Getter;
+import lombok.RequiredArgsConstructor;
+
+import java.util.HashMap;
+import java.util.Map;
+
+@Getter
+@RequiredArgsConstructor
+public enum Opcode {
+    KEY_EXCHANGE(1, "KEY_EXCHANGE", "Initial security key exchange", Direction.SERVER_TO_CLIENT),
+
+    UNKNOWN(-1, "UNKNOWN", "Unknown opcode", Direction.BIDIRECTIONAL);
+
+    private final int opcode;
+    private final String name;
+    private final String description;
+    private final Direction direction;
+
+    private static final Map<Integer, Opcode> OPCODE_MAP = new HashMap<>();
+
+    static {
+        for (var opcode : values()) {
+            OPCODE_MAP.put(opcode.opcode, opcode);
+        }
+    }
+
+    public static Opcode valueOf(int opcode) {
+        return OPCODE_MAP.getOrDefault(opcode, UNKNOWN);
+    }
+    public enum Direction {
+        CLIENT_TO_SERVER,
+        SERVER_TO_CLIENT,
+        BIDIRECTIONAL
+    }
+}
--- a/src/main/java/com/gcemu/gcpp/packets/PacketContext.java
+++ b/src/main/java/com/gcemu/gcpp/packets/PacketContext.java
@ -0,0 +1,38 @@
+package com.gcemu.gcpp.packets;
+
+import com.gcemu.gcpp.pcapng.TcpPacketParser;
+
+public record PacketContext(
+        byte[] decryptedPayload,
+
+        TcpPacketParser.TcpSegment segment,
+
+        int serverPort
+) {
+    public boolean isClientToServer() {
+        return segment.dstPort() == serverPort;
+    }
+
+    public boolean isServerToClient() {
+        return segment.srcPort() == serverPort;
+    }
+
+    public Opcode getOpcode() {
+        if (decryptedPayload.length < 2) {
+            return Opcode.UNKNOWN;
+        }
+
+        var opcode = ((decryptedPayload[0] & 0xFF) << 8) | (decryptedPayload[1] & 0xFF);
+        return Opcode.valueOf(opcode);
+    }
+
+    @Override
+    public String toString() {
+        return String.format("%s [%d bytes] %s:%d -> %s:%d",
+            getOpcode().getName(),
+            decryptedPayload.length,
+            segment.srcIp(), segment.srcPort(),
+            segment.dstIp(), segment.dstPort()
+        );
+    }
+}
--- a/src/main/java/com/gcemu/gcpp/packets/PacketParser.java
+++ b/src/main/java/com/gcemu/gcpp/packets/PacketParser.java
@ -0,0 +1,46 @@
+package com.gcemu.gcpp.packets;
+
+import java.util.Collections;
+import java.util.Map;
+
+public interface PacketParser {
+    ParseResult parse(PacketContext context);
+
+    record ParseResult(
+        Opcode opcode,
+        String opcodeName,
+        String direction,
+        String structure,
+        Map<String, String> fields,
+        String rawHex,
+        String readableText
+    ) {
+
+        public static ParseResult empty(Opcode opcode, String direction) {
+            return new ParseResult(
+                opcode,
+                opcode.getName(),
+                direction,
+                "<unparsed>",
+                Collections.emptyMap(),
+                "",
+                ""
+            );
+        }
+
+        public static ParseResult parsed(Opcode opcode, String direction,
+                                         String structure, Map<String, String> fields,
+                                         String rawHex, String readableText) {
+            return new ParseResult(
+                opcode, opcode.getName(), direction, structure,
+                fields, rawHex, readableText
+            );
+        }
+    }
+
+    @java.lang.annotation.Target(java.lang.annotation.ElementType.TYPE)
+    @java.lang.annotation.Retention(java.lang.annotation.RetentionPolicy.RUNTIME)
+    @interface PacketParserFor {
+        int opcode();
+    }
+}
--- a/src/main/java/com/gcemu/gcpp/packets/PacketParserFactory.java
+++ b/src/main/java/com/gcemu/gcpp/packets/PacketParserFactory.java
@ -0,0 +1,28 @@
+package com.gcemu.gcpp.packets;
+
+import com.gcemu.gcpp.packets.parsers.*;
+
+import java.util.HashMap;
+import java.util.Map;
+
+public class PacketParserFactory {
+    private final Map<Integer, PacketParser> parsers = new HashMap<>();
+    private final PacketParser defaultParser = new GenericPayloadParser();
+
+    public PacketParserFactory() {
+        registerBuiltInParsers();
+    }
+
+    public PacketParser getParser(int opcode) {
+        return parsers.getOrDefault(opcode, defaultParser);
+    }
+
+    public void registerParser(int opcode, PacketParser parser) {
+        parsers.put(opcode, parser);
+    }
+
+    private void registerBuiltInParsers() {
+        // Security Protocol
+        registerParser(1, new KeyExchangeParser());
+    }
+}
--- a/src/main/java/com/gcemu/gcpp/packets/parsers/GenericPayloadParser.java
+++ b/src/main/java/com/gcemu/gcpp/packets/parsers/GenericPayloadParser.java
@ -0,0 +1,38 @@
+package com.gcemu.gcpp.packets.parsers;
+
+import com.gcemu.gcpp.packets.PacketContext;
+import com.gcemu.gcpp.packets.PacketParser;
+import com.gcemu.gcpp.packets.PacketParserFactory;
+
+/**
+ * Generic fallback parser for unrecognized or unimplemented opcodes.
+ *
+ * <p>This parser provides a basic hex dump and string extraction for any
+ * packet, even if no specific parser is registered for its opcode. It
+ * follows the <strong>Null Object Pattern</strong>, providing sensible
+ * defaults instead of null or error states.</p>
+ *
+ * <p>When adding support for a new opcode, replace this parser in
+ * {@link PacketParserFactory} with a specific implementation.</p>
+ */
+public class GenericPayloadParser implements PacketParser {
+    @Override
+    public ParseResult parse(PacketContext context) {
+        var opcode = context.getOpcode();
+        var direction = resolveDirection(context);
+
+        return ParseResult.empty(opcode, direction);
+    }
+
+    private String resolveDirection(PacketContext context) {
+        if (context.isClientToServer()) {
+            return "Client → Server";
+        }
+
+        if (context.isServerToClient()) {
+            return "Server → Client";
+        }
+
+        return "Unknown";
+    }
+}
--- a/src/main/java/com/gcemu/gcpp/packets/parsers/KeyExchangeParser.java
+++ b/src/main/java/com/gcemu/gcpp/packets/parsers/KeyExchangeParser.java
@ -0,0 +1,141 @@
+package com.gcemu.gcpp.packets.parsers;
+
+import com.gcemu.gcpp.packets.Opcode;
+import com.gcemu.gcpp.packets.PacketContext;
+import com.gcemu.gcpp.packets.PacketParser;
+
+import java.nio.ByteBuffer;
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+/**
+ * Parser for KEY_EXCHANGE packets (opcode 1).
+ *
+ * <h3>Packet Structure:</h3>
+ * <table border="1">
+ *   <tr><th>Offset</th><th>Size</th><th>Type</th><th>Description</th></tr>
+ *   <tr><td>0</td><td>2</td><td>ushort (BE)</td><td>Opcode (1)</td></tr>
+ *   <tr><td>2</td><td>4</td><td>int (BE)</td><td>Content size (38)</td></tr>
+ *   <tr><td>6</td><td>1</td><td>bool</td><td>Compression flag (false)</td></tr>
+ *   <tr><td>7</td><td>2</td><td>ushort (BE)</td><td>New SPI for session</td></tr>
+ *   <tr><td>9</td><td>4</td><td>int (BE)</td><td>Auth key length</td></tr>
+ *   <tr><td>13</td><td>var</td><td>byte[]</td><td>Authentication key</td></tr>
+ *   <tr><td>var</td><td>4</td><td>int (BE)</td><td>Crypto key length</td></tr>
+ *   <tr><td>var</td><td>var</td><td>byte[]</td><td>Encryption key</td></tr>
+ *   <tr><td>var</td><td>4</td><td>int (BE)</td><td>Sequence number (initial)</td></tr>
+ *   <tr><td>var</td><td>4</td><td>int (BE)</td><td>Last sequence number</td></tr>
+ *   <tr><td>var</td><td>4</td><td>int (BE)</td><td>Replay window mask</td></tr>
+ * </table>
+ *
+ * <p>This is the first packet in every session, sent by the server using
+ * default encryption keys. It establishes the session-specific SPI,
+ * authentication key, and encryption key for all subsequent packets.</p>
+ *
+ * <p>Direction: {@link Opcode.Direction#SERVER_TO_CLIENT}</p>
+ */
+@PacketParser.PacketParserFor(opcode = 1)
+public class KeyExchangeParser implements PacketParser {
+    private static final int CONTENT_OFFSET = 7;
+
+    @Override
+    public ParseResult parse(PacketContext context) {
+        var payload = context.decryptedPayload();
+        var direction = "Server → Client";
+
+        if (payload.length < CONTENT_OFFSET + 38) {
+            return ParseResult.empty(Opcode.KEY_EXCHANGE, direction);
+        }
+
+        try {
+            var content = parseContent(payload);
+            return ParseResult.parsed(
+                Opcode.KEY_EXCHANGE,
+                direction,
+                "KEY_EXCHANGE { spi: ushort, auth_key: bytes, crypto_key: bytes, seq_num: uint, last_seq: uint, replay_mask: uint }",
+                content.fields(),
+                formatContentHex(payload),
+                content.readableText()
+            );
+        } catch (Exception e) {
+            return ParseResult.empty(Opcode.KEY_EXCHANGE, direction);
+        }
+    }
+
+    private record ParsedContent(Map<String, String> fields, String readableText) {}
+
+    private ParsedContent parseContent(byte[] payload) {
+        Map<String, String> fields = new LinkedHashMap<>();
+        var readable = new StringBuilder();
+        var offset = CONTENT_OFFSET;
+
+        // Parse SPI
+        var bb = ByteBuffer.wrap(payload, offset, 2)
+            .order(java.nio.ByteOrder.BIG_ENDIAN);
+        var spi = bb.getShort();
+        offset += 2;
+        fields.put("SPI", String.format("0x%04X", spi));
+
+        // Parse auth key (with length prefix)
+        bb = ByteBuffer.wrap(payload, offset, 4).order(java.nio.ByteOrder.BIG_ENDIAN);
+        var authKeyLen = bb.getInt();
+        offset += 4;
+
+        if (offset + authKeyLen <= payload.length) {
+            var authKey = new byte[authKeyLen];
+            System.arraycopy(payload, offset, authKey, 0, authKeyLen);
+            fields.put("Auth Key", bytesToHex(authKey));
+            offset += authKeyLen;
+        }
+
+        // Parse crypto key (with length prefix)
+        bb = ByteBuffer.wrap(payload, offset, 4).order(java.nio.ByteOrder.BIG_ENDIAN);
+        var cryptoKeyLen = bb.getInt();
+        offset += 4;
+
+        if (offset + cryptoKeyLen <= payload.length) {
+            var cryptoKey = new byte[cryptoKeyLen];
+            System.arraycopy(payload, offset, cryptoKey, 0, cryptoKeyLen);
+            fields.put("Crypto Key", bytesToHex(cryptoKey));
+            offset += cryptoKeyLen;
+        }
+
+        // Parse sequence numbers
+        if (offset + 12 <= payload.length) {
+            bb = ByteBuffer.wrap(payload, offset, 12).order(java.nio.ByteOrder.BIG_ENDIAN);
+            var seqNum = bb.getInt();
+            var lastSeq = bb.getInt();
+            var replayMask = bb.getInt();
+
+            fields.put("Seq Num", String.valueOf(seqNum));
+            fields.put("Last Seq Num", String.valueOf(lastSeq));
+            fields.put("Replay Window Mask", String.format("0x%08X", replayMask));
+        }
+
+        readable.append("spi=0x").append(String.format("%04X", spi));
+        return new ParsedContent(fields, readable.toString());
+    }
+
+    private String bytesToHex(byte[] bytes) {
+        var sb = new StringBuilder();
+
+        for (var b : bytes) {
+            sb.append(String.format("%02X", b));
+        }
+
+        return sb.toString();
+    }
+
+    private String formatContentHex(byte[] data) {
+        var sb = new StringBuilder();
+
+        for (var i = 0; i < data.length; i++) {
+            if (i % 16 == 0 && i > 0) {
+                sb.append("\n");
+            }
+
+            sb.append(String.format("%02X ", data[i]));
+        }
+
+        return sb.toString().trim();
+    }
+}
--- a/src/main/java/com/gcemu/gcpp/pcapng/PcapngParser.java
+++ b/src/main/java/com/gcemu/gcpp/pcapng/PcapngParser.java
@ -0,0 +1,37 @@
+package com.gcemu.gcpp.pcapng;
+
+import fr.bmartel.pcapdecoder.PcapDecoder;
+import fr.bmartel.pcapdecoder.structure.types.IPcapngType;
+import fr.bmartel.pcapdecoder.structure.types.inter.IEnhancedPacketBLock;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
+
+public class PcapngParser {
+    public static final int LINK_TYPE_ETHERNET = 1;
+
+    public List<Packet> parseFile(File file) throws Exception {
+        List<Packet> packets = new ArrayList<>();
+        
+        var decoder = new PcapDecoder(file.getAbsolutePath());
+        decoder.decode();
+        
+        var sectionList = decoder.getSectionList();
+
+        for (IPcapngType block : sectionList) {
+            if (block instanceof IEnhancedPacketBLock epb) {
+                var data = epb.getPacketData();
+                packets.add(new Packet(
+                    data,
+                        LINK_TYPE_ETHERNET
+                ));
+            }
+        }
+        
+        return packets;
+    }
+
+    public record Packet(byte[] packetData, int linkLayerType) {
+    }
+}
--- a/src/main/java/com/gcemu/gcpp/pcapng/TcpPacketParser.java
+++ b/src/main/java/com/gcemu/gcpp/pcapng/TcpPacketParser.java
@ -0,0 +1,173 @@
+package com.gcemu.gcpp.pcapng;
+
+import java.nio.ByteBuffer;
+import java.nio.ByteOrder;
+import java.util.ArrayList;
+import java.util.List;
+
+import static java.util.Objects.isNull;
+
+public class TcpPacketParser {
+    private static final int ETHERNET_HEADER_SIZE = 14;
+    private static final short ETHERNET_TYPE_IPV4 = 0x0800;
+    private static final byte IP_PROTOCOL_TCP = 6;
+
+    public TcpSegment parsePacket(byte[] packetData) {
+        int ipOffset;
+        
+        // Auto-detect packet format by examining the data
+        // This handles cases where the pcapng library reports wrong link type
+        ipOffset = detectIpOffset(packetData);
+        
+        if (ipOffset < 0) {
+            return null; // Failed to parse
+        }
+        
+        return parseIPv4AndTCP(packetData, ipOffset);
+    }
+    
+    /**
+     * Auto-detect where the IP header starts in the packet data.
+     * Handles various link layer types and raw captures.
+     */
+    private int detectIpOffset(byte[] packetData) {
+        if (isNull(packetData) || packetData.length < 20) {
+            return -1;
+        }
+        
+        // Try to detect IPv4 header: first byte should be 0x45 (version 4, IHL 5)
+        for (var offset = 0; offset <= Math.min(40, packetData.length - 20); offset++) {
+            var versionAndIhl = packetData[offset];
+            var version = (versionAndIhl >> 4) & 0x0F;
+            var ihl = versionAndIhl & 0x0F;
+            
+            if (version == 4 && ihl >= 5) {
+                // Looks like IPv4 header, verify protocol field is TCP
+                var headerLength = ihl * 4;
+                if (offset + headerLength + 13 <= packetData.length) {
+                    var protocol = packetData[offset + 9];
+                    if (protocol == IP_PROTOCOL_TCP) {
+                        return offset;
+                    }
+                }
+            }
+        }
+        
+        // Try standard Ethernet header
+        if (packetData.length >= ETHERNET_HEADER_SIZE + 20) {
+            var bb = ByteBuffer.wrap(packetData).order(ByteOrder.BIG_ENDIAN);
+            bb.position(12);
+            var etherType = bb.getShort();
+            
+            if (etherType == ETHERNET_TYPE_IPV4) {
+                return ETHERNET_HEADER_SIZE;
+            }
+        }
+        
+        // Try Linux SLL header (16 bytes)
+        if (packetData.length >= 16 + 20) {
+            var bb = ByteBuffer.wrap(packetData, 14, 2).order(ByteOrder.BIG_ENDIAN);
+            var protocolType = bb.getShort();
+            
+            if (protocolType == ETHERNET_TYPE_IPV4) {
+                return 16;
+            }
+        }
+        
+        return -1;
+    }
+
+    private TcpSegment parseIPv4AndTCP(byte[] packetData, int ipHeaderStart) {
+        if (packetData.length < ipHeaderStart + 20) {
+            System.err.println("  [DEBUG] IPv4: packet too small for IP header (" + packetData.length + " bytes, need " + (ipHeaderStart + 20) + ")");
+            return null;
+        }
+        
+        var ipBb = ByteBuffer.wrap(packetData, ipHeaderStart, packetData.length - ipHeaderStart)
+                                    .order(ByteOrder.BIG_ENDIAN);
+
+        var versionAndIhl = ipBb.get();
+        var ipHeaderLength = (versionAndIhl & 0x0F) * 4;
+        ipBb.get();                    // DSCP/ECN (TOS)
+        ipBb.getShort();
+        ipBb.getShort();               // Identification
+        ipBb.getShort();               // Flags + Fragment Offset
+        ipBb.get();                    // TTL
+        var protocol = ipBb.get();
+        ipBb.getShort();               // Header checksum
+        
+        var srcIp = ipBb.getInt();
+        var dstIp = ipBb.getInt();
+        
+        if (protocol != IP_PROTOCOL_TCP) {
+            return null; // Not TCP
+        }
+        
+        // Parse TCP header
+        var tcpHeaderStart = ipHeaderStart + ipHeaderLength;
+        if (packetData.length < tcpHeaderStart + 20) {
+            return null;
+        }
+        
+        var tcpBb = ByteBuffer.wrap(packetData, tcpHeaderStart, packetData.length - tcpHeaderStart)
+                                     .order(ByteOrder.BIG_ENDIAN);
+        
+        var srcPort = tcpBb.getShort() & 0xFFFF;
+        var dstPort = tcpBb.getShort() & 0xFFFF;
+        var seqNum = tcpBb.getInt();
+        tcpBb.getInt();
+
+        var dataOffsetAndFlags = tcpBb.get();
+        var tcpHeaderLength = ((dataOffsetAndFlags >> 4) & 0x0F) * 4;
+        
+        if (tcpHeaderLength < 20 || tcpHeaderStart + tcpHeaderLength > packetData.length) {
+            return null; // Invalid TCP header
+        }
+
+        var payloadStart = tcpHeaderStart + tcpHeaderLength;
+        var payloadLength = packetData.length - payloadStart;
+        
+        if (payloadLength <= 0) {
+            return null; // No payload
+        }
+        
+        var payload = new byte[payloadLength];
+        System.arraycopy(packetData, payloadStart, payload, 0, payloadLength);
+        
+        return new TcpSegment(
+            intToIp(srcIp),
+            srcPort,
+            intToIp(dstIp),
+            dstPort,
+            seqNum,
+            payload
+        );
+    }
+
+    public static List<TcpSegment> filterByPort(List<TcpSegment> segments, int targetPort) {
+        List<TcpSegment> filtered = new ArrayList<>();
+        for (var segment : segments) {
+            if (segment.srcPort() == targetPort || segment.dstPort() == targetPort) {
+                filtered.add(segment);
+            }
+        }
+
+        return filtered;
+    }
+    
+    private String intToIp(int ip) {
+        return String.format("%d.%d.%d.%d",
+            (ip >> 24) & 0xFF,
+            (ip >> 16) & 0xFF,
+            (ip >> 8) & 0xFF,
+            ip & 0xFF);
+    }
+
+    public record TcpSegment(String srcIp, int srcPort, String dstIp, int dstPort, int sequenceNumber, byte[] payload) {
+        @Override
+            public String toString() {
+                return String.format("%s:%d -> %s:%d [SEQ=%d] %d bytes",
+                        srcIp, srcPort, dstIp, dstPort, sequenceNumber, payload.length);
+            }
+        }
+}
--- a/src/main/java/com/gcemu/gcpp/security/SecurityAssociation.java
+++ b/src/main/java/com/gcemu/gcpp/security/SecurityAssociation.java
@ -0,0 +1,200 @@
+package com.gcemu.gcpp.security;
+
+import lombok.RequiredArgsConstructor;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.DESKeySpec;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.SecretKeyFactory;
+import java.nio.ByteBuffer;
+import java.nio.ByteOrder;
+import java.security.MessageDigest;
+import java.util.Arrays;
+
+@RequiredArgsConstructor
+public class SecurityAssociation {
+    private static final byte[] DEFAULT_CRYPTO_KEY = {
+        (byte) 0xC7, (byte) 0xD8, (byte) 0xC4, (byte) 0xBF,
+        (byte) 0xB5, (byte) 0xE9, (byte) 0xC0, (byte) 0xFD
+    };
+    private static final byte[] DEFAULT_AUTH_KEY = {
+        (byte) 0xC0, (byte) 0xD3, (byte) 0xBD, (byte) 0xC3,
+        (byte) 0xB7, (byte) 0xCE, (byte) 0xB8, (byte) 0xB8
+    };
+    
+    private final byte[] cryptoKey;
+    private final byte[] authKey;
+    private final short spi;
+    
+    /**
+     * Create a security association with default keys (for initial packet).
+     */
+    public SecurityAssociation() {
+        this(DEFAULT_CRYPTO_KEY, DEFAULT_AUTH_KEY, (short) 0);
+    }
+
+    public DecryptionResult decryptPacket(byte[] secureBuffer) {
+        return decryptPacket(secureBuffer, 0);
+    }
+
+    public DecryptionResult decryptPacket(byte[] secureBuffer, int startIndex) {
+        var length = readShort(secureBuffer, startIndex);
+        var spiIndex = startIndex + 2;
+        var ivIndex = startIndex + 8;
+        var payloadIndex = startIndex + 16;
+        var icvIndex = startIndex + length - 10;
+
+        var packetSpi = readShort(secureBuffer, spiIndex);
+        var iv = Arrays.copyOfRange(secureBuffer, ivIndex, ivIndex + 8);
+
+        var payloadLength = length - 16 - 10; // Total - header - ICV
+        var encryptedPayload = Arrays.copyOfRange(secureBuffer, payloadIndex, payloadIndex + payloadLength);
+
+        var storedIcv = Arrays.copyOfRange(secureBuffer, icvIndex, icvIndex + 10);
+
+        var authData = Arrays.copyOfRange(secureBuffer, spiIndex, icvIndex);
+        var icvValid = validateIcv(authData, storedIcv);
+
+        var decryptedPayload = decryptPayload(encryptedPayload, iv);
+        
+        return new DecryptionResult(packetSpi, iv, decryptedPayload, icvValid);
+    }
+
+    private boolean validateIcv(byte[] authData, byte[] storedIcv) {
+        try {
+            var calculatedIcv = calculateIcv(authData);
+            return Arrays.equals(calculatedIcv, storedIcv);
+        } catch (Exception e) {
+            System.err.println("ICV validation error: " + e.getMessage());
+            return false;
+        }
+    }
+
+    private byte[] calculateIcv(byte[] authData) {
+        try {
+            var md = MessageDigest.getInstance("MD5");
+
+            var key = new byte[64];
+            System.arraycopy(authKey, 0, key, 0, Math.min(authKey.length, 64));
+            
+            var ipad = new byte[64];
+            var opad = new byte[64];
+            
+            for (var i = 0; i < 64; i++) {
+                ipad[i] = (byte) (key[i] ^ 0x36);
+                opad[i] = (byte) (key[i] ^ 0x5C);
+            }
+
+            md.update(ipad);
+            var innerHash = md.digest(authData);
+
+            var md2 = MessageDigest.getInstance("MD5");
+            md2.update(opad);
+            var fullHmac = md2.digest(innerHash);
+
+            return Arrays.copyOf(fullHmac, 10);
+        } catch (Exception e) {
+            throw new RuntimeException("Failed to calculate ICV", e);
+        }
+    }
+
+    private byte[] decryptPayload(byte[] encryptedPayload, byte[] iv) {
+        try {
+            var keySpec = new DESKeySpec(cryptoKey);
+            var keyFactory = SecretKeyFactory.getInstance("DES");
+            var key = keyFactory.generateSecret(keySpec);
+            
+            var cipher = Cipher.getInstance("DES/CBC/NoPadding");
+            var ivSpec = new IvParameterSpec(iv);
+            cipher.init(Cipher.DECRYPT_MODE, key, ivSpec);
+            
+            var decrypted = cipher.doFinal(encryptedPayload);
+            
+            // Remove padding
+            var paddingLength = decrypted[decrypted.length - 1] + 1;
+            
+            if (paddingLength > 0 && paddingLength <= decrypted.length) {
+                return Arrays.copyOf(decrypted, decrypted.length - paddingLength);
+            }
+            
+            return decrypted;
+        } catch (Exception e) {
+            throw new RuntimeException("Failed to decrypt payload", e);
+        }
+    }
+    
+    private short readShort(byte[] buffer, int offset) {
+        // Little-endian
+        return (short) ((buffer[offset] & 0xFF) | ((buffer[offset + 1] & 0xFF) << 8));
+    }
+    
+    /**
+     * Parse the initial key exchange packet (opcode 1) to extract new security parameters.
+     * <p>
+     * Initial packet content structure (big-endian):
+     * - New SPI (2 bytes)
+     * - Authentication Key (8 bytes)
+     * - Encryption Key (8 bytes)
+     * - Sequence Number (4 bytes)
+     * - Last Sequence Number (4 bytes)
+     * - Replay Window Mask (4 bytes)
+     */
+    public static SecurityAssociation parseInitialKeyExchange(byte[] decryptedPayload) {
+        try {
+            // Payload header: opcode (2 bytes), content size (4 bytes), compression flag (1 byte)
+            int offset = 7;
+
+            // Parse content (big-endian)
+            var bb = ByteBuffer.wrap(decryptedPayload, offset, decryptedPayload.length - offset);
+            bb.order(ByteOrder.BIG_ENDIAN);
+
+            var newSpi = bb.getShort();
+
+            var authKeyLen = bb.getInt();
+            var newAuthKey = new byte[authKeyLen];
+            bb.get(newAuthKey);
+
+            var cryptoKeyLen = bb.getInt();
+            var newCryptoKey = new byte[cryptoKeyLen];
+            bb.get(newCryptoKey);
+            
+            var seqNum = bb.getInt();
+            bb.getInt();
+            bb.getInt();
+
+            System.out.println("Extracted security parameters from key exchange:");
+            System.out.printf("  SPI: 0x%04X%n", newSpi);
+            System.out.printf("  Auth Key (%d bytes): %s%n", authKeyLen, bytesToHex(newAuthKey));
+            System.out.printf("  Crypto Key (%d bytes): %s%n", cryptoKeyLen, bytesToHex(newCryptoKey));
+            System.out.printf("  Seq Num: %d%n", seqNum);
+
+            return new SecurityAssociation(newCryptoKey, newAuthKey, newSpi);
+        } catch (Exception e) {
+            System.err.println("Failed to parse initial key exchange: " + e.getMessage());
+            return null;
+        }
+    }
+
+    public static boolean isInitialKeyExchange(byte[] decryptedPayload) {
+        if (decryptedPayload.length < 2) {
+            return false;
+        }
+
+        // Big-endian opcode
+        short opcode = (short) (((decryptedPayload[0] & 0xFF) << 8) | (decryptedPayload[1] & 0xFF));
+        return opcode == 1;
+    }
+    
+    private static String bytesToHex(byte[] bytes) {
+        var sb = new StringBuilder();
+
+        for (var b : bytes) {
+            sb.append(String.format("%02X ", b));
+        }
+
+        return sb.toString().trim();
+    }
+
+    public record DecryptionResult(short spi, byte[] iv, byte[] decryptedPayload, boolean icvValid) {
+    }
+}