First thing would be to have access to the media session setup protocol (e.g., SDP in SIP). This can tell the parameters of the media stream, carried by RTP, and the encryption parameters. This will then show up in the related RTP stream, being shown as SRTP.
When this is not available in the capture (e.g., the media session setup protocol is encrypted itself) there's nothing really the RTP dissector can do but to show the packets as if they were RTP. There are some telltale signs you can spot to see if this is SRTP after all. Usually the SRTP packets have an HMAC at the end, increasing the payload beyond what is expected from the media encoder. Sometimes you can spot recognisable patterns in the data (e.g. PCM encoded silence in audio packets). When these are missing it may be SRTP after all. As said, it's not trivial to distinguish the two.
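
The two telltale signs described in the answer above can be checked mechanically. This is an added example, not part of the original answer and not Wireshark code; it assumes G.711 audio (static payload types 0 and 8, one byte per sample at 8 kHz), the common 4- and 10-byte SRTP authentication tag lengths, and silence bytes 0xFF (PCMU) and 0xD5 (PCMA). The helper names and sample packets are constructed for illustration.

```python
import struct

# Assumptions of this sketch: G.711 only; the RTP padding bit is ignored.
G711_SILENCE = {0: 0xFF, 8: 0xD5}           # static payload types PCMU, PCMA
FRAME_SIZES = {8 * ms for ms in (10, 20, 30, 40, 60)}  # payload bytes per ptime
SRTP_TAG_LENGTHS = (4, 10)                  # HMAC-SHA1-32 / HMAC-SHA1-80 tags


def make_packet(payload_type, payload, seq=1, timestamp=160, ssrc=0x1234):
    """Build a constructed RTP v2 packet (no CSRC, no extension) as sample input."""
    header = struct.pack("!BBHII", 0x80, payload_type, seq, timestamp, ssrc)
    return header + payload


def rtp_payload(packet):
    """Return (payload_type, payload), skipping header, CSRC list and extension."""
    if len(packet) < 12 or packet[0] >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    offset = 12 + 4 * (packet[0] & 0x0F)             # fixed header + CSRC list
    if packet[0] & 0x10:                             # X bit: header extension
        if len(packet) < offset + 4:
            raise ValueError("truncated header extension")
        offset += 4 + 4 * struct.unpack_from("!H", packet, offset + 2)[0]
    if offset > len(packet):
        raise ValueError("truncated packet")
    return packet[1] & 0x7F, packet[offset:]


def classify(packet):
    """Heuristic verdict: cleartext, rtp-likely, srtp-likely or undetermined."""
    payload_type, payload = rtp_payload(packet)
    if payload_type not in G711_SILENCE:
        return "undetermined"                        # codec not covered here
    # Encoded silence is only recognisable when the payload is not encrypted.
    silence = payload.count(G711_SILENCE[payload_type])
    if payload and 2 * silence >= len(payload):
        return "cleartext"
    # Payload longer than a codec frame by exactly one tag length: SRTP sign.
    if any(len(payload) - tag in FRAME_SIZES for tag in SRTP_TAG_LENGTHS):
        return "srtp-likely"
    if len(payload) in FRAME_SIZES:
        return "rtp-likely"
    return "undetermined"
```

A single packet is weak evidence; the verdict is more useful when it is the same across most packets of one SSRC.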