# How can I differentiate RTP and SRTP packets?

Hi there,

I have 2 cameras, both streaming video. One should be streaming SRTP and the other RTP.

But when I wireshark the packets, both streams (RTP packets) look the same. They both are listed as RTP (in the protocol column).

Though I get RTSP packets from the one camera, it seems to me the RTP packets are not encrypted at all. I can see the RTP fields and even the payload.

How do I know if SRTP is used? Shouldn't I see SRTP in the protocol column? I'm really confused.


Add a column for rtp.setup-method

Description: [Setup Method: ZRTP]
Field Name: rtp.setup-method
Value: ZRTP


Can you share a packet capture?
If not, there is an Asterisk_ZFONE_XLITE.pcap (Sample SIP call with ZRTP protected media) on the Wireshark wiki which has an example of SRTP.

( 2020-09-11 15:47:42 +0000 )edit


First thing would be to have access to the media session setup protocol (e.g., SDP in SIP). This can tell the parameters of the media stream, carried by RTP, and the encryption parameters. This will then show up in the related RTP stream, being shown as SRTP.

When this is not available in the capture (e.g., the media session setup protocol is encrypted itself) there's nothing really the RTP dissector can do but to show the packets as if they were RTP. There are some telltale signs you can spot to see if this is SRTP after all. Usually the SRTP packets have an HMAC at the end, increasing the payload beyond what is expected from the media encoder. Sometimes you can spot recognisable patterns in the data (e.g. PCM encoded silence in audio packets). When these are missing it may be SRTP after all. As said, it's not trivial to distinguish the two.


I used RTSPS (encrypted RTSP) to start the RTP stream, so I can't see the parameters in those packets, but I do know they both use h.264 codec for the videostream.

Now because of this, I am able to dissect the RTP packets (for both streams) as h.264 packets. I did this by filling in the RTP dynamic payload type in the H.264 protocol in Wireshark. The value I put in, is the value in the RTP packets headers I already was able to see.

Now both streams are detected as h.264 streams and I can even see some h.264 headers. Does this mean both streams are unencrypted?

I really want to create an image/video of this payload to see if one makes a correct/recognizable image/video and the other... guess noise (if it is truly encrypted).

I can't ...

( 2020-09-12 15:50:25 +0000 )edit
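As an added example (my own code, not part of the original thread and not from the Wireshark project), the script below does what the answer and the follow-up comment describe by hand: it parses the cleartext RTP header (SRTP only encrypts the payload, which is why the dissector still shows version, payload type, sequence number and SSRC), then applies two heuristics to the payload. The first is the H.264 check the asker was doing in Wireshark: a plausible NAL unit header per RFC 6184 (forbidden_zero_bit clear, a known nal_unit_type). The second is byte entropy: an encrypted payload looks uniformly random, while a real H.264 slice has structure. The two sample packets are constructed here, not captured; the "SRTP-like" one uses a deterministic hash chain as a stand-in for ciphertext plus a 10-byte tail standing in for the default 80-bit SRTP auth tag. The entropy threshold of 6.5 bits and the payload type 96 are assumptions for the demo.

```python
import hashlib
import math
import struct

SRTP_AUTH_TAG_LEN = 10  # RFC 3711 default HMAC-SHA1-80 tag (a 32-bit variant also exists)


def parse_rtp_header(pkt: bytes) -> dict:
    """Parse the RTP fixed header, CSRC list and header extension (RFC 3550).

    SRTP leaves all of this in cleartext, so a dissector sees valid RTP either way.
    """
    if len(pkt) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    cc = b0 & 0x0F
    hdr_len = 12 + 4 * cc
    if b0 & 0x10:  # header extension present: profile(2) + length in 32-bit words(2)
        if len(pkt) < hdr_len + 4:
            raise ValueError("truncated header extension")
        ext_words = struct.unpack("!H", pkt[hdr_len + 2:hdr_len + 4])[0]
        hdr_len += 4 + 4 * ext_words
    if len(pkt) < hdr_len:
        raise ValueError("truncated CSRC list or extension")
    payload = pkt[hdr_len:]
    if b0 & 0x20 and payload:  # padding bit: last byte counts the padding octets
        payload = payload[:-payload[-1]]
    return {
        "padding": bool(b0 & 0x20),
        "extension": bool(b0 & 0x10),
        "marker": bool(b1 & 0x80),
        "payload_type": b1 & 0x7F,
        "seq": seq,
        "timestamp": ts,
        "ssrc": ssrc,
        "payload": payload,
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is uniformly random, real codec output is well below that."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_h264(payload: bytes) -> bool:
    """RFC 6184 payload header plausibility: forbidden bit clear, known NAL type."""
    if not payload or payload[0] & 0x80:
        return False
    nal_type = payload[0] & 0x1F
    if 1 <= nal_type <= 23:          # single NAL unit packet
        return True
    if nal_type in (24, 25, 26, 27):  # STAP-A/B, MTAP16/24 aggregation packets
        return True
    if nal_type in (28, 29):          # FU-A/FU-B: an FU header follows
        return len(payload) > 1 and 1 <= (payload[1] & 0x1F) <= 23
    return False


def classify(pkt: bytes, entropy_threshold: float = 6.5) -> dict:
    """Return the header fields plus a 'plaintext' or 'opaque' verdict for the payload."""
    hdr = parse_rtp_header(pkt)
    payload = hdr["payload"]
    ent = shannon_entropy(payload)
    h264 = looks_like_h264(payload)
    verdict = "plaintext" if h264 and ent < entropy_threshold else "opaque"
    return {**hdr, "payload_len": len(payload), "entropy": ent,
            "h264_header_ok": h264, "verdict": verdict}


def build_rtp(pt: int, seq: int, ts: int, ssrc: int, payload: bytes, marker: bool = False) -> bytes:
    """Build a minimal RTP packet (V=2, no padding/extension/CSRC) for the demo."""
    return struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | (pt & 0x7F), seq, ts, ssrc) + payload


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for ciphertext (a SHA-256 chain); not a cipher, demo only."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: an IDR slice (NAL type 5) with a repetitive body, and an
# SRTP-like packet whose payload is opaque and carries a 10-byte auth-tag tail.
PLAIN_PAYLOAD = bytes([0x65]) + bytes([0x88, 0x84, 0x00, 0x10, 0xFF, 0xFF, 0xF0, 0x00]) * 64
PLAIN_PKT = build_rtp(96, 1000, 90000, 0x11223344, PLAIN_PAYLOAD, marker=True)
SRTP_LIKE_PKT = build_rtp(96, 1000, 90000, 0x55667788,
                          pseudo_random_bytes(513) + pseudo_random_bytes(SRTP_AUTH_TAG_LEN, b"tag"))

if __name__ == "__main__":
    for name, pkt in (("camera A", PLAIN_PKT), ("camera B", SRTP_LIKE_PKT)):
        r = classify(pkt)
        print(f"{name}: pt={r['payload_type']} seq={r['seq']} ssrc={r['ssrc']:#x} "
              f"len={r['payload_len']} entropy={r['entropy']:.2f} h264={r['h264_header_ok']} -> {r['verdict']}")
```

To run it against your own capture, export the two streams' UDP payloads (for example with tshark's `-T fields -e udp.payload`), feed each packet to `classify()`, and compare. Note that a random-looking first byte passes the NAL check about a third of the time, so entropy over a few hundred bytes is the stronger of the two signals; and the 10-byte tag only shows up as a payload that is consistently longer than the codec should produce, which the script cannot know on its own.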