Ask Your Question
0

Capture encrypted VoIP calls with Wireshark ?

asked 2017-11-18 16:54:41 +0000

zamar24 gravatar image

updated 2017-11-19 13:04:39 +0000

I'm trying to capture wired VoIP calls between 2 TextNow apps installed on different Windows 10 workstations on the same LAN, by running Wireshark 2.4.2 on one of these workstations. However, after the call is captured, nothing shows up under Telephony - VoIP Calls, or any other Telephony Wireshark menu option. Why is that, and how to make these calls to show up in the Telephony window, so I can listen to them and analyze? Captured traffic during such call is presented by Wireshark as primarily UDP and STUN packets between one TextNow client and a TextNow web server running at Amazon Cloud redirecting the call to another TextNow client on my LAN, but no SIP packets.

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2017-11-18 18:05:24 +0000

sindy gravatar image

Hard to say without seeing a capture, but in general, SIP and RTP are just the most well-known protocols used to transport VoIP signalling and media respectively. Some applications use their own protocols for the same purpose, and if these are new or obscure enough, Wireshark may not be able to identify them as VoIP-related ones yet. And if they are encrypted, it may never be.

edit flag offensive delete link more

Comments

Is there a way to send you the .pcap file, may be to PM or email? These files usually contain too much specific data to post them on a public forum unedited. I doubt TextNow uses their own protocol since this app allows to call any other softphones, ATAs, mobiles and landlines.

zamar24 gravatar imagezamar24 ( 2017-11-18 18:11:20 +0000 )edit

I'm afraid I was right. Your capture contains a bi-directional RTP exchange using an unknown codec (payload type number 111 can only be dynamically assigned per session so no codec is associated to it by default) and the call control protocol uses TLS encryption. The STUN requests contain username RTC-d50.... which suggests (although doesn't guarantee) that WebRTC technology is used.

I doubt TextNow uses their own protocol since this app allows to call any other softphones

An app like this rarely lives on its own, it usually has got some support infrastructure somewhere in the cloud, which provides gateway functionality allowing to interwork with other services. See this Wikipedia article for the idea. Depending on the business model, even calls to/from landline/mobile phones are possible via SIP.

There was a chance that the codec used was Opus - this was a wild guess based on the fact ...(more)

sindy gravatar imagesindy ( 2017-11-18 19:42:52 +0000 )edit

Thanks for the feedback. I think you're right regarding the cloud infrastructure and protocol exchange gateway. Does that mean Wireshark looses some ground in capturing and analyzing modern VoIP traffic? In that regard, what package would you suggest to capture and listen to this traffic? Also, any VoIP Recording package you know allows to capture a single call randomly directed by Windows via several NICs at different call stages, even if not encrypted like this?

zamar24 gravatar imagezamar24 ( 2017-11-18 20:19:30 +0000 )edit

Well, the very idea of encryption is that witty folks using Wireshark (or anything else for that matter) would not be able to record the calls and listen to them.

So if you can get the TLS sessions' secrets from your browser, you can decrypt your own TLS sessions (unless DH key negotiation was used), but without that data - game over. If the app is self-sufficient, i.e. doesn't run in browser window, you'll not be able to decipher even your own calls.

Which brings me to an idea that the codec used might have actually been Opus but the RTP may have been an SRTP in fact - the two are indistinguishable as the only difference is the payload, so only the signalling information could tell whether SRTP was used or not.

sindy gravatar imagesindy ( 2017-11-18 22:02:32 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2017-11-18 16:54:41 +0000

Seen: 2,735 times

Last updated: Nov 19 '17

Related questions

Why redirection of VoIP calls to voicemail fails?

Now that the g.729 codec patent has expired, will Wireshark include a decoder for it?

Channel and capture VoIP traffic on a dedicated NIC?

Having issues with RTP not showing up in Voip Calls flow sequence in version 2.4.2.

How to remove SID frame from RTP Jitter calculation ?

How to decrypt zigbee traffic?

RTP player playback issue

How to correlate output of tshark rtp.heuristic_rtp:TRUE with dialed phone numbers

encrypted trace question

Can't see encrypted application data in SSL session

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2