I am able to decrypt SIP over TLS 1.2 by insertig the keys in the Wireshark Preferences. My question is how does wireshark know that the packet is SIP? is it by port (my port in the example is 5080)? I know that for http2 over TLS it knows by ALPN for example. But in my pcap there is no ALPN so how doe it know that this is SIP?
