This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture SIP traffic on LYNC

0

I have to run a long-term capture to find a SIP scenario which causes some issues. I have downloaded the Lync certificate into Wireshark, and restarted the device I want to capture to get the initial handshake. This works fine. Now I want to capture to a file instead, with a 15 minute interval. I restart the device again. The first file that gets saved has the initial handshake, and I'm able to see the SIP traffic. However, when Wireshark starts on the next file, it seems that the decryption stops, and only encrypted packets are displayed. Is there a workaround for this? Let's say I save the capture to a file every 15 minutes, and I need to find a call captured after 2 hours. I can of course disable "Update list of packets in real time" to increase performance, and at the same time put in different filters to minimize the amount of other traffic.

asked 27 Feb '14, 11:51

gchrist


One Answer:

1

I assume Wireshark uses the RSA private key you gave it to figure out the master secret and symmetric key exchanged during the TLS handshake, at the start of Lync's TCP/TLS session. Since only the first file will have those TLS handshake packets, subsequent files can't be decrypted (the RSA private key is only used during the TLS handshake).

It looks like in Preferences -> SSL you can give Wireshark the master secret (not the private key, but rather the master secret exchanged during the handshake) in a separate file. But if I recall, TLS uses AES in CBC mode, so without the previous blocks I don't see how it could decrypt those other files. But maybe I'm remembering TLS wrong, so you could try it.

If all else fails, you could write a Lua script to write the unencrypted SIP message contents into multiple files, without using Wireshark's built-in multi-file writing.

answered 27 Feb '14, 16:06

Hadriel
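The answer's key point is that the RSA private key is only useful for the file that contains the TLS handshake (ClientHello/ServerHello), so with a ring buffer of 15 minute files only the first file is decryptable on its own. A practical first step is to find out which of the rotated files actually carries a handshake on the Lync port, so that file can be merged (with mergecap) in front of the later file you care about before opening the result with the key configured. The script below is an added example, not code from the original thread or from Wireshark: it is a minimal reader for classic little-endian Ethernet/IPv4/TCP pcap files that counts TLS hello messages and application-data records per file. The port 5061, the file names and the two sample capture files are all constructed inline for the illustration.

```python
"""Find which ring-buffer pcap files hold a TLS handshake on a given port.

Added example (not from the original thread or Wireshark). Handles only the
classic little-endian pcap format with Ethernet/IPv4/TCP frames; the sample
captures at the bottom are constructed in-line.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, little-endian, microsecond stamps
DLT_EN10MB = 1
TLS_HANDSHAKE, TLS_APPDATA = 0x16, 0x17
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2


def iter_frames(data):
    """Yield raw Ethernet frames from pcap bytes."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != DLT_EN10MB:
        raise ValueError("expected little-endian classic pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src_port, dst_port, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4          # Ethernet + IHL
    if len(frame) < tcp + 20:
        return None
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4
    return sport, dport, frame[tcp + data_off:]


def tls_records(payload):
    """Yield (content_type, handshake_type) for each TLS record in one segment."""
    off = 0
    while off + 5 <= len(payload):
        ctype, vmaj, _vmin, length = struct.unpack_from("!BBBH", payload, off)
        if ctype not in (0x14, 0x15, 0x16, 0x17) or vmaj != 3:
            return                               # not a TLS record boundary
        body = payload[off + 5:off + 5 + length]
        hs_type = body[0] if ctype == TLS_HANDSHAKE and body else None
        yield ctype, hs_type
        off += 5 + length


def classify(data, port):
    """Count hello messages and application-data records on `port` in one pcap.

    Note: an encrypted Finished message also has content type 0x16, so a
    random first byte could rarely be mistaken for a hello; plain-text hellos
    always appear before any application data, which is what we care about.
    """
    hellos = appdata = 0
    for frame in iter_frames(data):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        sport, dport, payload = parsed
        if port not in (sport, dport):
            continue
        for ctype, hs in tls_records(payload):
            if ctype == TLS_HANDSHAKE and hs in (HS_CLIENT_HELLO, HS_SERVER_HELLO):
                hellos += 1
            elif ctype == TLS_APPDATA:
                appdata += 1
    return {"hellos": hellos, "appdata": appdata, "decryptable_alone": hellos > 0}


def handshake_files(files, port):
    """Names of the files (name -> pcap bytes) that contain a TLS hello on `port`."""
    return [name for name, data in files.items() if classify(data, port)["decryptable_alone"]]


# --- constructed sample captures (not real Lync traffic) ---------------------
def _frame(sport, dport, payload):
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def _pcap(frames):
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


def _tls(ctype, body):
    return struct.pack("!BBBH", ctype, 3, 1, len(body)) + body


LYNC_PORT = 5061  # assumed SIP/TLS port for the illustration
FILE1 = _pcap([  # first ring-buffer file: handshake then some application data
    _frame(50000, LYNC_PORT, _tls(TLS_HANDSHAKE, bytes([HS_CLIENT_HELLO]) + b"\x00" * 40)),
    _frame(LYNC_PORT, 50000, _tls(TLS_HANDSHAKE, bytes([HS_SERVER_HELLO]) + b"\x00" * 40)),
    _frame(50000, LYNC_PORT, _tls(TLS_APPDATA, b"\xaa" * 64)),
])
FILE2 = _pcap([  # a later file: only encrypted application data, no handshake
    _frame(50000, LYNC_PORT, _tls(TLS_APPDATA, b"\xbb" * 64)),
    _frame(LYNC_PORT, 50000, _tls(TLS_APPDATA, b"\xcc" * 64)),
])

if __name__ == "__main__":
    files = {"lync_00001.pcap": FILE1, "lync_00002.pcap": FILE2}
    for name, data in files.items():
        print(name, classify(data, LYNC_PORT))
    print("files with a handshake:", handshake_files(files, LYNC_PORT))
```

For real captures, read each file with `open(name, "rb").read()` and pass the dictionary to `handshake_files`. Once you know which file holds the handshake, `mergecap -w merged.pcap lync_00001.pcap lync_00009.pcap` puts the two files into one trace that Wireshark can read with the RSA key from the SSL preferences; whether the application data from the later file then decrypts cleanly depends on the TLS version and cipher suite in use, which is exactly the CBC concern raised in the answer above, so treat the merge as something to try rather than a guaranteed fix.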