Hello, I have a capture in which SIP-TLS is being used. When I look at the packets, I see the TCP port being used for SIP-TLS = 5061. When I go to Preferences -> Protocols -> SIP, the SIP-TLS port = 5061. However, Wireshark only shows the packet as TCP and not SIP-TLS. Why is Wireshark not displaying the packets with TCP port 5061 as SIP-TLS?

I have performed the following in Wireshark:

1. Preferences -> Protocols -> TCP -> "Allow subdissector to reassemble TCP streams". I tried enabling and disabling this setting. It had no effect on decoding the SIP-TLS packets.
2. At first RTP packets were also not being decoded by Wireshark. After going to Preferences -> Protocols -> RTP, I enabled the setting "Try to decode RTP outside of conversation" and the RTP packets were properly decoded.

asked 22 Apr '15, 06:55 Amato_C
One Answer:
Because it will never do that, as there is no protocol "SIP-TLS" in Wireshark; that's why you see either TCP or SSL (or TLSxxx) in the protocol column. There is, however, a "translation/resolution" of port 5061 to sips, and you will see that in the Info column if you enable transport name resolution.

So, what you should see is TCP and SSL/TLS (as soon as the client starts the handshake) in the protocol column. If you only see TCP, then there is no SSL/TLS encryption in that session.

For any further analysis, we would need a capture file. Can you please upload a sample capture file somewhere (Google Drive, Dropbox, cloudshark.org) and post the link here?

Regards

answered 22 Apr '15, 07:46 Kurt Knochner ♦
Thanks Kurt. When I enabled the Transport name resolution, I see "sips" in the Info column. I was mistakenly expecting SIP-TLS to be presented in the Protocol column.
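
The distinction drawn in the answer (bare TCP segments, TLS records once the handshake starts, or no TLS at all on port 5061) can be checked directly on the first bytes of each TCP payload. The sketch below is an added example, not part of the original thread and not Wireshark's dissector logic; the function name, labels and sample payloads are constructed for illustration.

```python
import struct

# TLS record content types and a few handshake message types (RFC 5246).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate"}
SIP_METHODS = (b"INVITE", b"ACK", b"BYE", b"CANCEL", b"REGISTER", b"OPTIONS",
               b"SUBSCRIBE", b"NOTIFY", b"INFO", b"MESSAGE", b"UPDATE", b"REFER")
MAX_RECORD_LEN = 2**14 + 2048  # upper bound for a TLS 1.2 ciphertext record


def classify_payload(payload: bytes) -> str:
    """Classify one TCP segment payload seen on port 5061 (hypothetical helper)."""
    if not payload:
        return "tcp-only"          # SYN/ACK/FIN: nothing above TCP to dissect
    # Cleartext SIP on the "secure" port means the session is not encrypted.
    if payload.split(b" ", 1)[0] in SIP_METHODS or payload.startswith(b"SIP/2.0 "):
        return "plaintext-sip"
    if len(payload) < 5:
        return "unknown"
    # TLS record header: content type (1), version (2), length (2), big-endian.
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    if (ctype not in TLS_CONTENT_TYPES or major != 3 or minor > 4
            or length > MAX_RECORD_LEN):
        return "unknown"
    label = "tls:" + TLS_CONTENT_TYPES[ctype]
    # Only unencrypted handshake records expose a readable message type;
    # after ChangeCipherSpec this byte is ciphertext and may match by chance.
    if ctype == 22 and len(payload) > 5 and payload[5] in TLS_HANDSHAKE_TYPES:
        label += ":" + TLS_HANDSHAKE_TYPES[payload[5]]
    return label


# Constructed sample payloads (truncated to the bytes the classifier reads).
SAMPLES = {
    "bare_ack": b"",
    "client_hello": bytes.fromhex("160301002f0100002b0303"),
    "app_data": bytes.fromhex("1703030020") + b"\x00" * 32,
    "cleartext_sip": b"REGISTER sip:example.invalid SIP/2.0\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:14s} -> {classify_payload(data)}")
```

A flow on port 5061 that only ever yields `tcp-only` or `plaintext-sip` matches the "no SSL/TLS encryption in that session" case from the answer.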