This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decoding SRTCP Packets

0

Hello,

I am trying to decode SRTCP packets. I have the private key and specified it at Edit -> Preferences -> Protocols -> SSL. My SIP and RTP packets are decoding fine, but my RTCP packets are not. According to the Wiki page for RTCP (https://wiki.wireshark.org/RTCP) at the very bottom of the discussion, it is written, "SRT(C)P handling was recently added to both dissectors. (JaapKeuter)" so I am believing that Wireshark has the ability to SSL decode these packets.

My settings at Edit -> Preferences -> Protocols -> SSL -> RSA Keys List has the correct IP address, rtcp for protocol, and points to the private key. For port, I've tried our SIP/TLS port (we run on a non-standard port), 0, 32513 (the port on which SRTCP packets on this specific capture appear), but no matter what, they Sender Report isn't decrypted to where I can see it. Here's what I get:

Frame 20: 104 bytes on wire (832 bits), 104 bytes captured (832 bits) on interface 0 Ethernet II, Src: Jetcell_bb:15:1b (00:d0:2b:bb:15:1b), Dst: SuperMic_04:29:a4 (00:25:90:04:29:a4) Internet Protocol Version 4, Src: 1.2.3.4, Dst: 1.2.4.4 User Datagram Protocol, Src Port: 12147, Dst Port: 32513 Real-time Transport Control Protocol (Receiver Report) [Stream setup by SDP (frame 6)] 10.. .... = Version: RFC 1889 Version (2) ..0. .... = Padding: False ...0 0000 = Reception report count: 0 Packet type: Receiver Report (201) Length: 1 (8 bytes) Sender SSRC: 0x4f468afd (1330023165) Encrypted RTCP Payload - not dissected [Expert Info (Warning/Undecoded): Encrypted RTCP Payload - not dissected] [Encrypted RTCP Payload - not dissected] [Severity level: Warning] [Group: Undecoded] 1... .... .... .... .... .... .... .... = SRTCP E flag: True .000 0000 0000 0000 0000 0000 0000 0000 = SRTCP Index: 0 (0x00000000) SRTCP Auth Tag: 8210f9afd49d19feda38

Does anyone have decryption of SRTCP packets working? Ideas or advice for making this work?

Thanks,

Dave

asked 13 Oct '17, 06:41

DavidSovereen's gravatar image

DavidSovereen
6112
accept rate: 0%

edited 13 Oct '17, 06:49

grahamb's gravatar image

grahamb ♦
19.8k330206


One Answer:

0

You are aware the TLS and SRTP have little to do with each other, right?

In short they have nothing to to do with each other, while the long answer is that the signalling used for key exchange for the SRTP session may be accessible if the corresponding SDP exchange is accessible through the use of TLS decryption.

When this is not clear, consider the following. SIP is used for session control and SDP for the media session. When Secure RTP is involved, media key exchange has to take place, which can be done through SDP. This is only sensible if the key exchange itself is protected, eg. by (D)TLS. So having the option to decrypt SIP/TLS, and therefore SDP, gives you access to the media encryption keys. That is how this binds together.

This also tells you that it is a matter of using the media encryption keys to decrypt the SRTP and SRTCP packets. Well, Wireshark doesn't do that (yet). What is does do is being aware that the RTP and RTCP packets are encrypted and thus dissect the fields in these packets with that in fact in mind. They therefore also do not show decrypted data, since it is not capable of doing that right now.

answered 13 Oct '17, 08:56

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

We've been running SIP/RTP and are just starting our transition into SIP/TLS and SRTP. I hadn't looked at all into where and how the media encryption keys for RTP were transmitted, but its helpful for you to point this out; your explanation makes perfect sense.

I assumed that SRTP was visible, but now see that it is not. We have a monitoring system for our VoIP network and it decrypts the SIP/TLS traffic with use of the private key. It immediately began generating trouble reports from (S)RTCP packets, and it became apparent that it could not decrypt them.

Is decrypting SRTP and SRTCP packets on a roadmap for Wireshark? Is there a roadmap? If its all volunteer contributions, is there a method for donating or paying a bounty to get new types of analysis, like SRTP/SRTCP decryption done?

Thanks,

Dave

(13 Oct '17, 12:21) DavidSovereen

It would surprise me if the monitoring system would be able to decrypt SIP/TLS but then expects RTP/RTCP to be unencrypted.

As for a roadmap, no there isn't one, other than a rough release schedule. It's all (except the work that Gerald does) volunteers, doing there bit, catching their itch. This particular subject has been itching some of use already, but I've seen nothing come to fruition as of yet.

You could contact the community at the wireshark-dev mailing list to get in touch with a competent developer.

(14 Oct '17, 02:06) Jaap ♦