> -----Original Message-----
> From: wireshark-dev-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Luis Ontanon
> What about heuristics?
> is there some sort of magic we can use to determine if it is SRTP?
> is there a checksum or similar info we can check?
The trouble with SRTP is basically a worse case than the trouble with
all RTP profiles: they assume out-of-band signalling to have occurred to
allow the receiver to decode them.
In the case of SRTP there is a default SRTP profile which has a standard
encryption and authentication algorithm, standard authentication tag
size and standard (zero) MKI size, but there is no way to know whether
any application has overridden the defaults by heuristics short of brute
force trying of different tag sizes and algorithms. There are
already 2 defined encryption algorithms, and the non-default one is in
common usage too.
Really it needs almost "per stream" preferences - maybe as well as the
right-click "Decode As..." we should have a "Configure this protocol
with...", and a dialogue to allow e.g. the user to enter a decryption
key, tag sizes etc which are saved in the conversatin data for the
protocol and used to redissect it. Is this perhaps a general problem for
other protocols too (e.g. SSL keys) ? I suspect some of the other
preferences should really be per stream but we get away with them
because captures commonly show many streams with the same prerences
(e.g. SCCP is ITU or ANSI - rarely seen together!).
Regards,
Neil
