Wireshark-users: [Wireshark-users] Problem with SSL decryption of Sip traffic
I have imported the server private key and the log file shows decrypted IP traffic but the packet is only shown as: TLSv1 Record Layer: Application Data Protocol: SSL in the main viewer. Inside the SSL log file I see a SIP register event. NB I also had to set TCP option 'allow subdissector to reassemble TCP streams' to avoid unreassembled packet in trace.

Any ideas why the SIP data is not shown in the main viewer?

Thanks
David

ssl_init keys string: xxx.xxx.xxx.xxx,5061,SSL,c:\crud\wireshark\spc.pem
ssl_init found host entry xxx.xxx.xxx.xxx,5061,SSL,c:\crud\wireshark\spc.pem
ssl_init addr 'xxx.xxx.xxx.xxx' port '5061' filename 'c:\crud\wireshark\spc.pem' password(only for p12 file) '(null)'
Private key imported: KeyID 8B:D4: etc
ssl_init private key file c:\crud\wireshark\spc.pem successfully loaded
association_add TCP port 5061 protocol SSL handle 00000000
association_add could not find handle for protocol 'SSL', try to find 'data' dissector
association_find: TCP port 993 found 03A98FC0
ssl_association_remove removing TCP 993 - imap handle 029D85B0
association_add TCP port 993 protocol imap handle 029D85B0
association_find: TCP port 995 found 03A99008
ssl_association_remove removing TCP 995 - pop handle 037F0360
association_add TCP port 995 protocol pop handle 037F0360
dissect_ssl enter frame #408 (first time)
conversation = 04D4C3C8, ssl_session = 04D4C5A0
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 724 ssl, state 0x1F
association_find: TCP port 3830 found 00000000
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
ssl_decrypt_record ciphertext len 724
Ciphertext[724]: 7d 4d f8 d8 b etc
ssl_decrypt_record: allocating 756 bytes for decrypt data (old len 68)
Plaintext[724]: 52 etc
ssl_decrypt_record: mac ok
ssl_add_data_info: new data inserted data_len = 704, seq = 0, nxtseq = 704
association_find: TCP port 3830 found 00000000
association_find: TCP port 5061 found 03C86268
dissect_ssl3_record decrypted len 704
decrypted app data fragment: REGISTER sip:a.com SIP/2.0
Via: SIP/2.0/TLS 172.16.2.248:3830
Max-Forwards: 70
From: <sip:fred@xxxxx>;tag=aa3d705e23;epid=7a7f459a4e
To: <sip:fred@xxxxx>
Call-ID: a86fbad582e9476691334a63a8663eca
CSeq: 1 REGISTER
Contact: <sip:172.16.1.248:3830;transport=tls;ms-opaque=d222c22bee>;methods="INVITE, MESSAGE, INFO, OPTIONS, BYE, CANCEL, NOTIFY, ACK, REFER, BENOTIFY";proxy=replace;+sip.instance="<urn:uuid:E79BC994-FC35-58B0-92EC-E35E5B31BED9>"
User-Agent: UCCAPI/3.5.6907.0 OC/3.5.6907.0 (Microsoft Office Communicator 2007 R2)
Supported: gruu-10, adhoclist, msrtc-event-categories
Supported: ms-forking
ms-keep-alive: UAC;hop-hop=yes
Event: registration
Content-Length: 0
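Added example, not part of the original post and not Wireshark code: a short Python check that scans an SSL debug log in the format shown above for key-list entries whose protocol name did not resolve to a dissector handle (a null handle on the association_add line plus the 'data' dissector fallback message), and lists the record lengths the log reports as decrypted. The function name and the embedded sample (lines copied from the post's log) are assumptions of this example.

```python
import re

# Constructed sample: a few lines copied from the debug log in the post above.
SAMPLE_LOG = r"""ssl_init keys string: xxx.xxx.xxx.xxx,5061,SSL,c:\crud\wireshark\spc.pem
association_add TCP port 5061 protocol SSL handle 00000000
association_add could not find handle for protocol 'SSL', try to find 'data' dissector
association_add TCP port 993 protocol imap handle 029D85B0
association_add TCP port 995 protocol pop handle 037F0360
association_find: TCP port 5061 found 03C86268
dissect_ssl3_record decrypted len 704
"""

# Patterns follow the log lines as they appear in the post; other Wireshark
# versions may word these messages differently (assumption of this example).
ADD_RE = re.compile(
    r"association_add (TCP|UDP) port (\d+) protocol (\S+) handle ([0-9A-Fa-f]+)\b")
FALLBACK_RE = re.compile(
    r"association_add could not find handle for protocol '([^']+)'")
DECRYPTED_RE = re.compile(r"dissect_ssl3_record decrypted len (\d+)")


def audit_ssl_debug_log(text):
    """Return (unresolved, decrypted_lengths).

    unresolved: associations registered with a null dissector handle, each
    flagged if the log also reports falling back to the 'data' dissector.
    decrypted_lengths: lengths of the records the log reports as decrypted.
    Uses finditer over the whole text, so it also works on a log whose line
    breaks were lost in an e-mail or archive page.
    """
    fallback_protocols = {m.group(1) for m in FALLBACK_RE.finditer(text)}
    unresolved = []
    for m in ADD_RE.finditer(text):
        transport, port, protocol, handle = m.groups()
        if int(handle, 16) == 0:  # no dissector registered under this name
            unresolved.append({
                "transport": transport,
                "port": int(port),
                "protocol": protocol,
                "data_fallback": protocol in fallback_protocols,
            })
    decrypted_lengths = [int(m.group(1)) for m in DECRYPTED_RE.finditer(text)]
    return unresolved, decrypted_lengths


if __name__ == "__main__":
    unresolved, lengths = audit_ssl_debug_log(SAMPLE_LOG)
    for u in unresolved:
        print("%(transport)s/%(port)d: protocol '%(protocol)s' has no dissector "
              "handle (data fallback: %(data_fallback)s)" % u)
    print("decrypted record lengths:", lengths)
```

The protocol field of a key-list entry names the dissector that receives the decrypted payload, so an entry flagged here decrypts successfully but is not decoded further in the packet view.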
- Follow-Ups:
- Re: [Wireshark-users] Problem with SSL decryption of Sip traffic
- From: Sake Blok
- Re: [Wireshark-users] Problem with SSL decryption of Sip traffic