Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: [Wireshark-users] Problem with SSL decryption of Sip traffic

From: David Beaven <D.Beaven@xxxxxxxxx>
Date: Wed, 8 Apr 2009 09:20:16 +0100

I have imported the server private key and the log file shows decrypted IP traffic but the packet is only shown as: TLSv1 Record Layer: Application Data Protocol: SSL in the main viewer.  Inside the SSL log file I see a SIP register event.  NB I also had to set  TCP option 'allow subdissector to reassemble TCP streams' to avoid unreassembled packet in trace

Any ideas why the SIP data is not shown in the main viewer?

 

Thanks

David

 

ssl_init keys string:

xxx.xxx.xxx.xxx,5061,SSL,c:\crud\wireshark\spc.pem

ssl_init found host entry xxx.xxx.xxx.xxx,5061,SSL,c:\crud\wireshark\spc.pem

ssl_init addr 'xxx.xxx.xxx.xxx' port '5061' filename 'c:\crud\wireshark\spc.pem' password(only for p12 file) '(null)'

Private key imported: KeyID 8B:D4: etc

ssl_init private key file c:\crud\wireshark\spc.pem successfully loaded

association_add TCP port 5061 protocol SSL handle 00000000

association_add could not find handle for protocol 'SSL', try to find 'data' dissector

association_find: TCP port 993 found 03A98FC0

ssl_association_remove removing TCP 993 - imap handle 029D85B0

association_add TCP port 993 protocol imap handle 029D85B0

association_find: TCP port 995 found 03A99008

ssl_association_remove removing TCP 995 - pop handle 037F0360

association_add TCP port 995 protocol pop handle 037F0360

 

dissect_ssl enter frame #408 (first time)

  conversation = 04D4C3C8, ssl_session = 04D4C5A0

dissect_ssl3_record: content_type 23

decrypt_ssl3_record: app_data len 724 ssl, state 0x1F

association_find: TCP port 3830 found 00000000

packet_from_server: is from server - FALSE

decrypt_ssl3_record: using client decoder

ssl_decrypt_record ciphertext len 724

Ciphertext[724]:

7d 4d f8 d8 b etc

 

ssl_decrypt_record: allocating 756 bytes for decrypt data (old len 68)

Plaintext[724]:

52 etc

 

ssl_decrypt_record: mac ok

ssl_add_data_info: new data inserted data_len = 704, seq = 0, nxtseq = 704

association_find: TCP port 3830 found 00000000

association_find: TCP port 5061 found 03C86268

dissect_ssl3_record decrypted len 704

decrypted app data fragment: REGISTER sip:a.com SIP/2.0

 

Via: SIP/2.0/TLS 172.16.2.248:3830

 

Max-Forwards: 70

 

From: <sip:fred@xxxxx>;tag=aa3d705e23;epid=7a7f459a4e

 

To: <sip:fred@xxxxx>

 

Call-ID: a86fbad582e9476691334a63a8663eca

 

CSeq: 1 REGISTER

 

Contact: <sip:172.16.1.248:3830;transport=tls;ms-opaque=d222c22bee>;methods="INVITE, MESSAGE, INFO, OPTIONS, BYE, CANCEL, NOTIFY, ACK, REFER, BENOTIFY";proxy=replace;+sip.instance="<urn:uuid:E79BC994-FC35-58B0-92EC-E35E5B31BED9>"

 

User-Agent: UCCAPI/3.5.6907.0 OC/3.5.6907.0 (Microsoft Office Communicator 2007 R2)

 

Supported: gruu-10, adhoclist, msrtc-event-categories

 

Supported: ms-forking

 

ms-keep-alive: UAC;hop-hop=yes

 

Event: registration

 

Content-Length: 0

 


This message is for the addressee only and may contain privileged or confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any views or opinions expressed are solely those of the author and do not necessarily represent those of IDS. Institute of Development Studies at the University of Sussex, Brighton BN1 9RE Tel: +44 (0)1273 606261; Fax: +44 (0)1273 621202 IDS, a charitable company limited by guarantee: Registered Charity No. 306371; Registered in England 877338; VAT No. GB 350 899914