This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

problem decoding SIP TLS - only one side decoded

0

Hi, I'm having problem with decoding captured SIP TLS connection. I have the server private key. However, after configuring wireshark to decode packets I can see only one side of the connection (for example I can see REGISTER packet) but I can not see the response - it's ciphered. Can any one help me?

Here is a debug of such connection

Private key imported: KeyID 77:2e:3c:63:01:24:eb:29:8d:ad:35:e5:6d:35:db:a5:...
ssl_init IPv4 addr '10.0.4.63' (10.0.4.63) port '5061' filename 'D:\asterisk.key' password(only for p12 file) ''
ssl_init private key file D:\asterisk.key successfully loaded.
association_add TCP port 5061 protocol sip handle 0000000005B16760

dissect_ssl enter frame #5 (first time) ssl_session_init: initializing ptr 0000000007071FB8 size 680 conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 98 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 93, ssl state 0x00 association_find: TCP port 8003 found 0000000000000000 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 1 offset 5 length 89 bytes, remaining 98 packet_from_server: is from server - FALSE ssl_find_private_key server 10.0.4.63:5061 dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #8 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 1448 dissect_ssl3_record found version 0x0301(TLS 1.0) -> state 0x11 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 74, ssl state 0x11 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79 dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13 dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17 dissect_ssl3_hnd_srv_hello trying to generate keys ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57) dissect_ssl3_hnd_srv_hello can't generate keyring material record: offset = 79, reported_length_remaining = 1369 need_desegmentation: offset = 79, reported_length_remaining = 1369

dissect_ssl enter frame #9 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 1448 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 74, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79 dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x17 ssl_restore_session can't find stored session dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17 dissect_ssl3_hnd_srv_hello trying to generate keys ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57) dissect_ssl3_hnd_srv_hello can't generate keyring material record: offset = 79, reported_length_remaining = 1369 need_desegmentation: offset = 79, reported_length_remaining = 1369

dissect_ssl enter frame #10 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 2125 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 2111, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 11 offset 5 length 2107 bytes, remaining 2116 record: offset = 2116, reported_length_remaining = 9 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 4, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 14 offset 2121 length 0 bytes, remaining 2125

dissect_ssl enter frame #14 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 182 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 134, ssl state 0x17 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139 pre master encrypted[128]: 5d e9 aa 35 6e e1 12 6c 06 ef 2b c3 03 44 0f 7a f4 ed 00 f3 9d 95 93 98 a4 94 3a 35 51 ab 38 ff 9b a3 69 4e 46 51 c6 5f 53 ef 34 75 c5 fa 99 ef 4d 4a 7e dc ab 4d b7 80 3e a0 55 cb e3 f2 c0 04 ff da 57 d6 35 bb 3d 63 aa 4d e0 87 2b 29 58 50 d4 c0 45 04 f3 2a 6d 06 da c3 e3 6a f9 cd 4b 9e 03 a0 7b 0f 60 cf dc 9d 9f 29 c7 40 a7 20 f7 5c f6 c8 0c 0a 3c d0 7f a5 4f e0 19 2f 47 41 2d 7e ssl_decrypt_pre_master_secret:RSA_private_decrypt pcry_private_decrypt: stripping 79 bytes, decr_len 127 decrypted_unstrip_pre_master[127]: 02 bc 5b 1e a2 bd 1c 4d 26 2c 12 31 af 1b ac 10 07 e8 a1 f8 93 ea 18 95 8b 9e 64 7f a4 1b 08 52 a8 34 53 c1 58 f7 be 06 6e eb d3 6d 32 61 e0 d8 ba f7 62 b8 b0 1e 1a 4d ea 97 ff 05 f9 42 d5 f7 d4 a6 4c 9f c1 ed e4 94 91 5c 1f 74 d2 5d 00 03 01 51 f4 b5 f8 c8 cf e7 8f db 96 d3 1a b5 b2 d2 24 55 85 48 4b 89 46 23 19 9c 3a 2f e6 a9 79 8f 47 50 51 1c d1 4d 0e d1 a6 e1 fe 69 7f 32 c8 pre master secret[48]: 03 01 51 f4 b5 f8 c8 cf e7 8f db 96 d3 1a b5 b2 d2 24 55 85 48 4b 89 46 23 19 9c 3a 2f e6 a9 79 8f 47 50 51 1c d1 4d 0e d1 a6 e1 fe 69 7f 32 c8 ssl_generate_keyring_material:PRF(pre_master_secret) pre master secret[48]: 03 01 51 f4 b5 f8 c8 cf e7 8f db 96 d3 1a b5 b2 d2 24 55 85 48 4b 89 46 23 19 9c 3a 2f e6 a9 79 8f 47 50 51 1c d1 4d 0e d1 a6 e1 fe 69 7f 32 c8 client random[32]: 4e ca e6 1c 90 58 cf 50 c9 45 fb b7 f9 fc 34 36 54 53 c5 9c 54 36 c8 c4 a4 bd 61 05 fe 5e f5 77 server random[32]: 50 2a 58 c7 b7 e2 66 00 8c b1 66 68 e3 c6 5f b6 1b db 6d bc 83 4b 4e 6f ca 39 d2 cc b0 24 81 c4 tls_prf: tls_hash(md5 secret_len 24 seed_len 77 ) tls_hash: hash secret[24]: 03 01 51 f4 b5 f8 c8 cf e7 8f db 96 d3 1a b5 b2 d2 24 55 85 48 4b 89 46 tls_hash: hash seed[77]: 6d 61 73 74 65 72 20 73 65 63 72 65 74 4e ca e6 1c 90 58 cf 50 c9 45 fb b7 f9 fc 34 36 54 53 c5 9c 54 36 c8 c4 a4 bd 61 05 fe 5e f5 77 50 2a 58 c7 b7 e2 66 00 8c b1 66 68 e3 c6 5f b6 1b db 6d bc 83 4b 4e 6f ca 39 d2 cc b0 24 81 c4 hash out[48]: df b8 de 0f a1 50 08 a3 0c 78 f5 10 67 e0 d4 ed 6c 53 89 99 1b 76 f7 62 a6 55 c8 da b6 bf e7 5b 09 6f 8e ff 90 8c 45 5e 72 96 d0 d4 9e fe a2 e0 tls_prf: tls_hash(sha) tls_hash: hash secret[24]: 23 19 9c 3a 2f e6 a9 79 8f 47 50 51 1c d1 4d 0e d1 a6 e1 fe 69 7f 32 c8 tls_hash: hash seed[77]: 6d 61 73 74 65 72 20 73 65 63 72 65 74 4e ca e6 1c 90 58 cf 50 c9 45 fb b7 f9 fc 34 36 54 53 c5 9c 54 36 c8 c4 a4 bd 61 05 fe 5e f5 77 50 2a 58 c7 b7 e2 66 00 8c b1 66 68 e3 c6 5f b6 1b db 6d bc 83 4b 4e 6f ca 39 d2 cc b0 24 81 c4 hash out[48]: 8a 99 cc a8 29 36 9e 06 4c 95 0c f3 b2 a0 16 19 96 5d 60 d2 f8 2d 46 bb 48 10 f8 4b 4f 93 63 4c d6 3b fd 72 a7 2a 1f 45 82 7c aa 40 4c ce 69 98 PRF out[48]: 55 21 12 a7 88 66 96 a5 40 ed f9 e3 d5 40 c2 f4 fa 0e e9 4b e3 5b b1 d9 ee 45 30 91 f9 2c 84 17 df 54 73 8d 37 a6 5a 1b f0 ea 7a 94 d2 30 cb 78 master secret[48]: 55 21 12 a7 88 66 96 a5 40 ed f9 e3 d5 40 c2 f4 fa 0e e9 4b e3 5b b1 d9 ee 45 30 91 f9 2c 84 17 df 54 73 8d 37 a6 5a 1b f0 ea 7a 94 d2 30 cb 78 ssl_generate_keyring_material sess key generation tls_prf: tls_hash(md5 secret_len 24 seed_len 77 ) tls_hash: hash secret[24]: 55 21 12 a7 88 66 96 a5 40 ed f9 e3 d5 40 c2 f4 fa 0e e9 4b e3 5b b1 d9 tls_hash: hash seed[77]: 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 50 2a 58 c7 b7 e2 66 00 8c b1 66 68 e3 c6 5f b6 1b db 6d bc 83 4b 4e 6f ca 39 d2 cc b0 24 81 c4 4e ca e6 1c 90 58 cf 50 c9 45 fb b7 f9 fc 34 36 54 53 c5 9c 54 36 c8 c4 a4 bd 61 05 fe 5e f5 77 hash out[64]: 85 19 05 4d 00 32 38 02 fd a7 18 7b 63 b6 72 58 4b 86 4c 98 28 c3 6b d6 f5 61 a1 92 46 b8 a8 65 34 44 10 96 e2 c5 6c b5 a2 f4 61 5e 68 f0 e6 5e e1 6f f4 18 4a 08 9a 48 34 11 78 21 f4 6f eb 62 tls_prf: tls_hash(sha) tls_hash: hash secret[24]: ee 45 30 91 f9 2c 84 17 df 54 73 8d 37 a6 5a 1b f0 ea 7a 94 d2 30 cb 78 tls_hash: hash seed[77]: 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 50 2a 58 c7 b7 e2 66 00 8c b1 66 68 e3 c6 5f b6 1b db 6d bc 83 4b 4e 6f ca 39 d2 cc b0 24 81 c4 4e ca e6 1c 90 58 cf 50 c9 45 fb b7 f9 fc 34 36 54 53 c5 9c 54 36 c8 c4 a4 bd 61 05 fe 5e f5 77 hash out[64]: a1 3e f6 ca 12 2e 1d 17 fe d0 8e 89 3a 75 17 24 6a 9b 50 8c 4d 54 d4 26 0c 58 32 a2 27 65 15 b1 17 a4 de cc f8 ac fb a0 e6 c1 0a ce 37 33 8a e1 ec 01 18 90 05 d1 4e 4e 15 76 9e a8 8b b3 0b 56 PRF out[64]: 24 27 f3 87 12 1c 25 15 03 77 96 f2 59 c3 65 7c 21 1d 1c 14 65 97 bf f0 f9 39 93 30 61 dd bd d4 23 e0 ce 5a 1a 69 97 15 44 35 6b 90 5f c3 6c bf 0d 6e ec 88 4f d9 d4 06 21 67 e6 89 7f dc e0 34 key expansion[64]: 24 27 f3 87 12 1c 25 15 03 77 96 f2 59 c3 65 7c 21 1d 1c 14 65 97 bf f0 f9 39 93 30 61 dd bd d4 23 e0 ce 5a 1a 69 97 15 44 35 6b 90 5f c3 6c bf 0d 6e ec 88 4f d9 d4 06 21 67 e6 89 7f dc e0 34 Client MAC key[16]: 24 27 f3 87 12 1c 25 15 03 77 96 f2 59 c3 65 7c Server MAC key[16]: 21 1d 1c 14 65 97 bf f0 f9 39 93 30 61 dd bd d4 Client Write key[16]: 23 e0 ce 5a 1a 69 97 15 44 35 6b 90 5f c3 6c bf Server Write key[16]: 0d 6e ec 88 4f d9 d4 06 21 67 e6 89 7f dc e0 34 Client Write IV[8]: 00 00 00 00 00 00 00 00 Server Write IV[8]: c0 d0 27 00 00 00 00 00 ssl_generate_keyring_material ssl_create_decoder(client) ssl_create_decoder CIPHER: ARCFOUR decoder initialized (digest len 16) ssl_generate_keyring_material ssl_create_decoder(server) ssl_create_decoder CIPHER: ARCFOUR decoder initialized (digest len 16) ssl_generate_keyring_material: client seq 0, server seq 0 ssl_save_session stored session id[32]: af dd 5f fb 98 29 74 f7 1c 0d 91 37 94 cd 95 8b ed 2e f0 b4 ea e0 5a 79 94 31 00 0e a0 e8 b0 89 ssl_save_session stored master secret[48]: 55 21 12 a7 88 66 96 a5 40 ed f9 e3 d5 40 c2 f4 fa 0e e9 4b e3 5b b1 d9 ee 45 30 91 f9 2c 84 17 df 54 73 8d 37 a6 5a 1b f0 ea 7a 94 d2 30 cb 78 dissect_ssl3_handshake session keys successfully generated record: offset = 139, reported_length_remaining = 43 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec packet_from_server: is from server - FALSE ssl_change_cipher CLIENT record: offset = 145, reported_length_remaining = 37 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 32, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 32 Ciphertext[32]: f3 cc a1 1f 1c 04 c3 04 43 19 84 42 33 8e 0d d4 77 46 27 74 1a 9c 53 7d 86 cb 79 f9 c5 7d 61 2d Plaintext[32]: 14 00 00 0c 07 14 6d 39 0a ad 54 2f af 9e f9 f8 9a c9 2a 7c 36 69 7d cd 29 bf c8 c0 b0 e5 43 23 checking mac (len 16, version 301, ct 22 seq 0) tls_check_mac mac type:MD5 md 1 Mac[16]: 9a c9 2a 7c 36 69 7d cd 29 bf c8 c0 b0 e5 43 23 ssl_decrypt_record: mac ok dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16

dissect_ssl enter frame #15 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 43 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec packet_from_server: is from server - TRUE ssl_change_cipher SERVER record: offset = 6, reported_length_remaining = 37 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 32, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder ssl_decrypt_record ciphertext len 32 Ciphertext[32]: 9c 2e 94 9e 40 17 8f 0c 32 d6 28 49 ee 0b b9 86 f7 f0 a3 d8 30 50 f2 50 3b 55 f0 1d d4 0d 25 8d Plaintext[32]: 14 00 00 0c 70 f7 4f f8 13 a2 cc 62 1e 14 d6 ad 84 9b 01 62 07 02 e7 a0 59 4f fe e2 7a 1a d3 8c checking mac (len 16, version 301, ct 22 seq 0) tls_check_mac mac type:MD5 md 1 Mac[16]: 84 9b 01 62 07 02 e7 a0 59 4f fe e2 7a 1a d3 8c ssl_decrypt_record: mac ok dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16

dissect_ssl enter frame #16 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 43 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec packet_from_server: is from server - TRUE ssl_change_cipher SERVER record: offset = 6, reported_length_remaining = 37 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 32, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 156 offset 11 length 3052702 bytes, remaining 43

dissect_ssl enter frame #18 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 513 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 508, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 508 Ciphertext[508]: f0 22 9a 0b ec 67 48 1e e9 45 85 8f 17 0c 40 6e d1 a6 58 9b 02 98 22 ba 76 d1 a7 b1 80 48 96 a5 0c 77 78 2c 62 74 20 40 80 ec 3a 6f d9 d5 02 20 35 8b eb 26 42 8a 6b 17 2d ae 55 59 61 83 48 6f f4 6d 45 9f d2 ab 1b e9 ca 90 86 3c d7 8c 04 45 1a 5b db d0 ec 3d a9 99 37 d9 d0 f0 6a 0e 3b e0 dc 2d a8 9f 43 31 a5 5f 16 90 68 17 82 c3 56 b4 fb cf 83 88 55 4e b0 15 ce c8 8b 26 97 b9 bc 3c 6a 1b e3 9d 3c 84 3d 39 ac 61 72 19 1e 69 1e 01 44 81 a1 b0 78 a5 4b b0 cb af 98 e6 da f9 4c f5 07 58 73 10 1e ca ff 9c 52 b9 04 91 0c d9 84 f5 94 e6 76 fd b3 19 19 ca b8 cd 79 92 8c 4d 60 6a da 03 66 d4 7f 80 73 45 45 f7 c1 52 4b 27 9e 8b 51 f4 0d 9c a3 e0 b2 49 81 0d 4e b0 16 d3 5f 2e e5 e9 7f 3a 2e a7 5f 5b 9b 52 08 96 9d 45 f0 73 70 4c 27 04 cd cc 61 9d 1d a0 e9 c3 59 09 d6 02 b0 7b f7 64 6c 98 77 f0 ec 2d 7b 1a b6 15 d2 b9 d3 47 ca 49 6a b7 11 f2 c9 14 93 ee 25 21 5d 06 37 fb b0 b0 72 36 2a 50 bb d3 42 9b 5c 60 91 20 16 92 3c 80 df 2e 53 a8 d4 ea 67 ac f2 f2 18 fe 90 0a fa f6 82 66 3d a3 68 0d 1f 8c 6c f9 1b c0 78 7f 1b db 9d 1b 9b 0f 67 a2 a8 ba 03 ac fe b7 3d 75 a4 46 fd d2 96 d0 2f c4 3a 5a 0e 13 a3 2a 30 a8 91 f9 b5 74 cf b4 62 5f f4 5f 19 46 d6 5a 17 fd 7b d6 83 08 69 d1 92 49 fd 83 f1 14 60 b6 cd e1 aa 4c 20 83 04 39 4a 23 db d0 ca 3b b6 8b 94 4d 9f 48 7c 60 18 f2 31 07 f1 9a cf 08 76 d0 73 ac 9c d6 f3 ac 26 67 62 6c 7d 12 6b 09 28 28 99 28 c0 5b 4d 13 a8 ad be fb 43 24 70 4f 1c 48 c5 91 b3 35 3b 74 fb 6b 98 fb df 0f ef 91 af 24 e9 22 a2 7a 1b 16 88 ac 9d 9a 85 f8 f3 23 d2 c7 18 f4 bd 31 e9 7f 02 6a d7 1a 18 9b ssl_decrypt_record: allocating 540 bytes for decrypt data (old len 32) Plaintext[508]: 52 45 47 49 53 54 45 52 20 73 69 70 3a 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 20 53 49 50 2f 32 2e 30 0d 0a 56 69 61 3a 20 53 49 50 2f 32 2e 30 2f 54 4c 53 20 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 62 72 61 6e 63 68 3d 7a 39 68 47 34 62 4b 36 33 33 32 32 31 36 33 30 0d 0a 46 72 6f 6d 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 31 32 37 39 38 38 34 36 30 36 0d 0a 54 6f 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 0d 0a 43 61 6c 6c 2d 49 44 3a 20 38 30 30 35 33 37 33 39 33 40 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 43 53 65 71 3a 20 31 20 52 45 47 49 53 54 45 52 0d 0a 43 6f 6e 74 61 63 74 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 74 72 61 6e 73 70 6f 72 74 3d 54 4c 53 3e 0d 0a 41 6c 6c 6f 77 3a 20 49 4e 56 49 54 45 2c 20 49 4e 46 4f 2c 20 50 52 41 43 4b 2c 20 41 43 4b 2c 20 42 59 45 2c 20 43 41 4e 43 45 4c 2c 20 4f 50 54 49 4f 4e 53 2c 20 4e 4f 54 49 46 59 2c 20 52 45 47 49 53 54 45 52 2c 20 53 55 42 53 43 52 49 42 45 2c 20 52 45 46 45 52 2c 20 50 55 42 4c 49 53 48 2c 20 55 50 44 41 54 45 2c 20 4d 45 53 53 41 47 45 0d 0a 4d 61 78 2d 46 6f 72 77 61 72 64 73 3a 20 37 30 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 59 65 61 6c 69 6e 6b 20 53 49 50 2d 54 32 38 50 20 32 2e 36 31 2e 30 2e 37 30 0d 0a 45 78 70 69 72 65 73 3a 20 36 30 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 0d 0a 8c 2f bf 4e df 16 d6 8f 3e b0 cb 65 72 52 e5 28 checking mac (len 492, version 301, ct 23 seq 1) tls_check_mac mac type:MD5 md 1 Mac[16]: 8c 2f bf 4e df 16 d6 8f 3e b0 cb 65 72 52 e5 28 ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 492, seq = 0, nxtseq = 492 association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 492 decrypted app data fragment: REGISTER sip:10.0.4.63:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK633221630

From: <sip:[email protected]:5061>;tag=1279884606

To: <sip:[email protected]:5061>

Call-ID: [email protected]

CSeq: 1 REGISTER

Contact: <sip:[email protected]:5062;transport=TLS>

Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Expires: 60

Content-Length: 0

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #19 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 523 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 518, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #20 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 523 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 518, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #22 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 677 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 672, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 672 Ciphertext[672]: 6e 67 b7 b4 af ed f2 e2 8e b7 f3 d2 f0 d6 2c 72 7f c8 06 23 e4 44 98 d0 5c d4 61 9d 8f 80 a5 9b ec d8 b0 65 f6 f6 67 8e 1b e0 87 d5 f7 ea eb 78 dd 3a d8 e1 e5 2d b3 df ed df 09 af 99 ab 5a be c7 d0 e9 6e 63 d5 cd 91 ef 30 9e 9d ce 2c d5 56 19 e2 98 a1 6e 15 0b ce 5f 40 ab dc 1b 48 8d 18 94 f6 6c 60 ea 1d fa 27 8b 89 e4 7f ed c2 3b 8c c3 3a 18 e5 88 7a ee 75 cf 7e cb 64 b4 73 a0 d5 11 a3 6a 4c 37 56 d3 04 a2 46 33 1e d0 b2 32 e3 e6 bc 47 be c1 39 bb ff d2 a0 d5 5c 02 f0 dd 97 c2 bc b6 ff 75 df 15 1d 8d 3b aa ab 43 e3 2e 20 44 4a 65 99 53 33 75 ce 6f 00 8c 8a 79 01 26 3f 59 f3 56 ce c7 a1 39 d5 8c 64 f0 c9 5f f3 55 29 ad be 1a 32 76 e5 da d8 d3 db 03 b5 17 de 9c e4 80 dc 17 8c 68 89 73 28 13 b0 92 48 4b e1 7d 91 23 24 c8 be 3e 4c c6 93 59 ff 8a 57 b4 54 66 3e a6 bd 93 c4 7d d8 60 1c 59 bb 24 f6 25 da 46 39 51 2f b7 cb 59 fe 85 76 6c 9a 14 b5 b4 ce 38 2e f1 33 99 e1 d0 5a eb 2d 7f cd a4 44 c4 20 de 7b c5 19 96 3f 35 94 22 9e 1c e3 b2 fc 36 86 08 95 a9 cf 07 d0 75 9a 7b f0 ee a8 f7 8f 47 a1 17 e3 50 46 21 04 56 a8 cb 04 e3 c5 a9 d2 f6 8c 0c e8 db 08 b8 d0 2d 4f fd ed 61 4a 5e 92 b1 ab 8d fc 4e 86 c5 94 95 36 13 59 e8 f6 5a c2 bd c2 20 c6 f5 74 e6 34 26 b1 fc 69 da 48 72 f2 23 4c 71 fc c0 af 12 f9 4a e6 dd c6 e8 a8 7f 67 90 52 c1 1e a2 bb 78 00 a8 44 36 4a c5 8b d7 97 50 ea f1 10 30 ac 88 99 4c a6 6d 0a 34 59 99 c8 cf 3e ff a0 e2 3f ea be 0a f9 05 fc c6 24 91 89 1a b1 a9 23 8e af 84 0c de 92 67 41 2c c6 86 05 bf 52 46 69 45 7e 63 61 0a 8c 3b c6 ed a2 40 b3 74 2e 34 ce 4f d0 41 84 49 29 2b 3a 63 1a 7e 38 40 04 f8 62 1a ea c5 08 e6 8a 2e 0b 0c 9a 10 f2 1a ff d6 52 5a 10 22 b8 40 18 cd 66 93 3e 42 f4 d6 43 d1 6a 9a 86 7f 93 f8 f1 f2 90 3f cc 92 a1 a5 ff 58 7d 1f 43 90 de 7f 32 bb 2d 3a bf 77 71 32 e3 63 46 ef 9e a6 99 d2 de 00 74 b8 f3 32 3e 57 af 1d b0 41 aa 70 fc b0 df e9 54 fc c9 a4 95 73 40 4f d9 2d ef c8 8b a9 f3 a0 d0 68 13 d6 f0 1d 26 bb 0a 3e e5 ed 82 40 b1 a4 95 db 2d 47 9e 5c 36 de 71 ef 2f 56 9a 95 a6 65 aa 6b ab c7 3e b1 35 5d fe 77 e0 6c 68 c7 87 64 82 4b a7 24 17 5a af 64 2d ssl_decrypt_record: allocating 704 bytes for decrypt data (old len 540) Plaintext[672]: 52 45 47 49 53 54 45 52 20 73 69 70 3a 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 20 53 49 50 2f 32 2e 30 0d 0a 56 69 61 3a 20 53 49 50 2f 32 2e 30 2f 54 4c 53 20 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 62 72 61 6e 63 68 3d 7a 39 68 47 34 62 4b 31 38 34 37 32 38 33 38 38 30 0d 0a 46 72 6f 6d 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 31 32 37 39 38 38 34 36 30 36 0d 0a 54 6f 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 0d 0a 43 61 6c 6c 2d 49 44 3a 20 38 30 30 35 33 37 33 39 33 40 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 43 53 65 71 3a 20 32 20 52 45 47 49 53 54 45 52 0d 0a 43 6f 6e 74 61 63 74 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 74 72 61 6e 73 70 6f 72 74 3d 54 4c 53 3e 0d 0a 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 20 44 69 67 65 73 74 20 75 73 65 72 6e 61 6d 65 3d 22 74 65 73 74 30 30 31 22 2c 20 72 65 61 6c 6d 3d 22 43 61 6c 6c 2d 65 58 22 2c 20 6e 6f 6e 63 65 3d 22 31 33 35 36 61 37 37 62 22 2c 20 75 72 69 3d 22 73 69 70 3a 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 22 2c 20 72 65 73 70 6f 6e 73 65 3d 22 37 31 31 38 65 39 32 32 38 62 65 62 32 37 31 33 34 35 61 30 66 65 32 62 63 38 61 64 32 33 33 32 22 2c 20 61 6c 67 6f 72 69 74 68 6d 3d 4d 44 35 0d 0a 41 6c 6c 6f 77 3a 20 49 4e 56 49 54 45 2c 20 49 4e 46 4f 2c 20 50 52 41 43 4b 2c 20 41 43 4b 2c 20 42 59 45 2c 20 43 41 4e 43 45 4c 2c 20 4f 50 54 49 4f 4e 53 2c 20 4e 4f 54 49 46 59 2c 20 52 45 47 49 53 54 45 52 2c 20 53 55 42 53 43 52 49 42 45 2c 20 52 45 46 45 52 2c 20 50 55 42 4c 49 53 48 2c 20 55 50 44 41 54 45 2c 20 4d 45 53 53 41 47 45 0d 0a 4d 61 78 2d 46 6f 72 77 61 72 64 73 3a 20 37 30 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 59 65 61 6c 69 6e 6b 20 53 49 50 2d 54 32 38 50 20 32 2e 36 31 2e 30 2e 37 30 0d 0a 45 78 70 69 72 65 73 3a 20 36 30 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 0d 0a 0a 53 eb b7 50 8b 49 11 01 51 1b f2 75 b5 2a 2f checking mac (len 656, version 301, ct 23 seq 2) tls_check_mac mac type:MD5 md 1 Mac[16]: 0a 53 eb b7 50 8b 49 11 01 51 1b f2 75 b5 2a 2f ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 656, seq = 492, nxtseq = 1148 association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 656 decrypted app data fragment: REGISTER sip:10.0.4.63:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK1847283880

From: <sip:[email protected]:5061>;tag=1279884606

To: <sip:[email protected]:5061>

Call-ID: [email protected]

CSeq: 2 REGISTER

Contact: <sip:[email protected]:5062;transport=TLS>

Authorization: Digest username="test001", realm="Call-eX", nonce="1356a77b", uri="sip:10.0.4.63:5061", response="7118e9228beb271345a0fe2bc8ad2332", algorithm=MD5

Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Expires: 60

Content-Length: 0

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #23 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 554 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 549, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #24 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 554 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 549, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #26 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 904 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 899, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 899 Ciphertext[899]: 2a c5 1c f1 2e d6 04 fc e9 c3 2b b0 a1 ee 76 bf 48 d3 84 a0 8f 32 e4 bb 5e 66 93 20 eb c8 78 3a 68 95 45 77 20 66 5c b0 c3 2c 33 fb a9 a1 18 18 60 8d cd ee 47 8d 5d 4e 98 c7 9f 56 cb f9 63 06 fb 99 b2 28 60 bc ee 7f 58 ee bd 0a f9 7b 0c ef 06 77 b3 94 f1 dd 68 2d 96 9f 37 b3 d5 6d 13 5e 3b 47 8e ab 40 e5 da 71 27 d1 05 90 70 fb e4 4a 04 0b 35 4c 40 f2 32 89 9b ef 98 2c d3 5b 52 5d 5d 7f 2b b2 8c 45 cb 5c 29 28 e7 21 0e 76 13 18 90 18 ba 0e af 21 52 eb 3c f0 c2 1f ec 90 4e 9d 8f c6 e9 58 05 3a 17 30 0d d4 a3 32 74 15 78 f2 18 19 dc 96 8b 51 97 8f b0 ab c9 4d 31 1f 7e 82 9a d5 a8 ac 49 e6 2e 97 e6 14 43 ec 6b 58 ba ab 82 ff 7a 65 f6 3a 1d 33 bd ee be cb dc 04 46 97 92 2a 33 c7 40 78 db a8 6e 14 ba b5 20 dd 84 c8 61 cc 59 7d 47 f8 6e 35 50 c5 8a ff fa cd 0e 24 e4 6e ca f8 b5 fb 05 7f 01 22 c1 7d 8c 11 4b b2 b5 06 60 03 05 78 7a 3b 29 be 94 dc b8 c9 58 fd 28 cb 31 0e 73 63 d7 85 da a2 59 e5 a0 6c 04 fc a9 77 ee 41 11 f3 df ad ae c0 3c 06 54 3c 0d 91 94 a3 12 06 53 81 a4 c0 82 c8 6d f4 4f eb 5d 6a e3 cf fd 7b 27 1c 8b bc ea 5a 74 ae b8 17 21 5d a7 10 5c 25 cc 74 fb ad 44 bb 3c e5 0e 79 fd f9 4e 38 0f 38 b1 79 be 33 4d fe 91 ab 2b e2 0a f1 d0 ac 02 84 f7 9d 51 40 09 b6 51 17 f0 82 1c 74 75 02 27 f8 84 b0 7e 11 2d 50 02 10 a3 ce 03 73 63 c4 6d 12 2a d9 c5 a4 6f 4c 08 f4 63 f9 04 82 26 af 11 e4 14 dc 47 e4 be 99 9c eb 56 59 97 c5 70 d2 cd 0b 62 9d 15 5b 71 52 67 2f 76 2f b3 52 1e 40 80 5a 7f 00 f5 b5 c9 7a 9f 31 f3 ca 58 62 ca 31 34 93 5d 82 e7 2b 7e 9f 21 57 56 5c bc 2f 0a 09 a8 5b bf 5a c3 c8 f4 ad eb d5 87 fa c3 3e 36 82 65 43 30 99 51 43 60 44 62 7d 21 5c 0c 0a 8b 62 84 20 7c 01 af 3d 57 55 8d d0 d9 09 e5 78 03 2f 1d 73 c3 df 44 69 b9 29 72 a2 e0 44 d5 a9 44 30 3d d8 2b 64 30 c8 07 f3 11 63 50 49 b8 76 5a 97 19 42 a4 fe d7 e1 f4 09 67 20 cb 87 67 03 f3 f6 61 24 40 34 46 78 17 7a a8 53 97 35 9b ef 35 93 cd 89 f1 7b 94 c4 68 01 87 d4 f8 81 95 af c0 0d 42 d2 c6 8e e7 23 e7 96 99 29 dc 86 27 1e c6 3e 37 e1 f7 02 39 d3 22 a8 08 30 11 03 c0 91 1e 12 4d ff 1f eb 8b ad 46 11 ac e0 f6 08 b4 e1 cb f9 e4 71 1e b9 7b 1e 8e 57 7e 64 af 8a dc e4 69 58 c8 70 43 46 ae bc 6f d1 6e 83 39 61 a1 7b 47 f2 7c 76 0e 23 06 b9 3c 6c 37 fa 55 fe cc ae cc 89 f3 48 be 61 18 53 0a 5c 01 86 9b 1e f1 f4 60 fb 66 84 75 df 2e 37 9a 13 af 8f 26 87 91 38 79 36 18 8a f4 2d 0d 0a 9e 1f 6f 96 6f 14 ca f0 64 3e 02 0b b5 73 41 3d 50 38 60 ba 0d df a6 fe a1 88 ca 99 a6 22 6a 34 64 0d 43 c4 b9 7b c3 f8 5f 31 a3 35 2b 95 81 ce f5 b3 a4 af 43 9c c8 48 6a 88 ec dd 4c 98 01 89 43 53 34 69 b3 33 ad 1f d4 02 7a 95 ed c5 84 77 a0 67 f1 61 4d 32 d9 13 e5 52 aa e2 b4 74 6b 62 44 3c 89 4b 59 8b f7 28 0b 67 d8 ea d9 0a 30 67 c7 02 69 64 18 80 4a 54 06 e3 49 b4 3b 15 24 92 fd 51 f0 67 14 5c 2b ac c8 ba 3a ssl_decrypt_record: allocating 931 bytes for decrypt data (old len 704) Plaintext[899]: 49 4e 56 49 54 45 20 73 69 70 3a 31 32 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 20 53 49 50 2f 32 2e 30 0d 0a 56 69 61 3a 20 53 49 50 2f 32 2e 30 2f 54 4c 53 20 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 62 72 61 6e 63 68 3d 7a 39 68 47 34 62 4b 31 39 39 35 33 39 37 39 38 30 0d 0a 46 72 6f 6d 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 36 30 37 34 39 31 33 32 39 0d 0a 54 6f 3a 20 3c 73 69 70 3a 31 32 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 0d 0a 43 61 6c 6c 2d 49 44 3a 20 31 30 37 31 31 32 39 39 35 31 40 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 43 53 65 71 3a 20 31 20 49 4e 56 49 54 45 0d 0a 43 6f 6e 74 61 63 74 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 74 72 61 6e 73 70 6f 72 74 3d 54 4c 53 3e 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 73 64 70 0d 0a 41 6c 6c 6f 77 3a 20 49 4e 56 49 54 45 2c 20 49 4e 46 4f 2c 20 50 52 41 43 4b 2c 20 41 43 4b 2c 20 42 59 45 2c 20 43 41 4e 43 45 4c 2c 20 4f 50 54 49 4f 4e 53 2c 20 4e 4f 54 49 46 59 2c 20 52 45 47 49 53 54 45 52 2c 20 53 55 42 53 43 52 49 42 45 2c 20 52 45 46 45 52 2c 20 50 55 42 4c 49 53 48 2c 20 55 50 44 41 54 45 2c 20 4d 45 53 53 41 47 45 0d 0a 4d 61 78 2d 46 6f 72 77 61 72 64 73 3a 20 37 30 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 59 65 61 6c 69 6e 6b 20 53 49 50 2d 54 32 38 50 20 32 2e 36 31 2e 30 2e 37 30 0d 0a 53 75 70 70 6f 72 74 65 64 3a 20 72 65 70 6c 61 63 65 73 0d 0a 41 6c 6c 6f 77 2d 45 76 65 6e 74 73 3a 20 74 61 6c 6b 2c 68 6f 6c 64 2c 63 6f 6e 66 65 72 65 6e 63 65 2c 72 65 66 65 72 2c 63 68 65 63 6b 2d 73 79 6e 63 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 33 30 32 0d 0a 0d 0a 76 3d 30 0d 0a 6f 3d 2d 20 32 30 30 30 30 20 32 30 30 30 30 20 49 4e 20 49 50 34 20 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 73 3d 53 44 50 20 64 61 74 61 0d 0a 63 3d 49 4e 20 49 50 34 20 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 74 3d 30 20 30 0d 0a 6d 3d 61 75 64 69 6f 20 31 31 37 38 30 20 52 54 50 2f 41 56 50 20 30 20 38 20 31 38 20 39 20 31 30 31 0d 0a 61 3d 72 74 70 6d 61 70 3a 30 20 50 43 4d 55 2f 38 30 30 30 0d 0a 61 3d 72 74 70 6d 61 70 3a 38 20 50 43 4d 41 2f 38 30 30 30 0d 0a 61 3d 72 74 70 6d 61 70 3a 31 38 20 47 37 32 39 2f 38 30 30 30 0d 0a 61 3d 66 6d 74 70 3a 31 38 20 61 6e 6e 65 78 62 3d 6e 6f 0d 0a 61 3d 72 74 70 6d 61 70 3a 39 20 47 37 32 32 2f 38 30 30 30 0d 0a 61 3d 66 6d 74 70 3a 31 30 31 20 30 2d 31 35 0d 0a 61 3d 72 74 70 6d 61 70 3a 31 30 31 20 74 65 6c 65 70 68 6f 6e 65 2d 65 76 65 6e 74 2f 38 30 30 30 0d 0a 61 3d 70 74 69 6d 65 3a 32 30 0d 0a 61 3d 73 65 6e 64 72 65 63 76 0d 0a 10 69 30 60 1b 65 e5 22 93 1f ce 8f 46 28 01 a0 checking mac (len 883, version 301, ct 23 seq 3) tls_check_mac mac type:MD5 md 1 Mac[16]: 10 69 30 60 1b 65 e5 22 93 1f ce 8f 46 28 01 a0 ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 883, seq = 1148, nxtseq = 2031 association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 883 decrypted app data fragment: INVITE sip:[email protected]:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK1995397980

From: <sip:[email protected]:5061>;tag=607491329

To: <sip:[email protected]:5061>

Call-ID: [email protected]

CSeq: 1 INVITE

Contact: <sip:[email protected]:5062;transport=TLS>

Content-Type: application/sdp

Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Supported: replaces

Allow-Events: talk,hold,conference,refer,check-sync

Content-Length: 302

v=0

o=- 20000 20000 IN IP4 10.0.0.172

s=SDP data

c=IN IP4 10.0.0.172

t=0 0

m=audio 11780 RTP/AVP 0 8 18 9 101

a=rtpmap:0 PCMU/8000

a=rtpmap:8 PCMA/8000

a=rtpmap:18 G729/8000

a=fmtp:18 annexb=no

a=rtpmap:9 G722/8000

a=fmtp:101 0-15

a=rtpmap:101 telephone-event/8000

a=ptime:20

a=sendrecv

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #27 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 517 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 512, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #28 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 517 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 512, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #30 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 275 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 270, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 270 Ciphertext[270]: 13 9f d1 a9 be bb c9 d3 40 1b ab 82 25 09 19 5c a4 18 2f c4 26 f3 44 5c b2 32 50 9c 52 67 9d c9 a5 19 41 4e dd b5 05 ec 55 da ba 7f 84 b6 17 a7 87 03 12 5e f8 13 a4 c4 fa 61 f4 91 14 f7 74 e8 22 00 7f 5c 93 d5 a7 a7 15 fc 0b 00 6e 68 1d 59 f7 e0 a2 26 78 05 15 d9 5e 26 62 67 1d b2 73 82 88 4d 4f c6 59 a3 32 c0 6a 80 31 b9 af 92 1d da 29 b4 4e ad f8 bc 8a 31 f6 3a 12 05 6f 2d a3 4e a2 38 f1 83 9d 8c f8 01 a0 40 cd e2 53 af 8f 44 57 e3 9e 24 bb 72 68 ac 6d 95 41 18 c4 a7 70 d0 32 98 af 49 97 42 08 d2 ea d7 95 81 1a 6f c1 76 f3 47 a4 77 11 b6 99 9c aa 90 2d f6 03 99 8c 4b 29 a7 df c6 1e fb e6 85 09 7d 0f 42 55 2a 0e 16 bd fd b6 fa eb 06 77 bc e9 5c ed 2b ca 50 9b 10 dc 83 02 b7 30 a8 96 d9 08 f8 45 83 09 5d 75 a4 ce 42 6e 8b 5f 99 60 40 5e 78 94 df 09 6f e5 08 e7 30 92 f0 dc 92 dc 48 c8 8d ba 1e b4 53 Plaintext[270]: 41 43 4b 20 73 69 70 3a 31 32 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 20 53 49 50 2f 32 2e 30 0d 0a 56 69 61 3a 20 53 49 50 2f 32 2e 30 2f 54 4c 53 20 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 62 72 61 6e 63 68 3d 7a 39 68 47 34 62 4b 31 39 39 35 33 39 37 39 38 30 0d 0a 46 72 6f 6d 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 36 30 37 34 39 31 33 32 39 0d 0a 54 6f 3a 20 3c 73 69 70 3a 31 32 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 61 73 35 38 31 38 30 32 35 63 0d 0a 43 61 6c 6c 2d 49 44 3a 20 31 30 37 31 31 32 39 39 35 31 40 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 43 53 65 71 3a 20 31 20 41 43 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 0d 0a e9 24 cb 24 90 ab ce 06 e4 77 f9 01 3e 49 59 02 checking mac (len 254, version 301, ct 23 seq 4) tls_check_mac mac type:MD5 md 1 Mac[16]: e9 24 cb 24 90 ab ce 06 e4 77 f9 01 3e 49 59 02 ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 254, seq = 2031, nxtseq = 2285 association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 254 decrypted app data fragment: ACK sip:[email protected]:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK1995397980

From: <sip:[email protected]:5061>;tag=607491329

To: <sip:[email protected]:5061>;tag=as5818025c

Call-ID: [email protected]

CSeq: 1 ACK

Content-Length: 0

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #33 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 1070 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 1065, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 1065 Ciphertext[1065]: af ec ba 53 3b a6 5c 51 6d b5 35 6b 35 14 cc a2 c9 04 ab 47 2c 34 73 d5 eb 71 d6 56 bb 40 df ca 72 26 fa 13 ce cd 33 e7 b2 a0 81 ad bc df 88 43 82 06 5a 05 d7 1d 01 cc 5c bc de 42 43 2c 66 53 fd b1 69 36 db d4 f6 c8 6d fe 28 fb d6 a2 6e 4a 92 c1 f7 28 f0 4a 73 5a 26 85 51 af 1c 94 0a 1f 1c b1 e5 98 c0 d8 f7 79 0c 4e 05 5b 39 a9 08 b4 ed 22 94 47 70 d7 ea 8c 22 c9 92 26 f5 af b6 1f db 1a 6f 90 28 1a db 97 43 fb de f5 df 66 02 5d d0 ae 99 e2 32 8c 60 57 b9 41 f3 56 f8 db cc 17 cb 48 3d cc 18 40 c8 11 57 8d 71 ca 21 08 ef eb da 7b ea 32 a2 8b c3 bd be 2b 79 f2 55 4a 34 e9 ee 8a ca 95 32 32 96 d6 c9 4d 5d 88 cb 59 f7 95 68 5c fa 0c f1 1d fb 95 46 8c 7e b3 43 9e 25 27 c0 7b 4e 6b 82 96 07 7c 76 b5 a2 49 41 66 f6 e0 04 ca 88 6b 36 78 15 89 cb 00 14 a3 ec e1 b6 80 89 9a dd 65 37 9f e0 41 b9 6c 00 e5 76 65 d1 ae 78 9b dd 36 93 7a c5 6f ad 96 f9 fa 54 98 3d 4a a0 57 b7 d1 93 28 b6 b1 50 ea 67 87 56 70 f0 9f 36 c2 44 fe 94 e8 b4 69 a9 70 f0 14 6f 03 8a 9a 37 29 24 17 04 a6 83 bf ee 37 89 ca 64 f3 b6 ea 8d aa 4e 28 ba d4 7b 98 0f 95 1b d8 3c ae aa 7c b4 20 b4 b8 96 c1 a8 84 c7 85 2b 48 6b e2 3a fa d6 3b e0 7d ef f7 e9 79 ca 7c 31 c6 09 5a db 80 01 8c da 6c 10 cd 40 e6 8c 18 fe d1 42 8a 91 7c c7 8c 70 68 5b f9 2f e9 81 5a 75 78 c8 14 0a ed be a4 16 da 68 8b 52 1b 37 83 d1 ba 28 f5 82 f7 ee 01 d5 41 2e a6 15 ae 67 cf 17 ca ec 78 73 c9 3f 7e 3c 25 bc 60 1a 28 0e e1 9c 3d 53 05 aa b3 7e 17 c1 f9 c5 f9 62 cf bc bd 9a e8 81 21 10 e2 2e 22 80 67 da bb 71 10 05 c0 a4 cc 3b 52 86 6b 85 40 d7 44 9f 1c eb a2 aa 03 b6 98 44 6b 42 29 fe 85 9c 77 22 06 ff 81 1d 5a b8 ac 0f 9a 65 39 1f 01 02 54 0f f1 eb 83 a1 d6 47 d8 77 59 a6 ff 38 ec 4b 55 87 58 0f ac d9 af 33 cf 0a a0 d7 07 68 2d 69 e1 84 96 41 ed 38 34 a9 4d 20 32 d3 cd 39 09 7d bd 67 87 c4 4a d7 d9 79 0f f2 22 ba 06 dd e3 00 fa f7 9c cd 3a 31 36 5d c0 e2 e4 ce d2 5d 10 f3 08 a9 8b 11 78 ee a7 92 85 27 e3 c8 db 00 f3 b6 a7 9c 07 d4 cd b0 ef 31 19 bc 50 32 18 fe d6 9b 4e 9d e3 c0 90 15 ba 30 05 8c 93 8f 38 01 96 a8 ca aa 3d d0 5b c0 91 69 24 c8 9c 58 8c 47 b5 f6 4a af d2 f4 bd b1 b1 1f 59 52 7b e0 bd e4 a0 75 a6 15 6f 3c 8a b3 2b 8f 52 38 f1 be 0c 35 3d 92 29 93 4d 69 be 7b e8 dc c8 1e b4 e4 b8 23 dd 2c a3 85 99 16 d1 4c be 88 fe 4c 95 db 92 00 ae 57 7a f6 49 b2 cb 5f f4 0d ca 35 10 d5 71 dc ca 24 98 7a 01 8f 6f 19 54 54 34 e1 b2 14 d7 6a 7b 90 cd 1d b2 9a fd 48 bd 36 93 53 56 9b 2a 38 ea 37 52 ab 82 87 17 15 4a 52 eb 69 80 ae 7c 30 68 c8 20 c7 76 43 a6 e1 c9 bb 6e 38 11 23 63 fb 6b 22 24 3f 63 97 31 d2 fe a4 07 4d 68 d8 96 d7 38 60 f4 65 b0 c6 5c 91 23 22 04 39 d8 f7 dc 3f a0 28 65 ce d8 f7 41 90 02 2d 99 5c 6f 29 71 cd fb a9 d5 73 13 c8 32 6f 8f dc 74 ec e3 ff 1c 8f 70 f5 3a 86 4d 9f bd 6e 05 9e da 52 0b b0 7d bc 96 5f 29 2c 7f 04 ad 61 2e 17 59 5f ff 7f fc 3f 42 94 49 f7 d5 71 84 10 46 43 ed 8a e9 3c e9 d7 a9 61 67 97 e5 0a 3e b6 02 44 3f 7f 1b 91 5a af 1a e1 3f 16 08 51 7c e2 70 48 67 6d f5 4d d5 2d 60 07 2c bd 75 ff 06 e3 f0 df bd 22 0d 48 14 fb d5 a3 c3 d2 9b 05 f8 db 2a f7 51 48 ad 2c d3 a9 aa 2a 06 16 3c d6 0a 76 02 93 f0 57 05 6f eb 4c ce 3e dc 11 50 c3 ea f1 e2 e4 35 94 29 97 22 06 e8 aa 82 27 43 de e2 4c 9a 41 8e e5 23 cd 31 e6 cf b9 a1 dc 30 92 d9 95 4a b6 e8 05 fd 0a 4a c2 43 62 c6 b6 bf 2c f1 df ssl_decrypt_record: allocating 1097 bytes for decrypt data (old len 931) Plaintext[1065]: 49 4e 56 49 54 45 20 73 69 70 3a 31 32 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 20 53 49 50 2f 32 2e 30 0d 0a 56 69 61 3a 20 53 49 50 2f 32 2e 30 2f 54 4c 53 20 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 62 72 61 6e 63 68 3d 7a 39 68 47 34 62 4b 31 38 31 31 34 35 38 35 35 38 0d 0a 46 72 6f 6d 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 36 30 37 34 39 31 33 32 39 0d 0a 54 6f 3a 20 3c 73 69 70 3a 31 32 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 0d 0a 43 61 6c 6c 2d 49 44 3a 20 31 30 37 31 31 32 39 39 35 31 40 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 43 53 65 71 3a 20 32 20 49 4e 56 49 54 45 0d 0a 43 6f 6e 74 61 63 74 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 74 72 61 6e 73 70 6f 72 74 3d 54 4c 53 3e 0d 0a 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 20 44 69 67 65 73 74 20 75 73 65 72 6e 61 6d 65 3d 22 74 65 73 74 30 30 31 22 2c 20 72 65 61 6c 6d 3d 22 43 61 6c 6c 2d 65 58 22 2c 20 6e 6f 6e 63 65 3d 22 35 33 61 34 61 36 34 39 22 2c 20 75 72 69 3d 22 73 69 70 3a 31 32 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 22 2c 20 72 65 73 70 6f 6e 73 65 3d 22 34 35 38 61 31 32 38 63 31 30 30 63 32 61 31 34 36 37 65 37 61 36 35 63 34 66 30 62 66 63 35 62 22 2c 20 61 6c 67 6f 72 69 74 68 6d 3d 4d 44 35 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 73 64 70 0d 0a 41 6c 6c 6f 77 3a 20 49 4e 56 49 54 45 2c 20 49 4e 46 4f 2c 20 50 52 41 43 4b 2c 20 41 43 4b 2c 20 42 59 45 2c 20 43 41 4e 43 45 4c 2c 20 4f 50 54 49 4f 4e 53 2c 20 4e 4f 54 49 46 59 2c 20 52 45 47 49 53 54 45 52 2c 20 53 55 42 53 43 52 49 42 45 2c 20 52 45 46 45 52 2c 20 50 55 42 4c 49 53 48 2c 20 55 50 44 41 54 45 2c 20 4d 45 53 53 41 47 45 0d 0a 4d 61 78 2d 46 6f 72 77 61 72 64 73 3a 20 37 30 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 59 65 61 6c 69 6e 6b 20 53 49 50 2d 54 32 38 50 20 32 2e 36 31 2e 30 2e 37 30 0d 0a 53 75 70 70 6f 72 74 65 64 3a 20 72 65 70 6c 61 63 65 73 0d 0a 41 6c 6c 6f 77 2d 45 76 65 6e 74 73 3a 20 74 61 6c 6b 2c 68 6f 6c 64 2c 63 6f 6e 66 65 72 65 6e 63 65 2c 72 65 66 65 72 2c 63 68 65 63 6b 2d 73 79 6e 63 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 33 30 32 0d 0a 0d 0a 76 3d 30 0d 0a 6f 3d 2d 20 32 30 30 30 30 20 32 30 30 30 30 20 49 4e 20 49 50 34 20 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 73 3d 53 44 50 20 64 61 74 61 0d 0a 63 3d 49 4e 20 49 50 34 20 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 74 3d 30 20 30 0d 0a 6d 3d 61 75 64 69 6f 20 31 31 37 38 30 20 52 54 50 2f 41 56 50 20 30 20 38 20 31 38 20 39 20 31 30 31 0d 0a 61 3d 72 74 70 6d 61 70 3a 30 20 50 43 4d 55 2f 38 30 30 30 0d 0a 61 3d 72 74 70 6d 61 70 3a 38 20 50 43 4d 41 2f 38 30 30 30 0d 0a 61 3d 72 74 70 6d 61 70 3a 31 38 20 47 37 32 39 2f 38 30 30 30 0d 0a 61 3d 66 6d 74 70 3a 31 38 20 61 6e 6e 65 78 62 3d 6e 6f 0d 0a 61 3d 72 74 70 6d 61 70 3a 39 20 47 37 32 32 2f 38 30 30 30 0d 0a 61 3d 66 6d 74 70 3a 31 30 31 20 30 2d 31 35 0d 0a 61 3d 72 74 70 6d 61 70 3a 31 30 31 20 74 65 6c 65 70 68 6f 6e 65 2d 65 76 65 6e 74 2f 38 30 30 30 0d 0a 61 3d 70 74 69 6d 65 3a 32 30 0d 0a 61 3d 73 65 6e 64 72 65 63 76 0d 0a a9 eb bd 38 80 79 97 4f a3 d5 9c 57 e3 df 03 9a checking mac (len 1049, version 301, ct 23 seq 5) tls_check_mac mac type:MD5 md 1 Mac[16]: a9 eb bd 38 80 79 97 4f a3 d5 9c 57 e3 df 03 9a ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 1049, seq = 2285, nxtseq = 3334 association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 1049 decrypted app data fragment: INVITE sip:[email protected]:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK1811458558

From: <sip:[email protected]:5061>;tag=607491329

To: <sip:[email protected]:5061>

Call-ID: [email protected]

CSeq: 2 INVITE

Contact: <sip:[email protected]:5062;transport=TLS>

Authorization: Digest username="test001", realm="Call-eX", nonce="53a4a649", uri="sip:[email protected]:5061", response="458a128c100c2a1467e7a65c4f0bfc5b", algorithm=MD5

Content-Type: application/sdp

Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Supported: replaces

Allow-Events: talk,hold,conference,refer,check-sync

Content-Length: 302

v=0

o=- 20000 20000 IN IP4 10.0.0.172

s=SDP data

c=IN IP4 10.0.0.172

t=0 0

m=audio 11780 RTP/AVP 0 8 18 9 101

a=rtpmap:0 PCMU/8000

a=rtpmap:8 PCMA/8000

a=rtpmap:18 G729/8000

a=fmtp:18 annexb=no

a=rtpmap:9 G722/8000

a=fmtp:101 0-15

a=rtpmap:101 telephone-event/8000

a=ptime:20

a=sendrecv

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #36 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 469 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 464, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #37 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 469 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 464, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #39 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 485 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 480, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #40 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 485 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 480, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #42 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 675 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 670, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 670 Ciphertext[670]: 5f f9 62 c0 eb c7 e4 26 bc 27 bf 3b c4 7d 72 97 ab 31 07 46 56 fb 67 db 5e 1d 90 1c ab 70 b1 5a ba 79 8b 74 02 39 69 81 87 f5 96 e9 3b 18 1c 1c ca cd db fc ea 7d 0d c2 e3 08 23 2c 17 0b b2 34 02 95 d0 f0 38 4e 54 f6 2d 9c 8e c5 f7 78 e7 51 ca 44 24 ef 68 4a 34 8d b2 3b 26 d5 b2 72 71 9c 40 a0 2b 17 28 1a bd 5c 9f 91 d8 03 4c 73 d7 eb 75 1e 52 14 bc af 6b 45 67 41 d4 a5 df 54 67 de f2 8f 86 6f dc b5 50 8a c9 b2 aa 8d 88 b5 79 21 57 91 a9 58 1d 29 8e 2a a1 92 34 10 b4 a8 b3 7e b6 89 bf 06 69 0d b1 1e ec 9a e0 00 a0 a4 fd 25 a1 a5 48 8b 7b 03 a6 5f 5a f3 40 52 e5 04 82 0f 5d e3 61 af 45 17 95 5b 03 0d 31 29 1d 42 7e 41 33 ed 5a 34 68 c0 1d 02 c1 80 b5 73 04 1c 71 d0 a7 c3 ab 8b a9 c4 56 67 2b 6c 25 6c dc 2c 23 fa 8d 69 17 e8 75 fe 0f c0 a0 8c fb a2 88 de d8 1f 63 2a 7f 73 87 5a 14 ab 5f cd f0 53 1c cd 35 fb d1 c9 1d 15 59 26 b1 7d c3 ce 8d ef a5 5b 7e f2 1b e8 77 31 58 41 c0 37 e8 37 b2 cc ac d3 92 e6 ec 18 df df b0 53 bc 2d d3 a2 2c 0f c1 25 32 25 ff 83 a6 f5 54 0a ca b7 9f 0e fe 2d 68 fa be 33 b9 37 09 0c 40 00 c2 b3 9d f3 19 c9 3b cd 7c 17 0b af c8 69 e0 eb 5f 9e ad e7 31 4b 1c d7 24 31 64 22 20 08 5c 83 f0 aa f1 a1 94 25 03 9c 29 20 9d 1e cd c4 ea 85 38 a6 f8 91 e8 3e c6 60 fa 7c 04 88 6c d2 d4 db 65 ed 8c bc c2 d3 e4 db 8a ba c6 b2 a8 3b 74 2c 03 d5 f5 f5 c6 a7 04 de ef a7 82 41 45 53 ec 4f 73 55 e1 ab 9e aa c6 86 68 8f 1a 0f 6e 81 09 f1 41 d4 f1 54 39 93 63 76 2f b8 6f ae 6f d0 79 53 8c 83 f6 0d 66 b0 ef 25 b0 3d f3 67 46 ed 3e 49 36 dc 05 e8 05 7c 08 6a 04 6d e0 74 72 7c 54 15 d5 cf 8c a4 25 4b 6e 24 c9 13 15 c2 3e 73 c3 39 51 c0 58 35 8a 28 8f c8 68 ce 35 9d 36 20 53 1b ed f9 1d ae 20 32 f8 ee 70 51 b2 74 db ac 0c f0 ae db 64 9d cd 67 e9 56 f4 97 65 38 4d 30 30 31 67 9f 96 d9 d0 92 2a 2d 25 03 a3 87 dc 74 80 2d 7d 3f 98 f8 6e c8 e4 3f 01 de 8a ce 84 8a 45 c6 77 53 04 92 bc 7b 84 08 82 c2 2a ab 83 cf f1 a3 67 87 54 2f 2d 50 37 fb ad 46 20 6f 60 ad 2c b9 2a 97 a9 5a 61 8f 7b ff 37 76 f3 1f 7c ce 10 e6 91 52 9e 28 73 b4 3d 49 4f f9 2f 49 af 4d 34 40 e6 c6 64 d5 3f ac b3 69 Plaintext[670]: 52 45 47 49 53 54 45 52 20 73 69 70 3a 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 20 53 49 50 2f 32 2e 30 0d 0a 56 69 61 3a 20 53 49 50 2f 32 2e 30 2f 54 4c 53 20 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 62 72 61 6e 63 68 3d 7a 39 68 47 34 62 4b 38 34 36 38 31 39 33 34 0d 0a 46 72 6f 6d 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 31 32 37 39 38 38 34 36 30 36 0d 0a 54 6f 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 0d 0a 43 61 6c 6c 2d 49 44 3a 20 38 30 30 35 33 37 33 39 33 40 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 43 53 65 71 3a 20 33 20 52 45 47 49 53 54 45 52 0d 0a 43 6f 6e 74 61 63 74 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 74 72 61 6e 73 70 6f 72 74 3d 54 4c 53 3e 0d 0a 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 20 44 69 67 65 73 74 20 75 73 65 72 6e 61 6d 65 3d 22 74 65 73 74 30 30 31 22 2c 20 72 65 61 6c 6d 3d 22 43 61 6c 6c 2d 65 58 22 2c 20 6e 6f 6e 63 65 3d 22 31 33 35 36 61 37 37 62 22 2c 20 75 72 69 3d 22 73 69 70 3a 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 22 2c 20 72 65 73 70 6f 6e 73 65 3d 22 37 31 31 38 65 39 32 32 38 62 65 62 32 37 31 33 34 35 61 30 66 65 32 62 63 38 61 64 32 33 33 32 22 2c 20 61 6c 67 6f 72 69 74 68 6d 3d 4d 44 35 0d 0a 41 6c 6c 6f 77 3a 20 49 4e 56 49 54 45 2c 20 49 4e 46 4f 2c 20 50 52 41 43 4b 2c 20 41 43 4b 2c 20 42 59 45 2c 20 43 41 4e 43 45 4c 2c 20 4f 50 54 49 4f 4e 53 2c 20 4e 4f 54 49 46 59 2c 20 52 45 47 49 53 54 45 52 2c 20 53 55 42 53 43 52 49 42 45 2c 20 52 45 46 45 52 2c 20 50 55 42 4c 49 53 48 2c 20 55 50 44 41 54 45 2c 20 4d 45 53 53 41 47 45 0d 0a 4d 61 78 2d 46 6f 72 77 61 72 64 73 3a 20 37 30 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 59 65 61 6c 69 6e 6b 20 53 49 50 2d 54 32 38 50 20 32 2e 36 31 2e 30 2e 37 30 0d 0a 45 78 70 69 72 65 73 3a 20 36 30 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 0d 0a 25 cd a4 2f 59 43 78 84 74 8c 2f 76 2f 93 74 85 checking mac (len 654, version 301, ct 23 seq 6) tls_check_mac mac type:MD5 md 1 Mac[16]: 25 cd a4 2f 59 43 78 84 74 8c 2f 76 2f 93 74 85 ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 654, seq = 3334, nxtseq = 3988 association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 654 decrypted app data fragment: REGISTER sip:10.0.4.63:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK84681934

From: <sip:[email protected]:5061>;tag=1279884606

To: <sip:[email protected]:5061>

Call-ID: [email protected]

CSeq: 3 REGISTER

Contact: <sip:[email protected]:5062;transport=TLS>

Authorization: Digest username="test001", realm="Call-eX", nonce="1356a77b", uri="sip:10.0.4.63:5061", response="7118e9228beb271345a0fe2bc8ad2332", algorithm=MD5

Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Expires: 60

Content-Length: 0

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #43 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 534 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 529, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #44 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 534 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 529, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #46 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 676 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 671, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 671 Ciphertext[671]: 83 9d d3 77 35 8e 56 17 f6 7a 30 e7 fb d9 34 23 5b 71 9d 28 aa d8 ed 8f ab a9 13 e4 37 e9 f4 03 fb a1 72 11 94 36 d3 64 7d 51 42 a7 16 1d 2e 83 4e fd 86 b6 5f de f2 7c 56 fd 0d 8a 41 36 10 d5 fd 32 39 8a 81 bc 18 d9 57 13 57 15 78 68 68 19 9b 82 45 1d 2f 1e f7 1e 70 33 5b 4e ea 28 40 68 3b af 53 3d f6 cc 47 97 c0 3c 63 ea e4 55 6b d3 a6 15 f4 46 bb e9 7d 53 0d 19 ea ee 09 1c e7 74 35 75 6c 0e f8 f8 d6 a4 01 81 60 cf 1f b3 f9 bc 27 f9 12 c7 3a fc 04 dd 98 43 e3 2d 56 c9 27 12 75 c9 0f f8 2e 48 c6 a7 8d 0d 7a 79 c3 8a 4d 3c 8c 06 7d 96 76 2b 3f e1 f1 07 60 fc a9 ba e7 d1 ea f1 43 a6 4a a0 cd e8 b0 0c f0 a4 9d 2e 3b 3c 19 52 da 42 c1 c2 a7 4c 32 4a 58 b7 aa 37 cd 9f e3 80 ca fe 9a 9e 1b 55 70 d3 9e 7f 76 8c ab 63 44 8b 1a 9b fc 02 6f df 62 b9 47 1b b9 74 16 15 a4 14 79 4f 13 ef 2d 3f 8c 27 24 d9 60 fd 8c 46 d5 ad a3 a5 a3 d1 dd 3f 16 02 8f 3d de 8d 63 7a 63 66 ae 2e 01 99 63 ca 18 1b 54 05 5d 9e 0d 67 67 60 f5 d6 4e 58 1b 5a 0a 3e ad 53 4f b7 30 59 4a 36 2f 66 20 c3 f0 bf bf 6b 8e 2d 90 39 55 fd 7c 7a 96 7a 8b 7c 53 d3 bb dc ee ba 55 1b cf 69 8a df 1a b9 56 b8 c4 b0 26 40 1a 09 6a c4 b5 5b c4 ed 2e d8 d4 0c 09 6a dd 1e d7 6f 29 63 b9 19 9c 0d 5e f6 1e 91 43 0d a6 c8 ba 5b 32 a3 7c df 78 c3 9b 2a d9 77 a1 2f aa 01 37 14 5d 96 da 4c 7e 73 1a c5 30 f6 f5 5a 0b 09 0f a9 ae fd 8a e2 75 c2 7b b4 c5 78 3c 22 60 22 cb 44 62 28 80 d8 15 17 6b e4 f8 02 76 9a a7 4f b6 3b 94 20 b1 18 44 9f e4 0f 3c 8a c5 1a 06 a5 4d e6 58 49 ee d3 8d 24 d6 f7 65 55 27 67 89 4b e5 70 3d d9 75 3a f7 eb cb 07 cb 6c c7 41 7e 18 24 42 3b 8a 78 45 79 b6 6f ee 14 0c 03 85 b3 c1 72 1b f0 85 af 01 61 27 54 1b e7 08 37 0d c6 5d 97 ed 48 05 2c a1 ff 50 ef 0e f2 28 86 2d 3b b1 1c cf 35 1f b2 9f 7b d1 e8 85 40 aa d1 c0 b5 fe 6e 8d 91 ae d6 e3 d1 70 ce 3c 19 80 05 09 61 8d 1f 51 70 2c 43 bb 81 ae a3 29 e8 aa 04 16 81 49 22 86 5b 32 1d 5e 9c 7b 50 d8 ea 36 96 09 e9 95 05 b8 aa f3 ea 3a 3b 4a 49 f5 73 47 9a 7f 38 18 00 c7 06 24 3a cb 83 56 97 d0 0c f0 9c 38 09 5e f3 96 c0 30 88 f0 c4 8b 39 34 6d f8 f3 c6 4e c0 22 35 56 ba 11 Plaintext[671]: 52 45 47 49 53 54 45 52 20 73 69 70 3a 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 20 53 49 50 2f 32 2e 30 0d 0a 56 69 61 3a 20 53 49 50 2f 32 2e 30 2f 54 4c 53 20 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 62 72 61 6e 63 68 3d 7a 39 68 47 34 62 4b 39 36 32 35 34 33 37 31 34 0d 0a 46 72 6f 6d 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 31 32 37 39 38 38 34 36 30 36 0d 0a 54 6f 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 0d 0a 43 61 6c 6c 2d 49 44 3a 20 38 30 30 35 33 37 33 39 33 40 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 43 53 65 71 3a 20 34 20 52 45 47 49 53 54 45 52 0d 0a 43 6f 6e 74 61 63 74 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 74 72 61 6e 73 70 6f 72 74 3d 54 4c 53 3e 0d 0a 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 20 44 69 67 65 73 74 20 75 73 65 72 6e 61 6d 65 3d 22 74 65 73 74 30 30 31 22 2c 20 72 65 61 6c 6d 3d 22 43 61 6c 6c 2d 65 58 22 2c 20 6e 6f 6e 63 65 3d 22 30 34 61 38 62 32 33 33 22 2c 20 75 72 69 3d 22 73 69 70 3a 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 22 2c 20 72 65 73 70 6f 6e 73 65 3d 22 34 64 39 66 36 30 30 31 36 64 32 37 63 38 38 31 64 30 62 34 32 35 34 63 35 34 63 61 38 64 38 30 22 2c 20 61 6c 67 6f 72 69 74 68 6d 3d 4d 44 35 0d 0a 41 6c 6c 6f 77 3a 20 49 4e 56 49 54 45 2c 20 49 4e 46 4f 2c 20 50 52 41 43 4b 2c 20 41 43 4b 2c 20 42 59 45 2c 20 43 41 4e 43 45 4c 2c 20 4f 50 54 49 4f 4e 53 2c 20 4e 4f 54 49 46 59 2c 20 52 45 47 49 53 54 45 52 2c 20 53 55 42 53 43 52 49 42 45 2c 20 52 45 46 45 52 2c 20 50 55 42 4c 49 53 48 2c 20 55 50 44 41 54 45 2c 20 4d 45 53 53 41 47 45 0d 0a 4d 61 78 2d 46 6f 72 77 61 72 64 73 3a 20 37 30 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 59 65 61 6c 69 6e 6b 20 53 49 50 2d 54 32 38 50 20 32 2e 36 31 2e 30 2e 37 30 0d 0a 45 78 70 69 72 65 73 3a 20 36 30 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 0d 0a 9d dd fb ba 35 9a b3 b4 32 82 63 85 9d 8a 96 11 checking mac (len 655, version 301, ct 23 seq 7) tls_check_mac mac type:MD5 md 1 Mac[16]: 9d dd fb ba 35 9a b3 b4 32 82 63 85 9d 8a 96 11 ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 655, seq = 3988, nxtseq = 4643 association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 655 decrypted app data fragment: REGISTER sip:10.0.4.63:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK962543714

From: <sip:[email protected]:5061>;tag=1279884606

To: <sip:[email protected]:5061>

Call-ID: [email protected]

CSeq: 4 REGISTER

Contact: <sip:[email protected]:5062;transport=TLS>

Authorization: Digest username="test001", realm="Call-eX", nonce="04a8b233", uri="sip:10.0.4.63:5061", response="4d9f60016d27c881d0b4254c54ca8d80", algorithm=MD5

Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Expires: 60

Content-Length: 0

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #47 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 553 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 548, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #48 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 553 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 548, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #50 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 784 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 779, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #51 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 784 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 779, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #55 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 401 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 396, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 396 Ciphertext[396]: d1 df 6e 63 67 3d 5e b1 2b ec b0 f8 50 af eb 6d 6f 90 59 18 2f b3 e7 70 b8 1f 67 db 5b 87 11 c7 d9 c1 28 54 2f 25 c6 a5 d0 ef b1 ac bf 71 f7 b5 ed bc 65 d1 58 05 1e 2b bc ac e7 09 ff 09 78 c0 17 9d b4 32 c8 4b c7 f6 f7 94 40 fe d6 af 54 6c ca 4d b5 ec 4d 44 85 9d 1a 3a 0e 0d a5 56 99 5d 7e 21 86 ed 12 a1 33 47 a1 b8 83 29 8d e9 8f 3a 01 10 62 d1 99 77 65 b6 d7 8a e9 e6 b9 a8 ef 3e db 88 6b 91 91 87 8f ce ba 4e df 1b ad 18 4f d4 65 b3 91 86 22 2f 5f 27 83 68 07 2e 42 ff 7c 70 a0 7f 9a 2d 90 2f 07 3c b9 b0 54 66 d1 53 d7 c7 18 48 8d 48 b2 91 2f 2d 2e 51 ac 04 2b ef e1 ac 98 66 3a 49 ea 67 a6 f9 d8 e3 8f 70 fe 50 1d b9 1c 1f 84 8e bb 60 ac 40 8e b5 bb 50 36 12 bd 86 99 06 a0 ca e6 29 93 4e 33 03 0d f5 27 a6 6e 50 49 b6 14 75 e5 8c ee f4 ee 65 5b 94 56 2c 65 c8 ec 5e aa e6 b3 96 56 db a5 81 25 57 d7 91 be 37 90 e2 c3 24 18 e8 91 af da 52 bd cd f4 02 6e bd 78 d9 68 07 fc 69 99 f8 a3 ba 36 54 59 32 ce 9e 28 4f fd b6 cc e9 cd f2 9a ef 55 01 2d a3 b4 21 81 3b 33 ca db d9 45 4d 53 d2 05 a0 d0 d8 0e ee 1b 8a a1 08 4a 42 64 3a f5 84 85 9a bf 61 de 6c 60 f4 67 36 b7 a8 fb d4 50 27 4f 0b d8 46 b4 cf 0e 4a 7e 00 6e 5f 2b 48 28 29 bd 32 62 ce f0 50 a5 ed b1 74 20 1f 1c c2 59 19 7a 7e Plaintext[396]: 41 43 4b 20 73 69 70 3a 31 32 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3b 74 72 61 6e 73 70 6f 72 74 3d 54 4c 53 20 53 49 50 2f 32 2e 30 0d 0a 56 69 61 3a 20 53 49 50 2f 32 2e 30 2f 54 4c 53 20 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 62 72 61 6e 63 68 3d 7a 39 68 47 34 62 4b 31 39 36 37 33 37 39 36 39 35 0d 0a 46 72 6f 6d 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 36 30 37 34 39 31 33 32 39 0d 0a 54 6f 3a 20 3c 73 69 70 3a 31 32 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 61 73 33 34 33 35 39 36 37 62 0d 0a 43 61 6c 6c 2d 49 44 3a 20 31 30 37 31 31 32 39 39 35 31 40 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 43 53 65 71 3a 20 32 20 41 43 4b 0d 0a 43 6f 6e 74 61 63 74 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 74 72 61 6e 73 70 6f 72 74 3d 54 4c 53 3e 0d 0a 4d 61 78 2d 46 6f 72 77 61 72 64 73 3a 20 37 30 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 59 65 61 6c 69 6e 6b 20 53 49 50 2d 54 32 38 50 20 32 2e 36 31 2e 30 2e 37 30 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 0d 0a 9e cd b7 a4 64 c7 80 6b c9 d1 69 66 d0 2e d1 53 checking mac (len 380, version 301, ct 23 seq 8) tls_check_mac mac type:MD5 md 1 Mac[16]: 9e cd b7 a4 64 c7 80 6b c9 d1 69 66 d0 2e d1 53 ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 380, seq = 4643, nxtseq = 5023 association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 380 decrypted app data fragment: ACK sip:[email protected]:5061;transport=TLS SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK1967379695

From: <sip:[email protected]:5061>;tag=607491329

To: <sip:[email protected]:5061>;tag=as3435967b

Call-ID: [email protected]

CSeq: 2 ACK

Contact: <sip:[email protected]:5062;transport=TLS>

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Content-Length: 0

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #610 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 583 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 578, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #611 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 583 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 578, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #613 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 301 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 296, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 296 Ciphertext[296]: 4d 95 c3 9d ee 7d 71 1a 38 3f d9 4c b0 82 68 5d c7 b6 d9 68 c3 dc c0 c8 33 ec e5 85 22 90 09 d8 68 cb f9 de cf a7 06 30 6d 7f 84 25 dc fb 25 97 d3 a4 ec 6a a3 a2 47 07 6c b7 1f 7e 01 c3 5a 1c da e7 6d a0 09 5f 70 95 fc d5 a7 1c 23 1e 58 fd 78 84 85 00 ab d7 98 49 9b 72 d5 4b ea bb 05 77 e8 a1 64 03 3a 16 a4 95 6a 13 83 98 c6 65 a6 14 e2 c8 33 d9 05 2b 6e 62 8f 39 7a 51 9b 86 83 b9 d9 65 2c a0 b3 c2 8a 56 05 a1 6e 6e d0 f6 9f 11 dc 7c 98 c6 c7 30 4e 8b 95 6f 88 4c 99 c4 98 89 b8 d9 d3 59 81 e9 a1 ba 6f b3 37 20 9f 49 74 b6 a6 7a 74 13 49 11 92 ba b2 97 38 4b d6 6d 60 d6 8c 67 6a 15 a8 55 48 33 f7 2f 3f 22 d7 6f 95 54 da 3f 24 3c c8 57 0e b0 ca f5 51 62 3e 59 2c 4e a3 62 a7 1d c5 07 38 ce fa f7 00 45 4f bf b2 a9 fd b3 51 5d 74 8a ef 85 5f 60 c8 95 88 1b 11 e5 9b 93 cf 68 47 18 f9 f1 db a1 05 22 84 1e c6 2b aa 9f ff 75 ce 80 ef 74 3b e5 3e dc 74 e4 a3 bb a3 15 e3 ba 9f 69 87 0d Plaintext[296]: 53 49 50 2f 32 2e 30 20 32 30 30 20 4f 4b 0d 0a 56 69 61 3a 20 53 49 50 2f 32 2e 30 2f 54 4c 53 20 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3b 62 72 61 6e 63 68 3d 7a 39 68 47 34 62 4b 34 65 38 31 30 63 38 33 3b 72 70 6f 72 74 0d 0a 46 72 6f 6d 3a 20 3c 73 69 70 3a 31 32 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 61 73 33 34 33 35 39 36 37 62 0d 0a 54 6f 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 36 30 37 34 39 31 33 32 39 0d 0a 43 61 6c 6c 2d 49 44 3a 20 31 30 37 31 31 32 39 39 35 31 40 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 43 53 65 71 3a 20 31 30 32 20 42 59 45 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 59 65 61 6c 69 6e 6b 20 53 49 50 2d 54 32 38 50 20 32 2e 36 31 2e 30 2e 37 30 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 0d 0a 80 2f f9 7a 89 bd b3 21 44 82 c5 17 55 fe 0d ac checking mac (len 280, version 301, ct 23 seq 9) tls_check_mac mac type:MD5 md 1 Mac[16]: 80 2f f9 7a 89 bd b3 21 44 82 c5 17 55 fe 0d ac ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 280, seq = 5023, nxtseq = 5303 association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 280 decrypted app data fragment: SIP/2.0 200 OK

Via: SIP/2.0/TLS 10.0.4.63:5061;branch=z9hG4bK4e810c83;rport

From: <sip:[email protected]:5061>;tag=as3435967b

To: <sip:[email protected]:5061>;tag=607491329

Call-ID: [email protected]

CSeq: 102 BYE

User-Agent: Yealink SIP-T28P 2.61.0.70

Content-Length: 0

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #5 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 98 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 1 offset 5 length 89 bytes, remaining 98

dissect_ssl enter frame #8 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 1448 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79 record: offset = 79, reported_length_remaining = 1369 need_desegmentation: offset = 79, reported_length_remaining = 1369

dissect_ssl enter frame #9 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 1448 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79 record: offset = 79, reported_length_remaining = 1369 need_desegmentation: offset = 79, reported_length_remaining = 1369

dissect_ssl enter frame #10 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 2125 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 11 offset 5 length 2107 bytes, remaining 2116 record: offset = 2116, reported_length_remaining = 9 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 14 offset 2121 length 0 bytes, remaining 2125

dissect_ssl enter frame #14 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 182 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139 record: offset = 139, reported_length_remaining = 43 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec record: offset = 145, reported_length_remaining = 37 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16

dissect_ssl enter frame #15 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 43 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec record: offset = 6, reported_length_remaining = 37 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16

dissect_ssl enter frame #16 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 43 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec record: offset = 6, reported_length_remaining = 37 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 156 offset 11 length 3052702 bytes, remaining 43

dissect_ssl enter frame #18 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 513 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 492 decrypted app data fragment: REGISTER sip:10.0.4.63:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK633221630

From: <sip:[email protected]:5061>;tag=1279884606

To: <sip:[email protected]:5061>

Call-ID: [email protected]

CSeq: 1 REGISTER

Contact: <sip:[email protected]:5062;transport=TLS>

Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Expires: 60

Content-Length: 0

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #19 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 523 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #20 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 523 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #22 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 677 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 656 decrypted app data fragment: REGISTER sip:10.0.4.63:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK1847283880

From: <sip:[email protected]:5061>;tag=1279884606

To: <sip:[email protected]:5061>

Call-ID: [email protected]

CSeq: 2 REGISTER

Contact: <sip:[email protected]:5062;transport=TLS>

Authorization: Digest username="test001", realm="Call-eX", nonce="1356a77b", uri="sip:10.0.4.63:5061", response="7118e9228beb271345a0fe2bc8ad2332", algorithm=MD5

Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Expires: 60

Content-Length: 0

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #23 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 554 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #24 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 554 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #26 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 904 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 883 decrypted app data fragment: INVITE sip:[email protected]:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK1995397980

From: <sip:[email protected]:5061>;tag=607491329

To: <sip:[email protected]:5061>

Call-ID: [email protected]

CSeq: 1 INVITE

Contact: <sip:[email protected]:5062;transport=TLS>

Content-Type: application/sdp

Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Supported: replaces

Allow-Events: talk,hold,conference,refer,check-sync

Content-Length: 302

v=0

o=- 20000 20000 IN IP4 10.0.0.172

s=SDP data

c=IN IP4 10.0.0.172

t=0 0

m=audio 11780 RTP/AVP 0 8 18 9 101

a=rtpmap:0 PCMU/8000

a=rtpmap:8 PCMA/8000

a=rtpmap:18 G729/8000

a=fmtp:18 annexb=no

a=rtpmap:9 G722/8000

a=fmtp:101 0-15

a=rtpmap:101 telephone-event/8000

a=ptime:20

a=sendrecv

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #27 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 517 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #28 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 517 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #30 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 275 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 254 decrypted app data fragment: ACK sip:[email protected]:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK1995397980

From: <sip:[email protected]:5061>;tag=607491329

To: <sip:[email protected]:5061>;tag=as5818025c

Call-ID: [email protected]

CSeq: 1 ACK

Content-Length: 0

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #33 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 1070 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 1049 decrypted app data fragment: INVITE sip:[email protected]:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK1811458558

From: <sip:[email protected]:5061>;tag=607491329

To: <sip:[email protected]:5061>

Call-ID: [email protected]

CSeq: 2 INVITE

Contact: <sip:[email protected]:5062;transport=TLS>

Authorization: Digest username="test001", realm="Call-eX", nonce="53a4a649", uri="sip:[email protected]:5061", response="458a128c100c2a1467e7a65c4f0bfc5b", algorithm=MD5

Content-Type: application/sdp

Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Supported: replaces

Allow-Events: talk,hold,conference,refer,check-sync

Content-Length: 302

v=0

o=- 20000 20000 IN IP4 10.0.0.172

s=SDP data

c=IN IP4 10.0.0.172

t=0 0

m=audio 11780 RTP/AVP 0 8 18 9 101

a=rtpmap:0 PCMU/8000

a=rtpmap:8 PCMA/8000

a=rtpmap:18 G729/8000

a=fmtp:18 annexb=no

a=rtpmap:9 G722/8000

a=fmtp:101 0-15

a=rtpmap:101 telephone-event/8000

a=ptime:20

a=sendrecv

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #36 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 469 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #37 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 469 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100 association_find: TCP port 5061 found 0000000006322100 association_find: TCP port 5061 found 0000000006322100 ssl_association_remove removing TCP 5061 - sip handle 0000000005B16760 association_add TCP port 5061 protocol sip.tcp handle 0000000005B16790

dissect_ssl enter frame #5 (first time) ssl_session_init: initializing ptr 0000000007071FB8 size 680 conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 98 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 93, ssl state 0x00 association_find: TCP port 8003 found 0000000000000000 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 1 offset 5 length 89 bytes, remaining 98 packet_from_server: is from server - FALSE ssl_find_private_key server 10.0.4.63:5061 dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #8 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 1448 dissect_ssl3_record found version 0x0301(TLS 1.0) -> state 0x11 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 74, ssl state 0x11 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79 dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13 dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17 dissect_ssl3_hnd_srv_hello trying to generate keys ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57) dissect_ssl3_hnd_srv_hello can't generate keyring material record: offset = 79, reported_length_remaining = 1369 need_desegmentation: offset = 79, reported_length_remaining = 1369

dissect_ssl enter frame #9 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 1448 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 74, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79 dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x17 ssl_restore_session can't find stored session dissect_ssl3_hnd_srv_hello found CIPHER 0x0004 -> state 0x17 dissect_ssl3_hnd_srv_hello trying to generate keys ssl_generate_keyring_material not enough data to generate key (0x17 required 0x37 or 0x57) dissect_ssl3_hnd_srv_hello can't generate keyring material record: offset = 79, reported_length_remaining = 1369 need_desegmentation: offset = 79, reported_length_remaining = 1369

dissect_ssl enter frame #10 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 2125 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 2111, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 11 offset 5 length 2107 bytes, remaining 2116 record: offset = 2116, reported_length_remaining = 9 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 4, ssl state 0x17 packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 14 offset 2121 length 0 bytes, remaining 2125

dissect_ssl enter frame #14 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 182 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 134, ssl state 0x17 packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139 pre master encrypted[128]: 5d e9 aa 35 6e e1 12 6c 06 ef 2b c3 03 44 0f 7a f4 ed 00 f3 9d 95 93 98 a4 94 3a 35 51 ab 38 ff 9b a3 69 4e 46 51 c6 5f 53 ef 34 75 c5 fa 99 ef 4d 4a 7e dc ab 4d b7 80 3e a0 55 cb e3 f2 c0 04 ff da 57 d6 35 bb 3d 63 aa 4d e0 87 2b 29 58 50 d4 c0 45 04 f3 2a 6d 06 da c3 e3 6a f9 cd 4b 9e 03 a0 7b 0f 60 cf dc 9d 9f 29 c7 40 a7 20 f7 5c f6 c8 0c 0a 3c d0 7f a5 4f e0 19 2f 47 41 2d 7e ssl_decrypt_pre_master_secret:RSA_private_decrypt pcry_private_decrypt: stripping 79 bytes, decr_len 127 decrypted_unstrip_pre_master[127]: 02 bc 5b 1e a2 bd 1c 4d 26 2c 12 31 af 1b ac 10 07 e8 a1 f8 93 ea 18 95 8b 9e 64 7f a4 1b 08 52 a8 34 53 c1 58 f7 be 06 6e eb d3 6d 32 61 e0 d8 ba f7 62 b8 b0 1e 1a 4d ea 97 ff 05 f9 42 d5 f7 d4 a6 4c 9f c1 ed e4 94 91 5c 1f 74 d2 5d 00 03 01 51 f4 b5 f8 c8 cf e7 8f db 96 d3 1a b5 b2 d2 24 55 85 48 4b 89 46 23 19 9c 3a 2f e6 a9 79 8f 47 50 51 1c d1 4d 0e d1 a6 e1 fe 69 7f 32 c8 pre master secret[48]: 03 01 51 f4 b5 f8 c8 cf e7 8f db 96 d3 1a b5 b2 d2 24 55 85 48 4b 89 46 23 19 9c 3a 2f e6 a9 79 8f 47 50 51 1c d1 4d 0e d1 a6 e1 fe 69 7f 32 c8 ssl_generate_keyring_material:PRF(pre_master_secret) pre master secret[48]: 03 01 51 f4 b5 f8 c8 cf e7 8f db 96 d3 1a b5 b2 d2 24 55 85 48 4b 89 46 23 19 9c 3a 2f e6 a9 79 8f 47 50 51 1c d1 4d 0e d1 a6 e1 fe 69 7f 32 c8 client random[32]: 4e ca e6 1c 90 58 cf 50 c9 45 fb b7 f9 fc 34 36 54 53 c5 9c 54 36 c8 c4 a4 bd 61 05 fe 5e f5 77 server random[32]: 50 2a 58 c7 b7 e2 66 00 8c b1 66 68 e3 c6 5f b6 1b db 6d bc 83 4b 4e 6f ca 39 d2 cc b0 24 81 c4 tls_prf: tls_hash(md5 secret_len 24 seed_len 77 ) tls_hash: hash secret[24]: 03 01 51 f4 b5 f8 c8 cf e7 8f db 96 d3 1a b5 b2 d2 24 55 85 48 4b 89 46 tls_hash: hash seed[77]: 6d 61 73 74 65 72 20 73 65 63 72 65 74 4e ca e6 1c 90 58 cf 50 c9 45 fb b7 f9 fc 34 36 54 53 c5 9c 54 36 c8 c4 a4 bd 61 05 fe 5e f5 77 50 2a 58 c7 b7 e2 66 00 8c b1 66 68 e3 c6 5f b6 1b db 6d bc 83 4b 4e 6f ca 39 d2 cc b0 24 81 c4 hash out[48]: df b8 de 0f a1 50 08 a3 0c 78 f5 10 67 e0 d4 ed 6c 53 89 99 1b 76 f7 62 a6 55 c8 da b6 bf e7 5b 09 6f 8e ff 90 8c 45 5e 72 96 d0 d4 9e fe a2 e0 tls_prf: tls_hash(sha) tls_hash: hash secret[24]: 23 19 9c 3a 2f e6 a9 79 8f 47 50 51 1c d1 4d 0e d1 a6 e1 fe 69 7f 32 c8 tls_hash: hash seed[77]: 6d 61 73 74 65 72 20 73 65 63 72 65 74 4e ca e6 1c 90 58 cf 50 c9 45 fb b7 f9 fc 34 36 54 53 c5 9c 54 36 c8 c4 a4 bd 61 05 fe 5e f5 77 50 2a 58 c7 b7 e2 66 00 8c b1 66 68 e3 c6 5f b6 1b db 6d bc 83 4b 4e 6f ca 39 d2 cc b0 24 81 c4 hash out[48]: 8a 99 cc a8 29 36 9e 06 4c 95 0c f3 b2 a0 16 19 96 5d 60 d2 f8 2d 46 bb 48 10 f8 4b 4f 93 63 4c d6 3b fd 72 a7 2a 1f 45 82 7c aa 40 4c ce 69 98 PRF out[48]: 55 21 12 a7 88 66 96 a5 40 ed f9 e3 d5 40 c2 f4 fa 0e e9 4b e3 5b b1 d9 ee 45 30 91 f9 2c 84 17 df 54 73 8d 37 a6 5a 1b f0 ea 7a 94 d2 30 cb 78 master secret[48]: 55 21 12 a7 88 66 96 a5 40 ed f9 e3 d5 40 c2 f4 fa 0e e9 4b e3 5b b1 d9 ee 45 30 91 f9 2c 84 17 df 54 73 8d 37 a6 5a 1b f0 ea 7a 94 d2 30 cb 78 ssl_generate_keyring_material sess key generation tls_prf: tls_hash(md5 secret_len 24 seed_len 77 ) tls_hash: hash secret[24]: 55 21 12 a7 88 66 96 a5 40 ed f9 e3 d5 40 c2 f4 fa 0e e9 4b e3 5b b1 d9 tls_hash: hash seed[77]: 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 50 2a 58 c7 b7 e2 66 00 8c b1 66 68 e3 c6 5f b6 1b db 6d bc 83 4b 4e 6f ca 39 d2 cc b0 24 81 c4 4e ca e6 1c 90 58 cf 50 c9 45 fb b7 f9 fc 34 36 54 53 c5 9c 54 36 c8 c4 a4 bd 61 05 fe 5e f5 77 hash out[64]: 85 19 05 4d 00 32 38 02 fd a7 18 7b 63 b6 72 58 4b 86 4c 98 28 c3 6b d6 f5 61 a1 92 46 b8 a8 65 34 44 10 96 e2 c5 6c b5 a2 f4 61 5e 68 f0 e6 5e e1 6f f4 18 4a 08 9a 48 34 11 78 21 f4 6f eb 62 tls_prf: tls_hash(sha) tls_hash: hash secret[24]: ee 45 30 91 f9 2c 84 17 df 54 73 8d 37 a6 5a 1b f0 ea 7a 94 d2 30 cb 78 tls_hash: hash seed[77]: 6b 65 79 20 65 78 70 61 6e 73 69 6f 6e 50 2a 58 c7 b7 e2 66 00 8c b1 66 68 e3 c6 5f b6 1b db 6d bc 83 4b 4e 6f ca 39 d2 cc b0 24 81 c4 4e ca e6 1c 90 58 cf 50 c9 45 fb b7 f9 fc 34 36 54 53 c5 9c 54 36 c8 c4 a4 bd 61 05 fe 5e f5 77 hash out[64]: a1 3e f6 ca 12 2e 1d 17 fe d0 8e 89 3a 75 17 24 6a 9b 50 8c 4d 54 d4 26 0c 58 32 a2 27 65 15 b1 17 a4 de cc f8 ac fb a0 e6 c1 0a ce 37 33 8a e1 ec 01 18 90 05 d1 4e 4e 15 76 9e a8 8b b3 0b 56 PRF out[64]: 24 27 f3 87 12 1c 25 15 03 77 96 f2 59 c3 65 7c 21 1d 1c 14 65 97 bf f0 f9 39 93 30 61 dd bd d4 23 e0 ce 5a 1a 69 97 15 44 35 6b 90 5f c3 6c bf 0d 6e ec 88 4f d9 d4 06 21 67 e6 89 7f dc e0 34 key expansion[64]: 24 27 f3 87 12 1c 25 15 03 77 96 f2 59 c3 65 7c 21 1d 1c 14 65 97 bf f0 f9 39 93 30 61 dd bd d4 23 e0 ce 5a 1a 69 97 15 44 35 6b 90 5f c3 6c bf 0d 6e ec 88 4f d9 d4 06 21 67 e6 89 7f dc e0 34 Client MAC key[16]: 24 27 f3 87 12 1c 25 15 03 77 96 f2 59 c3 65 7c Server MAC key[16]: 21 1d 1c 14 65 97 bf f0 f9 39 93 30 61 dd bd d4 Client Write key[16]: 23 e0 ce 5a 1a 69 97 15 44 35 6b 90 5f c3 6c bf Server Write key[16]: 0d 6e ec 88 4f d9 d4 06 21 67 e6 89 7f dc e0 34 Client Write IV[8]: 00 00 00 00 00 00 00 00 Server Write IV[8]: f0 c4 27 00 00 00 00 00 ssl_generate_keyring_material ssl_create_decoder(client) ssl_create_decoder CIPHER: ARCFOUR decoder initialized (digest len 16) ssl_generate_keyring_material ssl_create_decoder(server) ssl_create_decoder CIPHER: ARCFOUR decoder initialized (digest len 16) ssl_generate_keyring_material: client seq 0, server seq 0 ssl_save_session stored session id[32]: af dd 5f fb 98 29 74 f7 1c 0d 91 37 94 cd 95 8b ed 2e f0 b4 ea e0 5a 79 94 31 00 0e a0 e8 b0 89 ssl_save_session stored master secret[48]: 55 21 12 a7 88 66 96 a5 40 ed f9 e3 d5 40 c2 f4 fa 0e e9 4b e3 5b b1 d9 ee 45 30 91 f9 2c 84 17 df 54 73 8d 37 a6 5a 1b f0 ea 7a 94 d2 30 cb 78 dissect_ssl3_handshake session keys successfully generated record: offset = 139, reported_length_remaining = 43 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec packet_from_server: is from server - FALSE ssl_change_cipher CLIENT record: offset = 145, reported_length_remaining = 37 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 32, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 32 Ciphertext[32]: f3 cc a1 1f 1c 04 c3 04 43 19 84 42 33 8e 0d d4 77 46 27 74 1a 9c 53 7d 86 cb 79 f9 c5 7d 61 2d Plaintext[32]: 14 00 00 0c 07 14 6d 39 0a ad 54 2f af 9e f9 f8 9a c9 2a 7c 36 69 7d cd 29 bf c8 c0 b0 e5 43 23 checking mac (len 16, version 301, ct 22 seq 0) tls_check_mac mac type:MD5 md 1 Mac[16]: 9a c9 2a 7c 36 69 7d cd 29 bf c8 c0 b0 e5 43 23 ssl_decrypt_record: mac ok dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16

dissect_ssl enter frame #15 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 43 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec packet_from_server: is from server - TRUE ssl_change_cipher SERVER record: offset = 6, reported_length_remaining = 37 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 32, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder ssl_decrypt_record ciphertext len 32 Ciphertext[32]: 9c 2e 94 9e 40 17 8f 0c 32 d6 28 49 ee 0b b9 86 f7 f0 a3 d8 30 50 f2 50 3b 55 f0 1d d4 0d 25 8d Plaintext[32]: 14 00 00 0c 70 f7 4f f8 13 a2 cc 62 1e 14 d6 ad 84 9b 01 62 07 02 e7 a0 59 4f fe e2 7a 1a d3 8c checking mac (len 16, version 301, ct 22 seq 0) tls_check_mac mac type:MD5 md 1 Mac[16]: 84 9b 01 62 07 02 e7 a0 59 4f fe e2 7a 1a d3 8c ssl_decrypt_record: mac ok dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16

dissect_ssl enter frame #16 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 43 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec packet_from_server: is from server - TRUE ssl_change_cipher SERVER record: offset = 6, reported_length_remaining = 37 dissect_ssl3_record: content_type 22 Handshake decrypt_ssl3_record: app_data len 32, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available dissect_ssl3_handshake iteration 1 type 156 offset 11 length 3052702 bytes, remaining 43

dissect_ssl enter frame #18 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 513 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 508, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 508 Ciphertext[508]: f0 22 9a 0b ec 67 48 1e e9 45 85 8f 17 0c 40 6e d1 a6 58 9b 02 98 22 ba 76 d1 a7 b1 80 48 96 a5 0c 77 78 2c 62 74 20 40 80 ec 3a 6f d9 d5 02 20 35 8b eb 26 42 8a 6b 17 2d ae 55 59 61 83 48 6f f4 6d 45 9f d2 ab 1b e9 ca 90 86 3c d7 8c 04 45 1a 5b db d0 ec 3d a9 99 37 d9 d0 f0 6a 0e 3b e0 dc 2d a8 9f 43 31 a5 5f 16 90 68 17 82 c3 56 b4 fb cf 83 88 55 4e b0 15 ce c8 8b 26 97 b9 bc 3c 6a 1b e3 9d 3c 84 3d 39 ac 61 72 19 1e 69 1e 01 44 81 a1 b0 78 a5 4b b0 cb af 98 e6 da f9 4c f5 07 58 73 10 1e ca ff 9c 52 b9 04 91 0c d9 84 f5 94 e6 76 fd b3 19 19 ca b8 cd 79 92 8c 4d 60 6a da 03 66 d4 7f 80 73 45 45 f7 c1 52 4b 27 9e 8b 51 f4 0d 9c a3 e0 b2 49 81 0d 4e b0 16 d3 5f 2e e5 e9 7f 3a 2e a7 5f 5b 9b 52 08 96 9d 45 f0 73 70 4c 27 04 cd cc 61 9d 1d a0 e9 c3 59 09 d6 02 b0 7b f7 64 6c 98 77 f0 ec 2d 7b 1a b6 15 d2 b9 d3 47 ca 49 6a b7 11 f2 c9 14 93 ee 25 21 5d 06 37 fb b0 b0 72 36 2a 50 bb d3 42 9b 5c 60 91 20 16 92 3c 80 df 2e 53 a8 d4 ea 67 ac f2 f2 18 fe 90 0a fa f6 82 66 3d a3 68 0d 1f 8c 6c f9 1b c0 78 7f 1b db 9d 1b 9b 0f 67 a2 a8 ba 03 ac fe b7 3d 75 a4 46 fd d2 96 d0 2f c4 3a 5a 0e 13 a3 2a 30 a8 91 f9 b5 74 cf b4 62 5f f4 5f 19 46 d6 5a 17 fd 7b d6 83 08 69 d1 92 49 fd 83 f1 14 60 b6 cd e1 aa 4c 20 83 04 39 4a 23 db d0 ca 3b b6 8b 94 4d 9f 48 7c 60 18 f2 31 07 f1 9a cf 08 76 d0 73 ac 9c d6 f3 ac 26 67 62 6c 7d 12 6b 09 28 28 99 28 c0 5b 4d 13 a8 ad be fb 43 24 70 4f 1c 48 c5 91 b3 35 3b 74 fb 6b 98 fb df 0f ef 91 af 24 e9 22 a2 7a 1b 16 88 ac 9d 9a 85 f8 f3 23 d2 c7 18 f4 bd 31 e9 7f 02 6a d7 1a 18 9b ssl_decrypt_record: allocating 540 bytes for decrypt data (old len 32) Plaintext[508]: 52 45 47 49 53 54 45 52 20 73 69 70 3a 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 20 53 49 50 2f 32 2e 30 0d 0a 56 69 61 3a 20 53 49 50 2f 32 2e 30 2f 54 4c 53 20 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 62 72 61 6e 63 68 3d 7a 39 68 47 34 62 4b 36 33 33 32 32 31 36 33 30 0d 0a 46 72 6f 6d 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 31 32 37 39 38 38 34 36 30 36 0d 0a 54 6f 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 0d 0a 43 61 6c 6c 2d 49 44 3a 20 38 30 30 35 33 37 33 39 33 40 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 43 53 65 71 3a 20 31 20 52 45 47 49 53 54 45 52 0d 0a 43 6f 6e 74 61 63 74 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 74 72 61 6e 73 70 6f 72 74 3d 54 4c 53 3e 0d 0a 41 6c 6c 6f 77 3a 20 49 4e 56 49 54 45 2c 20 49 4e 46 4f 2c 20 50 52 41 43 4b 2c 20 41 43 4b 2c 20 42 59 45 2c 20 43 41 4e 43 45 4c 2c 20 4f 50 54 49 4f 4e 53 2c 20 4e 4f 54 49 46 59 2c 20 52 45 47 49 53 54 45 52 2c 20 53 55 42 53 43 52 49 42 45 2c 20 52 45 46 45 52 2c 20 50 55 42 4c 49 53 48 2c 20 55 50 44 41 54 45 2c 20 4d 45 53 53 41 47 45 0d 0a 4d 61 78 2d 46 6f 72 77 61 72 64 73 3a 20 37 30 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 59 65 61 6c 69 6e 6b 20 53 49 50 2d 54 32 38 50 20 32 2e 36 31 2e 30 2e 37 30 0d 0a 45 78 70 69 72 65 73 3a 20 36 30 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 0d 0a 8c 2f bf 4e df 16 d6 8f 3e b0 cb 65 72 52 e5 28 checking mac (len 492, version 301, ct 23 seq 1) tls_check_mac mac type:MD5 md 1 Mac[16]: 8c 2f bf 4e df 16 d6 8f 3e b0 cb 65 72 52 e5 28 ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 492, seq = 0, nxtseq = 492 association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 492 decrypted app data fragment: REGISTER sip:10.0.4.63:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK633221630

From: <sip:[email protected]:5061>;tag=1279884606

To: <sip:[email protected]:5061>

Call-ID: [email protected]

CSeq: 1 REGISTER

Contact: <sip:[email protected]:5062;transport=TLS>

Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Expires: 60

Content-Length: 0

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #19 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 523 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 518, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #20 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 523 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 518, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #22 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 677 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 672, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 672 Ciphertext[672]: 6e 67 b7 b4 af ed f2 e2 8e b7 f3 d2 f0 d6 2c 72 7f c8 06 23 e4 44 98 d0 5c d4 61 9d 8f 80 a5 9b ec d8 b0 65 f6 f6 67 8e 1b e0 87 d5 f7 ea eb 78 dd 3a d8 e1 e5 2d b3 df ed df 09 af 99 ab 5a be c7 d0 e9 6e 63 d5 cd 91 ef 30 9e 9d ce 2c d5 56 19 e2 98 a1 6e 15 0b ce 5f 40 ab dc 1b 48 8d 18 94 f6 6c 60 ea 1d fa 27 8b 89 e4 7f ed c2 3b 8c c3 3a 18 e5 88 7a ee 75 cf 7e cb 64 b4 73 a0 d5 11 a3 6a 4c 37 56 d3 04 a2 46 33 1e d0 b2 32 e3 e6 bc 47 be c1 39 bb ff d2 a0 d5 5c 02 f0 dd 97 c2 bc b6 ff 75 df 15 1d 8d 3b aa ab 43 e3 2e 20 44 4a 65 99 53 33 75 ce 6f 00 8c 8a 79 01 26 3f 59 f3 56 ce c7 a1 39 d5 8c 64 f0 c9 5f f3 55 29 ad be 1a 32 76 e5 da d8 d3 db 03 b5 17 de 9c e4 80 dc 17 8c 68 89 73 28 13 b0 92 48 4b e1 7d 91 23 24 c8 be 3e 4c c6 93 59 ff 8a 57 b4 54 66 3e a6 bd 93 c4 7d d8 60 1c 59 bb 24 f6 25 da 46 39 51 2f b7 cb 59 fe 85 76 6c 9a 14 b5 b4 ce 38 2e f1 33 99 e1 d0 5a eb 2d 7f cd a4 44 c4 20 de 7b c5 19 96 3f 35 94 22 9e 1c e3 b2 fc 36 86 08 95 a9 cf 07 d0 75 9a 7b f0 ee a8 f7 8f 47 a1 17 e3 50 46 21 04 56 a8 cb 04 e3 c5 a9 d2 f6 8c 0c e8 db 08 b8 d0 2d 4f fd ed 61 4a 5e 92 b1 ab 8d fc 4e 86 c5 94 95 36 13 59 e8 f6 5a c2 bd c2 20 c6 f5 74 e6 34 26 b1 fc 69 da 48 72 f2 23 4c 71 fc c0 af 12 f9 4a e6 dd c6 e8 a8 7f 67 90 52 c1 1e a2 bb 78 00 a8 44 36 4a c5 8b d7 97 50 ea f1 10 30 ac 88 99 4c a6 6d 0a 34 59 99 c8 cf 3e ff a0 e2 3f ea be 0a f9 05 fc c6 24 91 89 1a b1 a9 23 8e af 84 0c de 92 67 41 2c c6 86 05 bf 52 46 69 45 7e 63 61 0a 8c 3b c6 ed a2 40 b3 74 2e 34 ce 4f d0 41 84 49 29 2b 3a 63 1a 7e 38 40 04 f8 62 1a ea c5 08 e6 8a 2e 0b 0c 9a 10 f2 1a ff d6 52 5a 10 22 b8 40 18 cd 66 93 3e 42 f4 d6 43 d1 6a 9a 86 7f 93 f8 f1 f2 90 3f cc 92 a1 a5 ff 58 7d 1f 43 90 de 7f 32 bb 2d 3a bf 77 71 32 e3 63 46 ef 9e a6 99 d2 de 00 74 b8 f3 32 3e 57 af 1d b0 41 aa 70 fc b0 df e9 54 fc c9 a4 95 73 40 4f d9 2d ef c8 8b a9 f3 a0 d0 68 13 d6 f0 1d 26 bb 0a 3e e5 ed 82 40 b1 a4 95 db 2d 47 9e 5c 36 de 71 ef 2f 56 9a 95 a6 65 aa 6b ab c7 3e b1 35 5d fe 77 e0 6c 68 c7 87 64 82 4b a7 24 17 5a af 64 2d ssl_decrypt_record: allocating 704 bytes for decrypt data (old len 540) Plaintext[672]: 52 45 47 49 53 54 45 52 20 73 69 70 3a 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 20 53 49 50 2f 32 2e 30 0d 0a 56 69 61 3a 20 53 49 50 2f 32 2e 30 2f 54 4c 53 20 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 62 72 61 6e 63 68 3d 7a 39 68 47 34 62 4b 31 38 34 37 32 38 33 38 38 30 0d 0a 46 72 6f 6d 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 31 32 37 39 38 38 34 36 30 36 0d 0a 54 6f 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 0d 0a 43 61 6c 6c 2d 49 44 3a 20 38 30 30 35 33 37 33 39 33 40 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 43 53 65 71 3a 20 32 20 52 45 47 49 53 54 45 52 0d 0a 43 6f 6e 74 61 63 74 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 74 72 61 6e 73 70 6f 72 74 3d 54 4c 53 3e 0d 0a 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 20 44 69 67 65 73 74 20 75 73 65 72 6e 61 6d 65 3d 22 74 65 73 74 30 30 31 22 2c 20 72 65 61 6c 6d 3d 22 43 61 6c 6c 2d 65 58 22 2c 20 6e 6f 6e 63 65 3d 22 31 33 35 36 61 37 37 62 22 2c 20 75 72 69 3d 22 73 69 70 3a 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 22 2c 20 72 65 73 70 6f 6e 73 65 3d 22 37 31 31 38 65 39 32 32 38 62 65 62 32 37 31 33 34 35 61 30 66 65 32 62 63 38 61 64 32 33 33 32 22 2c 20 61 6c 67 6f 72 69 74 68 6d 3d 4d 44 35 0d 0a 41 6c 6c 6f 77 3a 20 49 4e 56 49 54 45 2c 20 49 4e 46 4f 2c 20 50 52 41 43 4b 2c 20 41 43 4b 2c 20 42 59 45 2c 20 43 41 4e 43 45 4c 2c 20 4f 50 54 49 4f 4e 53 2c 20 4e 4f 54 49 46 59 2c 20 52 45 47 49 53 54 45 52 2c 20 53 55 42 53 43 52 49 42 45 2c 20 52 45 46 45 52 2c 20 50 55 42 4c 49 53 48 2c 20 55 50 44 41 54 45 2c 20 4d 45 53 53 41 47 45 0d 0a 4d 61 78 2d 46 6f 72 77 61 72 64 73 3a 20 37 30 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 59 65 61 6c 69 6e 6b 20 53 49 50 2d 54 32 38 50 20 32 2e 36 31 2e 30 2e 37 30 0d 0a 45 78 70 69 72 65 73 3a 20 36 30 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 0d 0a 0a 53 eb b7 50 8b 49 11 01 51 1b f2 75 b5 2a 2f checking mac (len 656, version 301, ct 23 seq 2) tls_check_mac mac type:MD5 md 1 Mac[16]: 0a 53 eb b7 50 8b 49 11 01 51 1b f2 75 b5 2a 2f ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 656, seq = 492, nxtseq = 1148 association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 656 decrypted app data fragment: REGISTER sip:10.0.4.63:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK1847283880

From: <sip:[email protected]:5061>;tag=1279884606

To: <sip:[email protected]:5061>

Call-ID: [email protected]

CSeq: 2 REGISTER

Contact: <sip:[email protected]:5062;transport=TLS>

Authorization: Digest username="test001", realm="Call-eX", nonce="1356a77b", uri="sip:10.0.4.63:5061", response="7118e9228beb271345a0fe2bc8ad2332", algorithm=MD5

Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Expires: 60

Content-Length: 0

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #23 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 554 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 549, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #24 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 554 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 549, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #26 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 904 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 899, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 899 Ciphertext[899]: 2a c5 1c f1 2e d6 04 fc e9 c3 2b b0 a1 ee 76 bf 48 d3 84 a0 8f 32 e4 bb 5e 66 93 20 eb c8 78 3a 68 95 45 77 20 66 5c b0 c3 2c 33 fb a9 a1 18 18 60 8d cd ee 47 8d 5d 4e 98 c7 9f 56 cb f9 63 06 fb 99 b2 28 60 bc ee 7f 58 ee bd 0a f9 7b 0c ef 06 77 b3 94 f1 dd 68 2d 96 9f 37 b3 d5 6d 13 5e 3b 47 8e ab 40 e5 da 71 27 d1 05 90 70 fb e4 4a 04 0b 35 4c 40 f2 32 89 9b ef 98 2c d3 5b 52 5d 5d 7f 2b b2 8c 45 cb 5c 29 28 e7 21 0e 76 13 18 90 18 ba 0e af 21 52 eb 3c f0 c2 1f ec 90 4e 9d 8f c6 e9 58 05 3a 17 30 0d d4 a3 32 74 15 78 f2 18 19 dc 96 8b 51 97 8f b0 ab c9 4d 31 1f 7e 82 9a d5 a8 ac 49 e6 2e 97 e6 14 43 ec 6b 58 ba ab 82 ff 7a 65 f6 3a 1d 33 bd ee be cb dc 04 46 97 92 2a 33 c7 40 78 db a8 6e 14 ba b5 20 dd 84 c8 61 cc 59 7d 47 f8 6e 35 50 c5 8a ff fa cd 0e 24 e4 6e ca f8 b5 fb 05 7f 01 22 c1 7d 8c 11 4b b2 b5 06 60 03 05 78 7a 3b 29 be 94 dc b8 c9 58 fd 28 cb 31 0e 73 63 d7 85 da a2 59 e5 a0 6c 04 fc a9 77 ee 41 11 f3 df ad ae c0 3c 06 54 3c 0d 91 94 a3 12 06 53 81 a4 c0 82 c8 6d f4 4f eb 5d 6a e3 cf fd 7b 27 1c 8b bc ea 5a 74 ae b8 17 21 5d a7 10 5c 25 cc 74 fb ad 44 bb 3c e5 0e 79 fd f9 4e 38 0f 38 b1 79 be 33 4d fe 91 ab 2b e2 0a f1 d0 ac 02 84 f7 9d 51 40 09 b6 51 17 f0 82 1c 74 75 02 27 f8 84 b0 7e 11 2d 50 02 10 a3 ce 03 73 63 c4 6d 12 2a d9 c5 a4 6f 4c 08 f4 63 f9 04 82 26 af 11 e4 14 dc 47 e4 be 99 9c eb 56 59 97 c5 70 d2 cd 0b 62 9d 15 5b 71 52 67 2f 76 2f b3 52 1e 40 80 5a 7f 00 f5 b5 c9 7a 9f 31 f3 ca 58 62 ca 31 34 93 5d 82 e7 2b 7e 9f 21 57 56 5c bc 2f 0a 09 a8 5b bf 5a c3 c8 f4 ad eb d5 87 fa c3 3e 36 82 65 43 30 99 51 43 60 44 62 7d 21 5c 0c 0a 8b 62 84 20 7c 01 af 3d 57 55 8d d0 d9 09 e5 78 03 2f 1d 73 c3 df 44 69 b9 29 72 a2 e0 44 d5 a9 44 30 3d d8 2b 64 30 c8 07 f3 11 63 50 49 b8 76 5a 97 19 42 a4 fe d7 e1 f4 09 67 20 cb 87 67 03 f3 f6 61 24 40 34 46 78 17 7a a8 53 97 35 9b ef 35 93 cd 89 f1 7b 94 c4 68 01 87 d4 f8 81 95 af c0 0d 42 d2 c6 8e e7 23 e7 96 99 29 dc 86 27 1e c6 3e 37 e1 f7 02 39 d3 22 a8 08 30 11 03 c0 91 1e 12 4d ff 1f eb 8b ad 46 11 ac e0 f6 08 b4 e1 cb f9 e4 71 1e b9 7b 1e 8e 57 7e 64 af 8a dc e4 69 58 c8 70 43 46 ae bc 6f d1 6e 83 39 61 a1 7b 47 f2 7c 76 0e 23 06 b9 3c 6c 37 fa 55 fe cc ae cc 89 f3 48 be 61 18 53 0a 5c 01 86 9b 1e f1 f4 60 fb 66 84 75 df 2e 37 9a 13 af 8f 26 87 91 38 79 36 18 8a f4 2d 0d 0a 9e 1f 6f 96 6f 14 ca f0 64 3e 02 0b b5 73 41 3d 50 38 60 ba 0d df a6 fe a1 88 ca 99 a6 22 6a 34 64 0d 43 c4 b9 7b c3 f8 5f 31 a3 35 2b 95 81 ce f5 b3 a4 af 43 9c c8 48 6a 88 ec dd 4c 98 01 89 43 53 34 69 b3 33 ad 1f d4 02 7a 95 ed c5 84 77 a0 67 f1 61 4d 32 d9 13 e5 52 aa e2 b4 74 6b 62 44 3c 89 4b 59 8b f7 28 0b 67 d8 ea d9 0a 30 67 c7 02 69 64 18 80 4a 54 06 e3 49 b4 3b 15 24 92 fd 51 f0 67 14 5c 2b ac c8 ba 3a ssl_decrypt_record: allocating 931 bytes for decrypt data (old len 704) Plaintext[899]: 49 4e 56 49 54 45 20 73 69 70 3a 31 32 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 20 53 49 50 2f 32 2e 30 0d 0a 56 69 61 3a 20 53 49 50 2f 32 2e 30 2f 54 4c 53 20 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 62 72 61 6e 63 68 3d 7a 39 68 47 34 62 4b 31 39 39 35 33 39 37 39 38 30 0d 0a 46 72 6f 6d 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 36 30 37 34 39 31 33 32 39 0d 0a 54 6f 3a 20 3c 73 69 70 3a 31 32 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 0d 0a 43 61 6c 6c 2d 49 44 3a 20 31 30 37 31 31 32 39 39 35 31 40 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 43 53 65 71 3a 20 31 20 49 4e 56 49 54 45 0d 0a 43 6f 6e 74 61 63 74 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 74 72 61 6e 73 70 6f 72 74 3d 54 4c 53 3e 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 73 64 70 0d 0a 41 6c 6c 6f 77 3a 20 49 4e 56 49 54 45 2c 20 49 4e 46 4f 2c 20 50 52 41 43 4b 2c 20 41 43 4b 2c 20 42 59 45 2c 20 43 41 4e 43 45 4c 2c 20 4f 50 54 49 4f 4e 53 2c 20 4e 4f 54 49 46 59 2c 20 52 45 47 49 53 54 45 52 2c 20 53 55 42 53 43 52 49 42 45 2c 20 52 45 46 45 52 2c 20 50 55 42 4c 49 53 48 2c 20 55 50 44 41 54 45 2c 20 4d 45 53 53 41 47 45 0d 0a 4d 61 78 2d 46 6f 72 77 61 72 64 73 3a 20 37 30 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 59 65 61 6c 69 6e 6b 20 53 49 50 2d 54 32 38 50 20 32 2e 36 31 2e 30 2e 37 30 0d 0a 53 75 70 70 6f 72 74 65 64 3a 20 72 65 70 6c 61 63 65 73 0d 0a 41 6c 6c 6f 77 2d 45 76 65 6e 74 73 3a 20 74 61 6c 6b 2c 68 6f 6c 64 2c 63 6f 6e 66 65 72 65 6e 63 65 2c 72 65 66 65 72 2c 63 68 65 63 6b 2d 73 79 6e 63 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 33 30 32 0d 0a 0d 0a 76 3d 30 0d 0a 6f 3d 2d 20 32 30 30 30 30 20 32 30 30 30 30 20 49 4e 20 49 50 34 20 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 73 3d 53 44 50 20 64 61 74 61 0d 0a 63 3d 49 4e 20 49 50 34 20 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 74 3d 30 20 30 0d 0a 6d 3d 61 75 64 69 6f 20 31 31 37 38 30 20 52 54 50 2f 41 56 50 20 30 20 38 20 31 38 20 39 20 31 30 31 0d 0a 61 3d 72 74 70 6d 61 70 3a 30 20 50 43 4d 55 2f 38 30 30 30 0d 0a 61 3d 72 74 70 6d 61 70 3a 38 20 50 43 4d 41 2f 38 30 30 30 0d 0a 61 3d 72 74 70 6d 61 70 3a 31 38 20 47 37 32 39 2f 38 30 30 30 0d 0a 61 3d 66 6d 74 70 3a 31 38 20 61 6e 6e 65 78 62 3d 6e 6f 0d 0a 61 3d 72 74 70 6d 61 70 3a 39 20 47 37 32 32 2f 38 30 30 30 0d 0a 61 3d 66 6d 74 70 3a 31 30 31 20 30 2d 31 35 0d 0a 61 3d 72 74 70 6d 61 70 3a 31 30 31 20 74 65 6c 65 70 68 6f 6e 65 2d 65 76 65 6e 74 2f 38 30 30 30 0d 0a 61 3d 70 74 69 6d 65 3a 32 30 0d 0a 61 3d 73 65 6e 64 72 65 63 76 0d 0a 10 69 30 60 1b 65 e5 22 93 1f ce 8f 46 28 01 a0 checking mac (len 883, version 301, ct 23 seq 3) tls_check_mac mac type:MD5 md 1 Mac[16]: 10 69 30 60 1b 65 e5 22 93 1f ce 8f 46 28 01 a0 ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 883, seq = 1148, nxtseq = 2031 association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 883 decrypted app data fragment: INVITE sip:[email protected]:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK1995397980

From: <sip:[email protected]:5061>;tag=607491329

To: <sip:[email protected]:5061>

Call-ID: [email protected]

CSeq: 1 INVITE

Contact: <sip:[email protected]:5062;transport=TLS>

Content-Type: application/sdp

Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Supported: replaces

Allow-Events: talk,hold,conference,refer,check-sync

Content-Length: 302

v=0

o=- 20000 20000 IN IP4 10.0.0.172

s=SDP data

c=IN IP4 10.0.0.172

t=0 0

m=audio 11780 RTP/AVP 0 8 18 9 101

a=rtpmap:0 PCMU/8000

a=rtpmap:8 PCMA/8000

a=rtpmap:18 G729/8000

a=fmtp:18 annexb=no

a=rtpmap:9 G722/8000

a=fmtp:101 0-15

a=rtpmap:101 telephone-event/8000

a=ptime:20

a=sendrecv

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #27 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 517 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 512, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #28 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 517 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 512, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #30 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 275 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 270, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 270 Ciphertext[270]: 13 9f d1 a9 be bb c9 d3 40 1b ab 82 25 09 19 5c a4 18 2f c4 26 f3 44 5c b2 32 50 9c 52 67 9d c9 a5 19 41 4e dd b5 05 ec 55 da ba 7f 84 b6 17 a7 87 03 12 5e f8 13 a4 c4 fa 61 f4 91 14 f7 74 e8 22 00 7f 5c 93 d5 a7 a7 15 fc 0b 00 6e 68 1d 59 f7 e0 a2 26 78 05 15 d9 5e 26 62 67 1d b2 73 82 88 4d 4f c6 59 a3 32 c0 6a 80 31 b9 af 92 1d da 29 b4 4e ad f8 bc 8a 31 f6 3a 12 05 6f 2d a3 4e a2 38 f1 83 9d 8c f8 01 a0 40 cd e2 53 af 8f 44 57 e3 9e 24 bb 72 68 ac 6d 95 41 18 c4 a7 70 d0 32 98 af 49 97 42 08 d2 ea d7 95 81 1a 6f c1 76 f3 47 a4 77 11 b6 99 9c aa 90 2d f6 03 99 8c 4b 29 a7 df c6 1e fb e6 85 09 7d 0f 42 55 2a 0e 16 bd fd b6 fa eb 06 77 bc e9 5c ed 2b ca 50 9b 10 dc 83 02 b7 30 a8 96 d9 08 f8 45 83 09 5d 75 a4 ce 42 6e 8b 5f 99 60 40 5e 78 94 df 09 6f e5 08 e7 30 92 f0 dc 92 dc 48 c8 8d ba 1e b4 53 Plaintext[270]: 41 43 4b 20 73 69 70 3a 31 32 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 20 53 49 50 2f 32 2e 30 0d 0a 56 69 61 3a 20 53 49 50 2f 32 2e 30 2f 54 4c 53 20 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 62 72 61 6e 63 68 3d 7a 39 68 47 34 62 4b 31 39 39 35 33 39 37 39 38 30 0d 0a 46 72 6f 6d 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 36 30 37 34 39 31 33 32 39 0d 0a 54 6f 3a 20 3c 73 69 70 3a 31 32 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 61 73 35 38 31 38 30 32 35 63 0d 0a 43 61 6c 6c 2d 49 44 3a 20 31 30 37 31 31 32 39 39 35 31 40 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 43 53 65 71 3a 20 31 20 41 43 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 0d 0a e9 24 cb 24 90 ab ce 06 e4 77 f9 01 3e 49 59 02 checking mac (len 254, version 301, ct 23 seq 4) tls_check_mac mac type:MD5 md 1 Mac[16]: e9 24 cb 24 90 ab ce 06 e4 77 f9 01 3e 49 59 02 ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 254, seq = 2031, nxtseq = 2285 association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 254 decrypted app data fragment: ACK sip:[email protected]:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK1995397980

From: <sip:[email protected]:5061>;tag=607491329

To: <sip:[email protected]:5061>;tag=as5818025c

Call-ID: [email protected]

CSeq: 1 ACK

Content-Length: 0

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #33 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 1070 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 1065, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 1065 Ciphertext[1065]: af ec ba 53 3b a6 5c 51 6d b5 35 6b 35 14 cc a2 c9 04 ab 47 2c 34 73 d5 eb 71 d6 56 bb 40 df ca 72 26 fa 13 ce cd 33 e7 b2 a0 81 ad bc df 88 43 82 06 5a 05 d7 1d 01 cc 5c bc de 42 43 2c 66 53 fd b1 69 36 db d4 f6 c8 6d fe 28 fb d6 a2 6e 4a 92 c1 f7 28 f0 4a 73 5a 26 85 51 af 1c 94 0a 1f 1c b1 e5 98 c0 d8 f7 79 0c 4e 05 5b 39 a9 08 b4 ed 22 94 47 70 d7 ea 8c 22 c9 92 26 f5 af b6 1f db 1a 6f 90 28 1a db 97 43 fb de f5 df 66 02 5d d0 ae 99 e2 32 8c 60 57 b9 41 f3 56 f8 db cc 17 cb 48 3d cc 18 40 c8 11 57 8d 71 ca 21 08 ef eb da 7b ea 32 a2 8b c3 bd be 2b 79 f2 55 4a 34 e9 ee 8a ca 95 32 32 96 d6 c9 4d 5d 88 cb 59 f7 95 68 5c fa 0c f1 1d fb 95 46 8c 7e b3 43 9e 25 27 c0 7b 4e 6b 82 96 07 7c 76 b5 a2 49 41 66 f6 e0 04 ca 88 6b 36 78 15 89 cb 00 14 a3 ec e1 b6 80 89 9a dd 65 37 9f e0 41 b9 6c 00 e5 76 65 d1 ae 78 9b dd 36 93 7a c5 6f ad 96 f9 fa 54 98 3d 4a a0 57 b7 d1 93 28 b6 b1 50 ea 67 87 56 70 f0 9f 36 c2 44 fe 94 e8 b4 69 a9 70 f0 14 6f 03 8a 9a 37 29 24 17 04 a6 83 bf ee 37 89 ca 64 f3 b6 ea 8d aa 4e 28 ba d4 7b 98 0f 95 1b d8 3c ae aa 7c b4 20 b4 b8 96 c1 a8 84 c7 85 2b 48 6b e2 3a fa d6 3b e0 7d ef f7 e9 79 ca 7c 31 c6 09 5a db 80 01 8c da 6c 10 cd 40 e6 8c 18 fe d1 42 8a 91 7c c7 8c 70 68 5b f9 2f e9 81 5a 75 78 c8 14 0a ed be a4 16 da 68 8b 52 1b 37 83 d1 ba 28 f5 82 f7 ee 01 d5 41 2e a6 15 ae 67 cf 17 ca ec 78 73 c9 3f 7e 3c 25 bc 60 1a 28 0e e1 9c 3d 53 05 aa b3 7e 17 c1 f9 c5 f9 62 cf bc bd 9a e8 81 21 10 e2 2e 22 80 67 da bb 71 10 05 c0 a4 cc 3b 52 86 6b 85 40 d7 44 9f 1c eb a2 aa 03 b6 98 44 6b 42 29 fe 85 9c 77 22 06 ff 81 1d 5a b8 ac 0f 9a 65 39 1f 01 02 54 0f f1 eb 83 a1 d6 47 d8 77 59 a6 ff 38 ec 4b 55 87 58 0f ac d9 af 33 cf 0a a0 d7 07 68 2d 69 e1 84 96 41 ed 38 34 a9 4d 20 32 d3 cd 39 09 7d bd 67 87 c4 4a d7 d9 79 0f f2 22 ba 06 dd e3 00 fa f7 9c cd 3a 31 36 5d c0 e2 e4 ce d2 5d 10 f3 08 a9 8b 11 78 ee a7 92 85 27 e3 c8 db 00 f3 b6 a7 9c 07 d4 cd b0 ef 31 19 bc 50 32 18 fe d6 9b 4e 9d e3 c0 90 15 ba 30 05 8c 93 8f 38 01 96 a8 ca aa 3d d0 5b c0 91 69 24 c8 9c 58 8c 47 b5 f6 4a af d2 f4 bd b1 b1 1f 59 52 7b e0 bd e4 a0 75 a6 15 6f 3c 8a b3 2b 8f 52 38 f1 be 0c 35 3d 92 29 93 4d 69 be 7b e8 dc c8 1e b4 e4 b8 23 dd 2c a3 85 99 16 d1 4c be 88 fe 4c 95 db 92 00 ae 57 7a f6 49 b2 cb 5f f4 0d ca 35 10 d5 71 dc ca 24 98 7a 01 8f 6f 19 54 54 34 e1 b2 14 d7 6a 7b 90 cd 1d b2 9a fd 48 bd 36 93 53 56 9b 2a 38 ea 37 52 ab 82 87 17 15 4a 52 eb 69 80 ae 7c 30 68 c8 20 c7 76 43 a6 e1 c9 bb 6e 38 11 23 63 fb 6b 22 24 3f 63 97 31 d2 fe a4 07 4d 68 d8 96 d7 38 60 f4 65 b0 c6 5c 91 23 22 04 39 d8 f7 dc 3f a0 28 65 ce d8 f7 41 90 02 2d 99 5c 6f 29 71 cd fb a9 d5 73 13 c8 32 6f 8f dc 74 ec e3 ff 1c 8f 70 f5 3a 86 4d 9f bd 6e 05 9e da 52 0b b0 7d bc 96 5f 29 2c 7f 04 ad 61 2e 17 59 5f ff 7f fc 3f 42 94 49 f7 d5 71 84 10 46 43 ed 8a e9 3c e9 d7 a9 61 67 97 e5 0a 3e b6 02 44 3f 7f 1b 91 5a af 1a e1 3f 16 08 51 7c e2 70 48 67 6d f5 4d d5 2d 60 07 2c bd 75 ff 06 e3 f0 df bd 22 0d 48 14 fb d5 a3 c3 d2 9b 05 f8 db 2a f7 51 48 ad 2c d3 a9 aa 2a 06 16 3c d6 0a 76 02 93 f0 57 05 6f eb 4c ce 3e dc 11 50 c3 ea f1 e2 e4 35 94 29 97 22 06 e8 aa 82 27 43 de e2 4c 9a 41 8e e5 23 cd 31 e6 cf b9 a1 dc 30 92 d9 95 4a b6 e8 05 fd 0a 4a c2 43 62 c6 b6 bf 2c f1 df ssl_decrypt_record: allocating 1097 bytes for decrypt data (old len 931) Plaintext[1065]: 49 4e 56 49 54 45 20 73 69 70 3a 31 32 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 20 53 49 50 2f 32 2e 30 0d 0a 56 69 61 3a 20 53 49 50 2f 32 2e 30 2f 54 4c 53 20 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 62 72 61 6e 63 68 3d 7a 39 68 47 34 62 4b 31 38 31 31 34 35 38 35 35 38 0d 0a 46 72 6f 6d 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 36 30 37 34 39 31 33 32 39 0d 0a 54 6f 3a 20 3c 73 69 70 3a 31 32 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 0d 0a 43 61 6c 6c 2d 49 44 3a 20 31 30 37 31 31 32 39 39 35 31 40 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 43 53 65 71 3a 20 32 20 49 4e 56 49 54 45 0d 0a 43 6f 6e 74 61 63 74 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 74 72 61 6e 73 70 6f 72 74 3d 54 4c 53 3e 0d 0a 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 20 44 69 67 65 73 74 20 75 73 65 72 6e 61 6d 65 3d 22 74 65 73 74 30 30 31 22 2c 20 72 65 61 6c 6d 3d 22 43 61 6c 6c 2d 65 58 22 2c 20 6e 6f 6e 63 65 3d 22 35 33 61 34 61 36 34 39 22 2c 20 75 72 69 3d 22 73 69 70 3a 31 32 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 22 2c 20 72 65 73 70 6f 6e 73 65 3d 22 34 35 38 61 31 32 38 63 31 30 30 63 32 61 31 34 36 37 65 37 61 36 35 63 34 66 30 62 66 63 35 62 22 2c 20 61 6c 67 6f 72 69 74 68 6d 3d 4d 44 35 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 73 64 70 0d 0a 41 6c 6c 6f 77 3a 20 49 4e 56 49 54 45 2c 20 49 4e 46 4f 2c 20 50 52 41 43 4b 2c 20 41 43 4b 2c 20 42 59 45 2c 20 43 41 4e 43 45 4c 2c 20 4f 50 54 49 4f 4e 53 2c 20 4e 4f 54 49 46 59 2c 20 52 45 47 49 53 54 45 52 2c 20 53 55 42 53 43 52 49 42 45 2c 20 52 45 46 45 52 2c 20 50 55 42 4c 49 53 48 2c 20 55 50 44 41 54 45 2c 20 4d 45 53 53 41 47 45 0d 0a 4d 61 78 2d 46 6f 72 77 61 72 64 73 3a 20 37 30 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 59 65 61 6c 69 6e 6b 20 53 49 50 2d 54 32 38 50 20 32 2e 36 31 2e 30 2e 37 30 0d 0a 53 75 70 70 6f 72 74 65 64 3a 20 72 65 70 6c 61 63 65 73 0d 0a 41 6c 6c 6f 77 2d 45 76 65 6e 74 73 3a 20 74 61 6c 6b 2c 68 6f 6c 64 2c 63 6f 6e 66 65 72 65 6e 63 65 2c 72 65 66 65 72 2c 63 68 65 63 6b 2d 73 79 6e 63 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 33 30 32 0d 0a 0d 0a 76 3d 30 0d 0a 6f 3d 2d 20 32 30 30 30 30 20 32 30 30 30 30 20 49 4e 20 49 50 34 20 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 73 3d 53 44 50 20 64 61 74 61 0d 0a 63 3d 49 4e 20 49 50 34 20 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 74 3d 30 20 30 0d 0a 6d 3d 61 75 64 69 6f 20 31 31 37 38 30 20 52 54 50 2f 41 56 50 20 30 20 38 20 31 38 20 39 20 31 30 31 0d 0a 61 3d 72 74 70 6d 61 70 3a 30 20 50 43 4d 55 2f 38 30 30 30 0d 0a 61 3d 72 74 70 6d 61 70 3a 38 20 50 43 4d 41 2f 38 30 30 30 0d 0a 61 3d 72 74 70 6d 61 70 3a 31 38 20 47 37 32 39 2f 38 30 30 30 0d 0a 61 3d 66 6d 74 70 3a 31 38 20 61 6e 6e 65 78 62 3d 6e 6f 0d 0a 61 3d 72 74 70 6d 61 70 3a 39 20 47 37 32 32 2f 38 30 30 30 0d 0a 61 3d 66 6d 74 70 3a 31 30 31 20 30 2d 31 35 0d 0a 61 3d 72 74 70 6d 61 70 3a 31 30 31 20 74 65 6c 65 70 68 6f 6e 65 2d 65 76 65 6e 74 2f 38 30 30 30 0d 0a 61 3d 70 74 69 6d 65 3a 32 30 0d 0a 61 3d 73 65 6e 64 72 65 63 76 0d 0a a9 eb bd 38 80 79 97 4f a3 d5 9c 57 e3 df 03 9a checking mac (len 1049, version 301, ct 23 seq 5) tls_check_mac mac type:MD5 md 1 Mac[16]: a9 eb bd 38 80 79 97 4f a3 d5 9c 57 e3 df 03 9a ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 1049, seq = 2285, nxtseq = 3334 association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 1049 decrypted app data fragment: INVITE sip:[email protected]:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK1811458558

From: <sip:[email protected]:5061>;tag=607491329

To: <sip:[email protected]:5061>

Call-ID: [email protected]

CSeq: 2 INVITE

Contact: <sip:[email protected]:5062;transport=TLS>

Authorization: Digest username="test001", realm="Call-eX", nonce="53a4a649", uri="sip:[email protected]:5061", response="458a128c100c2a1467e7a65c4f0bfc5b", algorithm=MD5

Content-Type: application/sdp

Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Supported: replaces

Allow-Events: talk,hold,conference,refer,check-sync

Content-Length: 302

v=0

o=- 20000 20000 IN IP4 10.0.0.172

s=SDP data

c=IN IP4 10.0.0.172

t=0 0

m=audio 11780 RTP/AVP 0 8 18 9 101

a=rtpmap:0 PCMU/8000

a=rtpmap:8 PCMA/8000

a=rtpmap:18 G729/8000

a=fmtp:18 annexb=no

a=rtpmap:9 G722/8000

a=fmtp:101 0-15

a=rtpmap:101 telephone-event/8000

a=ptime:20

a=sendrecv

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #36 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 469 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 464, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #37 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 469 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 464, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #39 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 485 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 480, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #40 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 485 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 480, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #42 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 675 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 670, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 670 Ciphertext[670]: 5f f9 62 c0 eb c7 e4 26 bc 27 bf 3b c4 7d 72 97 ab 31 07 46 56 fb 67 db 5e 1d 90 1c ab 70 b1 5a ba 79 8b 74 02 39 69 81 87 f5 96 e9 3b 18 1c 1c ca cd db fc ea 7d 0d c2 e3 08 23 2c 17 0b b2 34 02 95 d0 f0 38 4e 54 f6 2d 9c 8e c5 f7 78 e7 51 ca 44 24 ef 68 4a 34 8d b2 3b 26 d5 b2 72 71 9c 40 a0 2b 17 28 1a bd 5c 9f 91 d8 03 4c 73 d7 eb 75 1e 52 14 bc af 6b 45 67 41 d4 a5 df 54 67 de f2 8f 86 6f dc b5 50 8a c9 b2 aa 8d 88 b5 79 21 57 91 a9 58 1d 29 8e 2a a1 92 34 10 b4 a8 b3 7e b6 89 bf 06 69 0d b1 1e ec 9a e0 00 a0 a4 fd 25 a1 a5 48 8b 7b 03 a6 5f 5a f3 40 52 e5 04 82 0f 5d e3 61 af 45 17 95 5b 03 0d 31 29 1d 42 7e 41 33 ed 5a 34 68 c0 1d 02 c1 80 b5 73 04 1c 71 d0 a7 c3 ab 8b a9 c4 56 67 2b 6c 25 6c dc 2c 23 fa 8d 69 17 e8 75 fe 0f c0 a0 8c fb a2 88 de d8 1f 63 2a 7f 73 87 5a 14 ab 5f cd f0 53 1c cd 35 fb d1 c9 1d 15 59 26 b1 7d c3 ce 8d ef a5 5b 7e f2 1b e8 77 31 58 41 c0 37 e8 37 b2 cc ac d3 92 e6 ec 18 df df b0 53 bc 2d d3 a2 2c 0f c1 25 32 25 ff 83 a6 f5 54 0a ca b7 9f 0e fe 2d 68 fa be 33 b9 37 09 0c 40 00 c2 b3 9d f3 19 c9 3b cd 7c 17 0b af c8 69 e0 eb 5f 9e ad e7 31 4b 1c d7 24 31 64 22 20 08 5c 83 f0 aa f1 a1 94 25 03 9c 29 20 9d 1e cd c4 ea 85 38 a6 f8 91 e8 3e c6 60 fa 7c 04 88 6c d2 d4 db 65 ed 8c bc c2 d3 e4 db 8a ba c6 b2 a8 3b 74 2c 03 d5 f5 f5 c6 a7 04 de ef a7 82 41 45 53 ec 4f 73 55 e1 ab 9e aa c6 86 68 8f 1a 0f 6e 81 09 f1 41 d4 f1 54 39 93 63 76 2f b8 6f ae 6f d0 79 53 8c 83 f6 0d 66 b0 ef 25 b0 3d f3 67 46 ed 3e 49 36 dc 05 e8 05 7c 08 6a 04 6d e0 74 72 7c 54 15 d5 cf 8c a4 25 4b 6e 24 c9 13 15 c2 3e 73 c3 39 51 c0 58 35 8a 28 8f c8 68 ce 35 9d 36 20 53 1b ed f9 1d ae 20 32 f8 ee 70 51 b2 74 db ac 0c f0 ae db 64 9d cd 67 e9 56 f4 97 65 38 4d 30 30 31 67 9f 96 d9 d0 92 2a 2d 25 03 a3 87 dc 74 80 2d 7d 3f 98 f8 6e c8 e4 3f 01 de 8a ce 84 8a 45 c6 77 53 04 92 bc 7b 84 08 82 c2 2a ab 83 cf f1 a3 67 87 54 2f 2d 50 37 fb ad 46 20 6f 60 ad 2c b9 2a 97 a9 5a 61 8f 7b ff 37 76 f3 1f 7c ce 10 e6 91 52 9e 28 73 b4 3d 49 4f f9 2f 49 af 4d 34 40 e6 c6 64 d5 3f ac b3 69 Plaintext[670]: 52 45 47 49 53 54 45 52 20 73 69 70 3a 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 20 53 49 50 2f 32 2e 30 0d 0a 56 69 61 3a 20 53 49 50 2f 32 2e 30 2f 54 4c 53 20 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 62 72 61 6e 63 68 3d 7a 39 68 47 34 62 4b 38 34 36 38 31 39 33 34 0d 0a 46 72 6f 6d 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 31 32 37 39 38 38 34 36 30 36 0d 0a 54 6f 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 0d 0a 43 61 6c 6c 2d 49 44 3a 20 38 30 30 35 33 37 33 39 33 40 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 43 53 65 71 3a 20 33 20 52 45 47 49 53 54 45 52 0d 0a 43 6f 6e 74 61 63 74 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 74 72 61 6e 73 70 6f 72 74 3d 54 4c 53 3e 0d 0a 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 20 44 69 67 65 73 74 20 75 73 65 72 6e 61 6d 65 3d 22 74 65 73 74 30 30 31 22 2c 20 72 65 61 6c 6d 3d 22 43 61 6c 6c 2d 65 58 22 2c 20 6e 6f 6e 63 65 3d 22 31 33 35 36 61 37 37 62 22 2c 20 75 72 69 3d 22 73 69 70 3a 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 22 2c 20 72 65 73 70 6f 6e 73 65 3d 22 37 31 31 38 65 39 32 32 38 62 65 62 32 37 31 33 34 35 61 30 66 65 32 62 63 38 61 64 32 33 33 32 22 2c 20 61 6c 67 6f 72 69 74 68 6d 3d 4d 44 35 0d 0a 41 6c 6c 6f 77 3a 20 49 4e 56 49 54 45 2c 20 49 4e 46 4f 2c 20 50 52 41 43 4b 2c 20 41 43 4b 2c 20 42 59 45 2c 20 43 41 4e 43 45 4c 2c 20 4f 50 54 49 4f 4e 53 2c 20 4e 4f 54 49 46 59 2c 20 52 45 47 49 53 54 45 52 2c 20 53 55 42 53 43 52 49 42 45 2c 20 52 45 46 45 52 2c 20 50 55 42 4c 49 53 48 2c 20 55 50 44 41 54 45 2c 20 4d 45 53 53 41 47 45 0d 0a 4d 61 78 2d 46 6f 72 77 61 72 64 73 3a 20 37 30 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 59 65 61 6c 69 6e 6b 20 53 49 50 2d 54 32 38 50 20 32 2e 36 31 2e 30 2e 37 30 0d 0a 45 78 70 69 72 65 73 3a 20 36 30 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 0d 0a 25 cd a4 2f 59 43 78 84 74 8c 2f 76 2f 93 74 85 checking mac (len 654, version 301, ct 23 seq 6) tls_check_mac mac type:MD5 md 1 Mac[16]: 25 cd a4 2f 59 43 78 84 74 8c 2f 76 2f 93 74 85 ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 654, seq = 3334, nxtseq = 3988 association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 654 decrypted app data fragment: REGISTER sip:10.0.4.63:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK84681934

From: <sip:[email protected]:5061>;tag=1279884606

To: <sip:[email protected]:5061>

Call-ID: [email protected]0.0.0.172

CSeq: 3 REGISTER

Contact: <sip:[email protected]:5062;transport=TLS>

Authorization: Digest username="test001", realm="Call-eX", nonce="1356a77b", uri="sip:10.0.4.63:5061", response="7118e9228beb271345a0fe2bc8ad2332", algorithm=MD5

Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Expires: 60

Content-Length: 0

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #43 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 534 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 529, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #44 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 534 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 529, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #46 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 676 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 671, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 671 Ciphertext[671]: 83 9d d3 77 35 8e 56 17 f6 7a 30 e7 fb d9 34 23 5b 71 9d 28 aa d8 ed 8f ab a9 13 e4 37 e9 f4 03 fb a1 72 11 94 36 d3 64 7d 51 42 a7 16 1d 2e 83 4e fd 86 b6 5f de f2 7c 56 fd 0d 8a 41 36 10 d5 fd 32 39 8a 81 bc 18 d9 57 13 57 15 78 68 68 19 9b 82 45 1d 2f 1e f7 1e 70 33 5b 4e ea 28 40 68 3b af 53 3d f6 cc 47 97 c0 3c 63 ea e4 55 6b d3 a6 15 f4 46 bb e9 7d 53 0d 19 ea ee 09 1c e7 74 35 75 6c 0e f8 f8 d6 a4 01 81 60 cf 1f b3 f9 bc 27 f9 12 c7 3a fc 04 dd 98 43 e3 2d 56 c9 27 12 75 c9 0f f8 2e 48 c6 a7 8d 0d 7a 79 c3 8a 4d 3c 8c 06 7d 96 76 2b 3f e1 f1 07 60 fc a9 ba e7 d1 ea f1 43 a6 4a a0 cd e8 b0 0c f0 a4 9d 2e 3b 3c 19 52 da 42 c1 c2 a7 4c 32 4a 58 b7 aa 37 cd 9f e3 80 ca fe 9a 9e 1b 55 70 d3 9e 7f 76 8c ab 63 44 8b 1a 9b fc 02 6f df 62 b9 47 1b b9 74 16 15 a4 14 79 4f 13 ef 2d 3f 8c 27 24 d9 60 fd 8c 46 d5 ad a3 a5 a3 d1 dd 3f 16 02 8f 3d de 8d 63 7a 63 66 ae 2e 01 99 63 ca 18 1b 54 05 5d 9e 0d 67 67 60 f5 d6 4e 58 1b 5a 0a 3e ad 53 4f b7 30 59 4a 36 2f 66 20 c3 f0 bf bf 6b 8e 2d 90 39 55 fd 7c 7a 96 7a 8b 7c 53 d3 bb dc ee ba 55 1b cf 69 8a df 1a b9 56 b8 c4 b0 26 40 1a 09 6a c4 b5 5b c4 ed 2e d8 d4 0c 09 6a dd 1e d7 6f 29 63 b9 19 9c 0d 5e f6 1e 91 43 0d a6 c8 ba 5b 32 a3 7c df 78 c3 9b 2a d9 77 a1 2f aa 01 37 14 5d 96 da 4c 7e 73 1a c5 30 f6 f5 5a 0b 09 0f a9 ae fd 8a e2 75 c2 7b b4 c5 78 3c 22 60 22 cb 44 62 28 80 d8 15 17 6b e4 f8 02 76 9a a7 4f b6 3b 94 20 b1 18 44 9f e4 0f 3c 8a c5 1a 06 a5 4d e6 58 49 ee d3 8d 24 d6 f7 65 55 27 67 89 4b e5 70 3d d9 75 3a f7 eb cb 07 cb 6c c7 41 7e 18 24 42 3b 8a 78 45 79 b6 6f ee 14 0c 03 85 b3 c1 72 1b f0 85 af 01 61 27 54 1b e7 08 37 0d c6 5d 97 ed 48 05 2c a1 ff 50 ef 0e f2 28 86 2d 3b b1 1c cf 35 1f b2 9f 7b d1 e8 85 40 aa d1 c0 b5 fe 6e 8d 91 ae d6 e3 d1 70 ce 3c 19 80 05 09 61 8d 1f 51 70 2c 43 bb 81 ae a3 29 e8 aa 04 16 81 49 22 86 5b 32 1d 5e 9c 7b 50 d8 ea 36 96 09 e9 95 05 b8 aa f3 ea 3a 3b 4a 49 f5 73 47 9a 7f 38 18 00 c7 06 24 3a cb 83 56 97 d0 0c f0 9c 38 09 5e f3 96 c0 30 88 f0 c4 8b 39 34 6d f8 f3 c6 4e c0 22 35 56 ba 11 Plaintext[671]: 52 45 47 49 53 54 45 52 20 73 69 70 3a 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 20 53 49 50 2f 32 2e 30 0d 0a 56 69 61 3a 20 53 49 50 2f 32 2e 30 2f 54 4c 53 20 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 62 72 61 6e 63 68 3d 7a 39 68 47 34 62 4b 39 36 32 35 34 33 37 31 34 0d 0a 46 72 6f 6d 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 31 32 37 39 38 38 34 36 30 36 0d 0a 54 6f 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 0d 0a 43 61 6c 6c 2d 49 44 3a 20 38 30 30 35 33 37 33 39 33 40 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 43 53 65 71 3a 20 34 20 52 45 47 49 53 54 45 52 0d 0a 43 6f 6e 74 61 63 74 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 74 72 61 6e 73 70 6f 72 74 3d 54 4c 53 3e 0d 0a 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 20 44 69 67 65 73 74 20 75 73 65 72 6e 61 6d 65 3d 22 74 65 73 74 30 30 31 22 2c 20 72 65 61 6c 6d 3d 22 43 61 6c 6c 2d 65 58 22 2c 20 6e 6f 6e 63 65 3d 22 30 34 61 38 62 32 33 33 22 2c 20 75 72 69 3d 22 73 69 70 3a 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 22 2c 20 72 65 73 70 6f 6e 73 65 3d 22 34 64 39 66 36 30 30 31 36 64 32 37 63 38 38 31 64 30 62 34 32 35 34 63 35 34 63 61 38 64 38 30 22 2c 20 61 6c 67 6f 72 69 74 68 6d 3d 4d 44 35 0d 0a 41 6c 6c 6f 77 3a 20 49 4e 56 49 54 45 2c 20 49 4e 46 4f 2c 20 50 52 41 43 4b 2c 20 41 43 4b 2c 20 42 59 45 2c 20 43 41 4e 43 45 4c 2c 20 4f 50 54 49 4f 4e 53 2c 20 4e 4f 54 49 46 59 2c 20 52 45 47 49 53 54 45 52 2c 20 53 55 42 53 43 52 49 42 45 2c 20 52 45 46 45 52 2c 20 50 55 42 4c 49 53 48 2c 20 55 50 44 41 54 45 2c 20 4d 45 53 53 41 47 45 0d 0a 4d 61 78 2d 46 6f 72 77 61 72 64 73 3a 20 37 30 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 59 65 61 6c 69 6e 6b 20 53 49 50 2d 54 32 38 50 20 32 2e 36 31 2e 30 2e 37 30 0d 0a 45 78 70 69 72 65 73 3a 20 36 30 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 0d 0a 9d dd fb ba 35 9a b3 b4 32 82 63 85 9d 8a 96 11 checking mac (len 655, version 301, ct 23 seq 7) tls_check_mac mac type:MD5 md 1 Mac[16]: 9d dd fb ba 35 9a b3 b4 32 82 63 85 9d 8a 96 11 ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 655, seq = 3988, nxtseq = 4643 association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 655 decrypted app data fragment: REGISTER sip:10.0.4.63:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK962543714

From: <sip:[email protected]:5061>;tag=1279884606

To: <sip:[email protected]:5061>

Call-ID: [email protected]

CSeq: 4 REGISTER

Contact: <sip:[email protected]:5062;transport=TLS>

Authorization: Digest username="test001", realm="Call-eX", nonce="04a8b233", uri="sip:10.0.4.63:5061", response="4d9f60016d27c881d0b4254c54ca8d80", algorithm=MD5

Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Expires: 60

Content-Length: 0

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #47 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 553 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 548, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #48 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 553 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 548, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #50 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 784 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 779, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #51 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 784 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 779, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #55 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 401 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 396, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 396 Ciphertext[396]: d1 df 6e 63 67 3d 5e b1 2b ec b0 f8 50 af eb 6d 6f 90 59 18 2f b3 e7 70 b8 1f 67 db 5b 87 11 c7 d9 c1 28 54 2f 25 c6 a5 d0 ef b1 ac bf 71 f7 b5 ed bc 65 d1 58 05 1e 2b bc ac e7 09 ff 09 78 c0 17 9d b4 32 c8 4b c7 f6 f7 94 40 fe d6 af 54 6c ca 4d b5 ec 4d 44 85 9d 1a 3a 0e 0d a5 56 99 5d 7e 21 86 ed 12 a1 33 47 a1 b8 83 29 8d e9 8f 3a 01 10 62 d1 99 77 65 b6 d7 8a e9 e6 b9 a8 ef 3e db 88 6b 91 91 87 8f ce ba 4e df 1b ad 18 4f d4 65 b3 91 86 22 2f 5f 27 83 68 07 2e 42 ff 7c 70 a0 7f 9a 2d 90 2f 07 3c b9 b0 54 66 d1 53 d7 c7 18 48 8d 48 b2 91 2f 2d 2e 51 ac 04 2b ef e1 ac 98 66 3a 49 ea 67 a6 f9 d8 e3 8f 70 fe 50 1d b9 1c 1f 84 8e bb 60 ac 40 8e b5 bb 50 36 12 bd 86 99 06 a0 ca e6 29 93 4e 33 03 0d f5 27 a6 6e 50 49 b6 14 75 e5 8c ee f4 ee 65 5b 94 56 2c 65 c8 ec 5e aa e6 b3 96 56 db a5 81 25 57 d7 91 be 37 90 e2 c3 24 18 e8 91 af da 52 bd cd f4 02 6e bd 78 d9 68 07 fc 69 99 f8 a3 ba 36 54 59 32 ce 9e 28 4f fd b6 cc e9 cd f2 9a ef 55 01 2d a3 b4 21 81 3b 33 ca db d9 45 4d 53 d2 05 a0 d0 d8 0e ee 1b 8a a1 08 4a 42 64 3a f5 84 85 9a bf 61 de 6c 60 f4 67 36 b7 a8 fb d4 50 27 4f 0b d8 46 b4 cf 0e 4a 7e 00 6e 5f 2b 48 28 29 bd 32 62 ce f0 50 a5 ed b1 74 20 1f 1c c2 59 19 7a 7e Plaintext[396]: 41 43 4b 20 73 69 70 3a 31 32 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3b 74 72 61 6e 73 70 6f 72 74 3d 54 4c 53 20 53 49 50 2f 32 2e 30 0d 0a 56 69 61 3a 20 53 49 50 2f 32 2e 30 2f 54 4c 53 20 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 62 72 61 6e 63 68 3d 7a 39 68 47 34 62 4b 31 39 36 37 33 37 39 36 39 35 0d 0a 46 72 6f 6d 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 36 30 37 34 39 31 33 32 39 0d 0a 54 6f 3a 20 3c 73 69 70 3a 31 32 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 61 73 33 34 33 35 39 36 37 62 0d 0a 43 61 6c 6c 2d 49 44 3a 20 31 30 37 31 31 32 39 39 35 31 40 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 43 53 65 71 3a 20 32 20 41 43 4b 0d 0a 43 6f 6e 74 61 63 74 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 30 2e 31 37 32 3a 35 30 36 32 3b 74 72 61 6e 73 70 6f 72 74 3d 54 4c 53 3e 0d 0a 4d 61 78 2d 46 6f 72 77 61 72 64 73 3a 20 37 30 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 59 65 61 6c 69 6e 6b 20 53 49 50 2d 54 32 38 50 20 32 2e 36 31 2e 30 2e 37 30 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 0d 0a 9e cd b7 a4 64 c7 80 6b c9 d1 69 66 d0 2e d1 53 checking mac (len 380, version 301, ct 23 seq 8) tls_check_mac mac type:MD5 md 1 Mac[16]: 9e cd b7 a4 64 c7 80 6b c9 d1 69 66 d0 2e d1 53 ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 380, seq = 4643, nxtseq = 5023 association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 380 decrypted app data fragment: ACK sip:[email protected]:5061;transport=TLS SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK1967379695

From: <sip:[email protected]:5061>;tag=607491329

To: <sip:[email protected]:5061>;tag=as3435967b

Call-ID: [email protected]

CSeq: 2 ACK

Contact: <sip:[email protected]:5062;transport=TLS>

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Content-Length: 0

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #610 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 583 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 578, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #611 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 583 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 578, ssl state 0x3F packet_from_server: is from server - TRUE decrypt_ssl3_record: using server decoder decrypt_ssl3_record: no decoder available association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #613 (first time) conversation = 0000000007071880, ssl_session = 0000000007071FB8 record: offset = 0, reported_length_remaining = 301 dissect_ssl3_record: content_type 23 Application Data decrypt_ssl3_record: app_data len 296, ssl state 0x3F packet_from_server: is from server - FALSE decrypt_ssl3_record: using client decoder ssl_decrypt_record ciphertext len 296 Ciphertext[296]: 4d 95 c3 9d ee 7d 71 1a 38 3f d9 4c b0 82 68 5d c7 b6 d9 68 c3 dc c0 c8 33 ec e5 85 22 90 09 d8 68 cb f9 de cf a7 06 30 6d 7f 84 25 dc fb 25 97 d3 a4 ec 6a a3 a2 47 07 6c b7 1f 7e 01 c3 5a 1c da e7 6d a0 09 5f 70 95 fc d5 a7 1c 23 1e 58 fd 78 84 85 00 ab d7 98 49 9b 72 d5 4b ea bb 05 77 e8 a1 64 03 3a 16 a4 95 6a 13 83 98 c6 65 a6 14 e2 c8 33 d9 05 2b 6e 62 8f 39 7a 51 9b 86 83 b9 d9 65 2c a0 b3 c2 8a 56 05 a1 6e 6e d0 f6 9f 11 dc 7c 98 c6 c7 30 4e 8b 95 6f 88 4c 99 c4 98 89 b8 d9 d3 59 81 e9 a1 ba 6f b3 37 20 9f 49 74 b6 a6 7a 74 13 49 11 92 ba b2 97 38 4b d6 6d 60 d6 8c 67 6a 15 a8 55 48 33 f7 2f 3f 22 d7 6f 95 54 da 3f 24 3c c8 57 0e b0 ca f5 51 62 3e 59 2c 4e a3 62 a7 1d c5 07 38 ce fa f7 00 45 4f bf b2 a9 fd b3 51 5d 74 8a ef 85 5f 60 c8 95 88 1b 11 e5 9b 93 cf 68 47 18 f9 f1 db a1 05 22 84 1e c6 2b aa 9f ff 75 ce 80 ef 74 3b e5 3e dc 74 e4 a3 bb a3 15 e3 ba 9f 69 87 0d Plaintext[296]: 53 49 50 2f 32 2e 30 20 32 30 30 20 4f 4b 0d 0a 56 69 61 3a 20 53 49 50 2f 32 2e 30 2f 54 4c 53 20 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3b 62 72 61 6e 63 68 3d 7a 39 68 47 34 62 4b 34 65 38 31 30 63 38 33 3b 72 70 6f 72 74 0d 0a 46 72 6f 6d 3a 20 3c 73 69 70 3a 31 32 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 61 73 33 34 33 35 39 36 37 62 0d 0a 54 6f 3a 20 3c 73 69 70 3a 74 65 73 74 30 30 31 40 31 30 2e 30 2e 34 2e 36 33 3a 35 30 36 31 3e 3b 74 61 67 3d 36 30 37 34 39 31 33 32 39 0d 0a 43 61 6c 6c 2d 49 44 3a 20 31 30 37 31 31 32 39 39 35 31 40 31 30 2e 30 2e 30 2e 31 37 32 0d 0a 43 53 65 71 3a 20 31 30 32 20 42 59 45 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 59 65 61 6c 69 6e 6b 20 53 49 50 2d 54 32 38 50 20 32 2e 36 31 2e 30 2e 37 30 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 0d 0a 80 2f f9 7a 89 bd b3 21 44 82 c5 17 55 fe 0d ac checking mac (len 280, version 301, ct 23 seq 9) tls_check_mac mac type:MD5 md 1 Mac[16]: 80 2f f9 7a 89 bd b3 21 44 82 c5 17 55 fe 0d ac ssl_decrypt_record: mac ok ssl_add_data_info: new data inserted data_len = 280, seq = 5023, nxtseq = 5303 association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 280 decrypted app data fragment: SIP/2.0 200 OK

Via: SIP/2.0/TLS 10.0.4.63:5061;branch=z9hG4bK4e810c83;rport

From: <sip:[email protected]:5061>;tag=as3435967b

To: <sip:[email protected]:5061>;tag=607491329

Call-ID: [email protected]

CSeq: 102 BYE

User-Agent: Yealink SIP-T28P 2.61.0.70

Content-Length: 0

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #5 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 98 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 1 offset 5 length 89 bytes, remaining 98

dissect_ssl enter frame #8 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 1448 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79 record: offset = 79, reported_length_remaining = 1369 need_desegmentation: offset = 79, reported_length_remaining = 1369

dissect_ssl enter frame #9 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 1448 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 2 offset 5 length 70 bytes, remaining 79 record: offset = 79, reported_length_remaining = 1369 need_desegmentation: offset = 79, reported_length_remaining = 1369

dissect_ssl enter frame #10 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 2125 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 11 offset 5 length 2107 bytes, remaining 2116 record: offset = 2116, reported_length_remaining = 9 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 14 offset 2121 length 0 bytes, remaining 2125

dissect_ssl enter frame #14 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 182 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 16 offset 5 length 130 bytes, remaining 139 record: offset = 139, reported_length_remaining = 43 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec record: offset = 145, reported_length_remaining = 37 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16

dissect_ssl enter frame #15 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 43 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec record: offset = 6, reported_length_remaining = 37 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 20 offset 0 length 12 bytes, remaining 16

dissect_ssl enter frame #16 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 43 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec record: offset = 6, reported_length_remaining = 37 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 156 offset 11 length 3052702 bytes, remaining 43

dissect_ssl enter frame #18 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 513 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 492 decrypted app data fragment: REGISTER sip:10.0.4.63:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK633221630

From: <sip:[email protected]:5061>;tag=1279884606

To: <sip:[email protected]:5061>

Call-ID: [email protected]

CSeq: 1 REGISTER

Contact: <sip:[email protected]:5062;transport=TLS>

Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Expires: 60

Content-Length: 0

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #19 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 523 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #20 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 523 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #16 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 43 dissect_ssl3_record: content_type 20 Change Cipher Spec dissect_ssl3_change_cipher_spec record: offset = 6, reported_length_remaining = 37 dissect_ssl3_record: content_type 22 Handshake dissect_ssl3_handshake iteration 1 type 156 offset 11 length 3052702 bytes, remaining 43

dissect_ssl enter frame #22 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 677 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 656 decrypted app data fragment: REGISTER sip:10.0.4.63:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK1847283880

From: <sip:[email protected]:5061>;tag=1279884606

To: <sip:[email protected]:5061>

Call-ID: [email protected]

CSeq: 2 REGISTER

Contact: <sip:[email protected]:5062;transport=TLS>

Authorization: Digest username="test001", realm="Call-eX", nonce="1356a77b", uri="sip:10.0.4.63:5061", response="7118e9228beb271345a0fe2bc8ad2332", algorithm=MD5

Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Expires: 60

Content-Length: 0

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #23 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 554 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #24 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 554 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #26 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 904 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 883 decrypted app data fragment: INVITE sip:[email protected]:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK1995397980

From: <sip:[email protected]:5061>;tag=607491329

To: <sip:[email protected]:5061>

Call-ID: [email protected]

CSeq: 1 INVITE

Contact: <sip:[email protected]:5062;transport=TLS>

Content-Type: application/sdp

Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Supported: replaces

Allow-Events: talk,hold,conference,refer,check-sync

Content-Length: 302

v=0

o=- 20000 20000 IN IP4 10.0.0.172

s=SDP data

c=IN IP4 10.0.0.172

t=0 0

m=audio 11780 RTP/AVP 0 8 18 9 101

a=rtpmap:0 PCMU/8000

a=rtpmap:8 PCMA/8000

a=rtpmap:18 G729/8000

a=fmtp:18 annexb=no

a=rtpmap:9 G722/8000

a=fmtp:101 0-15

a=rtpmap:101 telephone-event/8000

a=ptime:20

a=sendrecv

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #27 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 517 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #28 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 517 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #30 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 275 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 254 decrypted app data fragment: ACK sip:[email protected]:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK1995397980

From: <sip:[email protected]:5061>;tag=607491329

To: <sip:[email protected]:5061>;tag=as5818025c

Call-ID: [email protected]

CSeq: 1 ACK

Content-Length: 0

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #33 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 1070 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 1049 decrypted app data fragment: INVITE sip:[email protected]:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK1811458558

From: <sip:[email protected]:5061>;tag=607491329

To: <sip:[email protected]:5061>

Call-ID: [email protected]

CSeq: 2 INVITE

Contact: <sip:[email protected]:5062;transport=TLS>

Authorization: Digest username="test001", realm="Call-eX", nonce="53a4a649", uri="sip:[email protected]:5061", response="458a128c100c2a1467e7a65c4f0bfc5b", algorithm=MD5

Content-Type: application/sdp

Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Supported: replaces

Allow-Events: talk,hold,conference,refer,check-sync

Content-Length: 302

v=0

o=- 20000 20000 IN IP4 10.0.0.172

s=SDP data

c=IN IP4 10.0.0.172

t=0 0

m=audio 11780 RTP/AVP 0 8 18 9 101

a=rtpmap:0 PCMU/8000

a=rtpmap:8 PCMA/8000

a=rtpmap:18 G729/8000

a=fmtp:18 annexb=no

a=rtpmap:9 G722/8000

a=fmtp:101 0-15

a=rtpmap:101 telephone-event/8000

a=ptime:20

a=sendrecv

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #36 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 469 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #37 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 469 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #39 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 485 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #40 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 485 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #42 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 675 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 654 decrypted app data fragment: REGISTER sip:10.0.4.63:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK84681934

From: <sip:[email protected]:5061>;tag=1279884606

To: <sip:[email protected]:5061>

Call-ID: [email protected]

CSeq: 3 REGISTER

Contact: <sip:[email protected]:5062;transport=TLS>

Authorization: Digest username="test001", realm="Call-eX", nonce="1356a77b", uri="sip:10.0.4.63:5061", response="7118e9228beb271345a0fe2bc8ad2332", algorithm=MD5

Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Expires: 60

Content-Length: 0

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #43 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 534 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #44 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 534 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #46 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 676 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 655 decrypted app data fragment: REGISTER sip:10.0.4.63:5061 SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK962543714

From: <sip:[email protected]:5061>;tag=1279884606

To: <sip:[email protected]:5061>

Call-ID: [email protected]

CSeq: 4 REGISTER

Contact: <sip:[email protected]:5062;transport=TLS>

Authorization: Digest username="test001", realm="Call-eX", nonce="04a8b233", uri="sip:10.0.4.63:5061", response="4d9f60016d27c881d0b4254c54ca8d80", algorithm=MD5

Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Expires: 60

Content-Length: 0

dissect_ssl3_record found association 0000000006322100

dissect_ssl enter frame #47 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 553 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #48 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 553 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #50 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 784 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #51 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 784 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 5061 found 0000000006322100

dissect_ssl enter frame #55 (already visited) conversation = 0000000007071880, ssl_session = 0000000000000000 record: offset = 0, reported_length_remaining = 401 dissect_ssl3_record: content_type 23 Application Data association_find: TCP port 8003 found 0000000000000000 association_find: TCP port 5061 found 0000000006322100 dissect_ssl3_record decrypted len 380 decrypted app data fragment: ACK sip:[email protected]:5061;transport=TLS SIP/2.0

Via: SIP/2.0/TLS 10.0.0.172:5062;branch=z9hG4bK1967379695

From: <sip:[email protected]:5061>;tag=607491329

To: <sip:[email protected]:5061>;tag=as3435967b

Call-ID: [email protected]

CSeq: 2 ACK

Contact: <sip:[email protected]:5062;transport=TLS>

Max-Forwards: 70

User-Agent: Yealink SIP-T28P 2.61.0.70

Content-Length: 0

dissect_ssl3_record found association 0000000006322100

asked 14 Aug ‘12, 07:02

jamicque's gravatar image

jamicque
6225
accept rate: 0%

edited 14 Aug ‘12, 07:52

grahamb's gravatar image

grahamb ♦
19.8k330206


One Answer:

1

It looks like your capture mechanism is creating duplicate entries for the server packets, this disrupts decryption. You can either use "editcap -d" to remove the duplicates or you can use "Edit -> Ignore ..." in Wireshark to ignore the duplicates and get decryption working. And of course you should check your capture mechanism to see whether you can make it stop generating duplicates :-)

answered 15 Aug '12, 00:53

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Thx SYN-bit ignoring those packet really solved the problem I'm wondering why these packet have occurred. The server is running on vserver, and the host have interface bonding - this can be the problem - I will try to work it out - thx!.

BTW is there any way in wireshark to automatically ignore all duplicates?

(15 Aug '12, 12:55) jamicque

BTW is there any way in wireshark to automatically ignore all duplicates?

No, editcap would be your best best in de-duplicating

(15 Aug '12, 15:09) SYN-bit ♦♦