This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can 802.11 from AirPcap Be Decoded To SIP/RTP?

0

Testing mobile apps which make phone calls using wifi connection, encountered a problem with audio quality and excessive delay on certain phones. Captured traffic between mobile phone and wifi router using AirPcap, but can not find a way to Decode As SIP/RTP. All packets shown as 802.11 protocol naturally.

Is there a way to decode the wifi packets into the SIP and RTP used for the VoIP call?

asked 30 Aug '13, 09:35

BobD8487's gravatar image

BobD8487
1222
accept rate: 0%


One Answer:

0

Is there a way to decode the wifi packets into the SIP and RTP used for the VoIP call?

Yes, but if they were captured on a "protected" network, using WEP or WPA/WPA2 encryption, you will have to decrypt them.

It's also possible configure AirPcap adapters to do the decryption for you when capturing; see the "Adding Keys: Wireless Toolbar" of the page I linked to. That won't handle an existing capture, however, it will only handle captures you make after you add the passwords.

Also, pay attention to the "Gotchas" section.

answered 30 Aug '13, 13:15

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Thanks, Guy. But you are such a tease. :-) You tell me "Yes" then do not tell me how it would be done. The AirPcap only does WEP so I would have to handle the WPA2 decryption within Wireshark except that I temporarily disabled my encryption to take the trace, so there is nothing to decrypt...except the 802.11 packets. I need to see SIP, and most importantly, RTP. If you can embelish on your "Yes" answer to tell me how this is done, I would very much appreciate it.

btw - I would have expected to be able to use the Wireshark Analyze>Decode As option, however this option is grayed out.

(30 Aug '13, 16:38) BobD8487

I need to see SIP, and most importantly, RTP.

If you're not seeing IP and TCP/UDP headers for the traffic you believe to be SIP and/or RTP, then your traffic is probably encrypted at the 802.11 layer, whether you believe you disabled that decryption or not (i.e., you didn't).

If you're seeing IP and TCP/UDP headers, you should be able to use Decode As to decode the packets as SIP and/or RTP.

(30 Aug '13, 21:00) Guy Harris ♦♦

Thanks, Guy. That must be it. I turned off the WPA2 encryption, but there must be something else turned on which is encrypting the data. I'll have a look through my router settings and see if there is something I missed. I will also go through the decryption section of this wiki to see if it mentions another layer I may have missed. Worst case I turn it back on, then decrypt in Wireshark (which is what I was trying to avoid thinking it was simpler...which was obviously not the case).

(04 Sep '13, 15:29) BobD8487