This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decrypting SIP packets: sometimes packets from/to an endpoint are not shown

Hi All,

I have a problem where from time to time Wireshark decrypts only part of a SIP flow, and sometimes it decrypts the full flow. This change in decryption happens randomly, and I need to know what is wrong when Wireshark can't decrypt the full flow. For example, in the following capture a SIP session (call) started at packet 4418: in this packet the Originator sent an INVITE to the SIP PROXY, but the INVITE from the SIP PROXY to the Terminator wasn't decrypted. Another marked packet in this capture is 2411, in which you can see that messages from the Terminator were decrypted successfully 15 seconds ago. [link to picture]

On the same capture I changed the display filter to SSL and see that the packets were actually captured but not decrypted:

[link to picture]

Packets 4423 and 4424 weren't decrypted. From the SSL debug log:

  dissect_ssl enter frame #4423 (first time)
  conversation = 05EFD918, ssl_session = 05EFDE18
  record: offset = 0, reported_length_remaining = 1448
  need_desegmentation: offset = 0, reported_length_remaining = 1448

Can anybody suggest how to deal with this problem? I'm using Wireshark version 1.10.3. I'm capturing with the following tshark command:

"C:\Program Files (x86)\Wireshark\tshark.exe" -l -i 1 -w capture_eth1.pcap -a filesize:15000

Of course, the private key from the certificate was imported into Wireshark via the Wireshark GUI.

asked 30 Nov '13, 15:02

m2a0x

edited 30 Nov '13, 15:27