This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have a Polycom phone that is on the public internet, and is registered SIP/UDP to my Metaswitch. Wiresharking a mirrored port was showing normal SIP and RTP traffic.

THEN- someone got into the phone via web, deleted the SIP Info so the phone was no longer registered, and started blasting the IP with TLS traffic, TLSv1 Client Hello packets, change sipher, and app data packets.

I updated the SIP reg info, got the phone registered again and updated the web PW, the phone does work, however now all I see on wireshark is the TLS traffic, I dont see any SIP or RTP traffic.

Why can't I see the SIP/RTP traffic??

asked 24 Mar '15, 08:28

GAS's gravatar image

GAS
6111
accept rate: 0%

edited 29 Mar '15, 19:03

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335195


Probably the "someone" has also enabled SSL/TLS on the phone. Maybe you'd better factory default it and reinstall firmware in case the "someone" installed a custom firmware version.

permanent link

answered 24 Mar '15, 13:16

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

I looked at the phone, TLS is not enabled, it still has the Polycom firmware on it. I can run a call trace(in my switch) on the call to the phone and see SIP traffic to and from the phone, but its not showing up on wireshark.

Thanks

(24 Mar '15, 13:39) GAS

Still looks like the attacker tried to do more than just 'delete the SIP info', especially since they followed up with specific TLS traffic. Doesn't sound like some random script kiddie to me.

Also you didn't specify which 'IP' was blasted with TLS traffic. Be specific on your interfaces please.

(25 Mar '15, 04:04) Jaap ♦

The public IP of the phone is getting all the TLS traffic, from a Europena IP address. I guess whats odd to me is that the phone is working (they made a 1.5 hour call yesterday), I see SIP traffic in the call trace in my switch, but no SIP or RTP traffic on wireshark.

I restarted wireshark, made sure it in promisc mode, etc.

(25 Mar '15, 06:44) GAS

What do you see on the Wireshark capture? Any other SIP clients, just not yours? Nothing at all? A different VLAN? Is the mirror still intact, correctly configured? How long ago did you have a working SIP/RTP traffic capture of your phone?

(25 Mar '15, 09:39) Jaap ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×3

question asked: 24 Mar '15, 08:28

question was seen: 1,306 times

last updated: 29 Mar '15, 19:03

p​o​w​e​r​e​d by O​S​Q​A