This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have captured a VoIP call using RTP with G.711 codec. I have tried using Wireshark to playback the audio, but all I hear is static.

Here is a link to the capture file:

https://drive.google.com/file/d/0B80gG9wZvGF0X0NPb2dnemtYMzA/view?usp=sharing

At first, I thought SRTP was being used, but Wireshark's RTP dissector does not detect SRTP and the encryption method (AES). I have done the following in Wireshark:

  1. Telephony -> RTP -> Show All Streams, then I save the Payload as a .AU file
  2. Tried decoding with a G.729 codec (in case the codec shown by Wireshark was incorrect)
  3. Saved the file as a .RAW file and used a sound processing program (SoX) to create an audio file

Any recommendations?

asked 14 Jul '15, 07:06

Amato_C


I'm not sure there really is a general rule for that - at my previous job we sometimes used SIP/TLS with plain RTP, and at other places we used unencrypted SIP (over UDP or TCP) with SRTP.

One way to tell your capture actually contains SRTP is that the RTP payload was too big - normal G.711 is encoded in multiples of 80 bytes (each 80 bytes representing 10ms of audio time). Since your "RTP" packet payload was 164 bytes, there were 4 extra bytes - which are likely a 32-bit SRTP authentication hash tag (i.e., HMAC_SHA1_32).

answered 14 Jul '15, 11:21

Hadriel

Just for completeness:

G.711 frame size = multiple of 80 bytes

G.729 frame size = multiple of 10 bytes

(14 Jul '15, 14:07) Amato_C

The fact that the preceding TCP stream goes to port 5061 leads me to believe this is SRTP encrypted G.711 encoded speech. Unless you can decrypt the call setup in the TCP stream, you won't be able to get the required keys for the SRTP session.

answered 14 Jul '15, 09:54

Jaap ♦

@Jaap - Would it be fair to say that whenever encrypted SIP is used (SIP-TLS), then SRTP is also used? I am trying to find a general rule.

(14 Jul '15, 10:21) Amato_C

@Hadriel - So I reexamined my RTP captures using G.711 codec and noticed that your answer provides a great way to determine if SRTP is being used when G.711 codec is implemented:

if <rtp-payload> mod 80 != 0, then SRTP

Can you change your comment to an answer so I can select it as the answer?

Thanks again!

(14 Jul '15, 12:56) Amato_C

It's a common combination. There's little use doing one, but not the other, other than for testing maybe.

As for the rule: that works ... unless the optional authentication tag is not included (SDES: UNAUTHENTICATED_SRTP). So there's no other definitive way to tell unless you look at the SDP (which is encrypted in your SIP/TLS stream).

(14 Jul '15, 22:50) Jaap ♦
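
The payload-length rule from this thread, together with the caveat about a missing authentication tag, as an added example (not code from any of the posters or from Wireshark). It assumes the input is the UDP payload of a single RTP packet using a static G.711 payload type (0 or 8); the 10-byte HMAC_SHA1_80 tag size goes beyond the 32-bit case discussed above, and the packets are constructed samples.

```python
import struct

G711_PAYLOAD_TYPES = {0: "PCMU", 8: "PCMA"}  # static RTP payload types for G.711
G711_FRAME_BYTES = 80                         # 10 ms of G.711 audio, as stated in the thread
# Tag sizes: 4 bytes is the case from the thread; 10 bytes is added here.
SRTP_TAG_BYTES = {4: "HMAC_SHA1_32", 10: "HMAC_SHA1_80"}


def rtp_payload_len(udp_payload):
    """Return (payload_type, payload_length) for one RTP packet.

    The padding bit is ignored: under SRTP the pad count is encrypted.
    """
    if len(udp_payload) < 12 or udp_payload[0] >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    first, second = udp_payload[0], udp_payload[1]
    offset = 12 + 4 * (first & 0x0F)          # fixed header plus CSRC list
    if first & 0x10:                          # header extension present
        if len(udp_payload) < offset + 4:
            raise ValueError("truncated header extension")
        (ext_words,) = struct.unpack_from("!H", udp_payload, offset + 2)
        offset += 4 + 4 * ext_words
    if offset > len(udp_payload):
        raise ValueError("truncated RTP header")
    return second & 0x7F, len(udp_payload) - offset


def classify(udp_payload):
    """Apply the 'payload mod 80' rule and report what it can and cannot show."""
    pt, length = rtp_payload_len(udp_payload)
    if pt not in G711_PAYLOAD_TYPES:
        return "not G.711: rule does not apply"
    extra = length % G711_FRAME_BYTES
    if extra == 0:
        # Caveat from the thread: SRTP without an authentication tag looks the same.
        return "inconclusive: plain G.711 or SRTP without authentication tag"
    tag = SRTP_TAG_BYTES.get(extra)
    if tag:
        return f"likely SRTP: {extra} extra bytes match a {tag} tag"
    return f"not plain G.711: {extra} unexplained extra bytes"


def make_packet(payload_len, pt=0):
    """Constructed sample: 12-byte RTP header followed by zero-filled payload."""
    return struct.pack("!BBHII", 0x80, pt, 1, 160, 0x1234ABCD) + bytes(payload_len)


if __name__ == "__main__":
    for size in (160, 164, 170):
        print(size, "->", classify(make_packet(size)))
```

A result of "inconclusive" is the expected outcome for both unencrypted G.711 and SRTP negotiated without a tag, so only the SDP settles those streams.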