I have captured a VoIP call using RTP with G.711 codec. I have tried using Wireshark to playback the audio, but all I hear is static. Here is a link to the capture file: https://drive.google.com/file/d/0B80gG9wZvGF0X0NPb2dnemtYMzA/view?usp=sharing At first, I thought SRTP was being used, but Wireshark's RTP dissector does not detect SRTP and the encryption method (AES). I have done the following in Wireshark:
Any recommendations? asked 14 Jul '15, 07:06 Amato_C
2 Answers:
I'm not sure there really is a general rule for that - at my previous job we sometimes used SIP/TLS with plain RTP, and at other places we used unencrypted SIP (over UDP or TCP) with SRTP. One way to tell your capture actually contains SRTP is that the RTP payload was too big - normal G.711 is encoded in multiples of 80 bytes (each 80 bytes representing 10ms of audio time). Since your "RTP" packet payload was 164 bytes, there were 4 extra bytes - which are likely a 32-bit SRTP authentication hash tag (i.e., HMAC_SHA1_32). answered 14 Jul '15, 11:21 Hadriel
The fact that the preceding TCP stream goes to port 5061 leads me to believe this is SRTP encrypted G.711 encoded speech. Unless you can decrypt the call setup in the TCP stream, you won't be able to get the required keys for the SRTP session. answered 14 Jul '15, 09:54 Jaap ♦

@Jaap - Would it be fair to say that whenever encrypted SIP is used (SIP-TLS), then SRTP is also used? I am trying to find a general rule. (14 Jul '15, 10:21) Amato_C

@Hadriel - So I reexamined my RTP captures using the G.711 codec and noticed that your answer provides a great way to determine if SRTP is being used when the G.711 codec is implemented: if <rtp-payload> mod 80 != 0, then SRTP. Can you change your comment to an answer so I can select it as the answer? Thanks again! (14 Jul '15, 12:56) Amato_C

It's a common combination. There's little use doing one, but not the other, other than for testing maybe. As for the rule: that works ... unless the optional authentication tag is not included (SDES: UNAUTHENTICATED_SRTP). So there's no other definitive way to tell unless you look at the SDP (which is encrypted in your SIP/TLS stream). (14 Jul '15, 22:50) Jaap ♦
Just for completeness:
G.711 frame size = multiple of 80 bytes
G.729 frame size = multiple of 10 bytes
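The payload-size rule of thumb from the answers above, turned into a small checker. This is an added example, not code from the thread or from Wireshark: it parses the RTP header (RFC 3550), takes the payload length modulo the codec frame unit (80 bytes for G.711, 10 for G.729) and reports any leftover bytes, which for G.711 match the 4-byte or 10-byte SRTP authentication tag sizes. The sample packets are constructed inline; the function names and the `FRAME_UNIT` table are this example's own.

```python
import struct

# Frame-size units from the thread: G.711 (PCMU=0, PCMA=8) comes in multiples
# of 80 bytes (10 ms each), G.729 (PT 18) in multiples of 10 bytes.
FRAME_UNIT = {0: 80, 8: 80, 18: 10}


def parse_rtp(pkt):
    """Parse an RFC 3550 RTP header and return its fields plus the raw payload.
    Padding is not stripped: in SRTP the padding-count octet is encrypted."""
    if len(pkt) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    offset = 12 + 4 * (b0 & 0x0F)       # skip CSRC list (4 bytes each)
    if b0 & 0x10:                       # header extension present
        _profile, ext_words = struct.unpack("!HH", pkt[offset:offset + 4])
        offset += 4 + 4 * ext_words
    return {"marker": bool(b1 & 0x80), "pt": b1 & 0x7F, "seq": seq,
            "ts": ts, "ssrc": ssrc, "payload": pkt[offset:]}


def srtp_hint(pkt):
    """The thread's rule of thumb: a payload that is not a whole number of codec
    frames suggests an SRTP auth tag is appended (RFC 3711: 4 bytes for
    HMAC-SHA1-32, 10 for HMAC-SHA1-80). Returns (verdict, leftover_bytes)."""
    rtp = parse_rtp(pkt)
    unit = FRAME_UNIT.get(rtp["pt"])
    if unit is None:
        return "unknown codec", None
    extra = len(rtp["payload"]) % unit
    if extra == 0:
        # Inconclusive: plain RTP, SRTP without an auth tag (SDES
        # UNAUTHENTICATED_SRTP) and G.729 with a 10-byte tag all land here.
        return "plain-sized", 0
    return "possible SRTP", extra


def build_rtp(pt, seq, ts, ssrc, payload):
    """Constructed RTP v2 packet (no CSRC, extension or padding) for the demo."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq, ts, ssrc) + payload


# Constructed samples: 20 ms of PCMU, then the same with a 4-byte tag appended,
# giving the 164-byte payload mentioned in the question.
PLAIN_G711 = build_rtp(0, 1, 160, 0x12345678, b"\xff" * 160)
TAGGED_G711 = build_rtp(0, 1, 160, 0x12345678, b"\xff" * 160 + b"\x00" * 4)
```

A "plain-sized" result is not proof of plain RTP, as Jaap notes: only the SDP in the (here TLS-protected) SIP exchange settles it.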