I am trying to decode SRTCP packets. I have the private key and specified it at Edit -> Preferences -> Protocols -> SSL. My SIP and RTP packets are decoding fine, but my RTCP packets are not. According to the Wiki page for RTCP (https://wiki.wireshark.org/RTCP) at the very bottom of the discussion, it is written, "SRT(C)P handling was recently added to both dissectors. (JaapKeuter)" so I believe that Wireshark has the ability to SSL decode these packets.
My settings at Edit -> Preferences -> Protocols -> SSL -> RSA Keys List have the correct IP address, rtcp for protocol, and point to the private key. For port, I've tried our SIP/TLS port (we run on a non-standard port), 0, 32513 (the port on which SRTCP packets on this specific capture appear), but no matter what, the Sender Report isn't decrypted to where I can see it. Here's what I get:
Does anyone have decryption of SRTCP packets working? Ideas or advice for making this work?
asked 13 Oct '17, 06:41
edited 13 Oct '17, 06:49
You are aware that TLS and SRTP have little to do with each other, right?
In short they have nothing to do with each other, while the long answer is that the signalling used for key exchange for the SRTP session may be accessible if the corresponding SDP exchange is accessible through the use of TLS decryption.
When this is not clear, consider the following. SIP is used for session control and SDP for the media session. When Secure RTP is involved, media key exchange has to take place, which can be done through SDP. This is only sensible if the key exchange itself is protected, e.g. by (D)TLS. So having the option to decrypt SIP/TLS, and therefore SDP, gives you access to the media encryption keys. That is how this binds together.
This also tells you that it is a matter of using the media encryption keys to decrypt the SRTP and SRTCP packets. Well, Wireshark doesn't do that (yet). What it does do is be aware that the RTP and RTCP packets are encrypted and thus dissect the fields in these packets with that fact in mind. They therefore also do not show decrypted data, since it is not capable of doing that right now.
answered 13 Oct '17, 08:56
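
As an added example (not part of the original question or answer): once SIP/TLS is decrypted, the SRTP/SRTCP master key and salt can be read out of the SDP body. This sketch assumes the key exchange uses the SDES `a=crypto` attribute of RFC 4568, which the answer does not name, with one inline key per line; the sample SDP, its port and its key material are constructed.

```python
import base64
import re

# Master key / master salt lengths in bytes per crypto suite (RFC 4568).
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "F8_128_HMAC_SHA1_80": (16, 14),
}
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:(\S+)(?:\s+(.*))?$")


def parse_crypto_lines(sdp):
    """Return one dict per a=crypto line found in an SDP body."""
    results = []
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if not m:
            continue
        tag, suite, key_info, session_params = m.groups()
        if suite not in SUITES:
            raise ValueError("unsupported crypto suite: " + suite)
        key_len, salt_len = SUITES[suite]
        # key-info is base64(key||salt)[|lifetime][|MKI:length]
        fields = key_info.split("|")
        raw = base64.b64decode(fields[0], validate=True)
        if len(raw) != key_len + salt_len:
            raise ValueError("key||salt has wrong length for " + suite)
        entry = {"tag": int(tag), "suite": suite,
                 "master_key": raw[:key_len], "master_salt": raw[key_len:],
                 "lifetime": None, "mki": None,
                 "session_params": (session_params or "").split()}
        for extra in fields[1:]:
            if ":" in extra:      # MKI value and its length in bytes
                value, length = extra.split(":")
                entry["mki"] = (int(value), int(length))
            else:                 # lifetime, e.g. "2^31" or a decimal count
                entry["lifetime"] = extra
        results.append(entry)
    return results


def sample_sdp():
    # Constructed sample: the key material is bytes 0..29, not a real key.
    inline = base64.b64encode(bytes(range(30))).decode()
    return ("v=0\r\n"
            "m=audio 32512 RTP/SAVP 0\r\n"
            "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + inline
            + "|2^31|1:1 UNENCRYPTED_SRTCP\r\n")
```

A `UNENCRYPTED_SRTCP` entry in `session_params` means the SRTCP payload is authenticated but not encrypted, which is worth checking before concluding that a Sender Report needs decrypting.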