This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi there.

My Automation Testing Environment runs SRTP calls over H323. In this case only payload part of RTP packet is encrypted. (Not whole RTP packet as in case of SIP/TLS).

So if I'm Wiresharking the call, how do i actually know from its capture:

a) If payload is actually encrypted.

b) What encryption algorithm is used.

I read that DTMF can give an exact answer for those questions. Could you please expand a bit about that?

Thank you in advance.

asked 25 Jan '12, 15:03

evgeny1976's gravatar image

evgeny1976
1112
accept rate: 0%

edited 25 Jan '12, 15:05


First of all you have to be aware of the difference between signaling and media.

  • Signaling flows contain the control messages related to the call. Examples of such protocols are the H.323 family and SIP.
  • Media flows contain the media of a call. Speech, audio, video all are forms of media. These are usually transported using RTP.

In your description you seem to indicate that in the H.323 context only the RTP payload is encrypted, while in the SIP?TLS context the whole RTP packet is encrypted. This is not true.

As said above H.323 and SIP are signaling protocols, which may or may not run over encrypted connections. When looking at encrypting media streams, Secure RTP (SRTP) is the standard solution. But these are independent!

If you want to look at the encrypted state of your media session, you'll have to check the RFC. From there you can see that it's just the payload that's encrypted, but not the header. So it should be possible to analyze the RTP stream itself, although the payload should not be presentable according to the declared codec.

If you want to know which encryption is used, you'll have to dig into either the static configuration or the signaling protocol messages. There the security features are set or negotiated.

permanent link

answered 26 Jan '12, 01:21

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

Hi

Thank you for your help...

Analising the payload of RTP packet, how can I tell either it is encripted or not?

(27 Jan '12, 03:37) evgeny1976

If you look how the SRTP framework encrypts RTP packets you'll see that you still have access to the payload type (PT) field. Using that you can try to interpret the payload data, play out the media though the applicable code. If it's unencrypted you will be able to, otherwise you won't.

(27 Jan '12, 04:12) Jaap ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×11
×9

question asked: 25 Jan '12, 15:03

question was seen: 3,794 times

last updated: 27 Jan '12, 04:12

p​o​w​e​r​e​d by O​S​Q​A