
Decrypting SIP over TLS packets between AS-SIP endpoint and CUCM 10.5 in Wireshark??

jashtar2015
Beginner

I have a Cisco AS-SIP phone and CUCM 10.5. I would like to decrypt the SIP (over TLS) packets that are exchanged between my CUCM 10.5 server and the AS-SIP phone. 

How is this done? Is there a guide on how to do this?

3 Replies

Nadeem Ahmed
Cisco Employee
  • Start Wireshark and open the network capture
  • From the top menu select Edit > Preferences.
  • When the Preferences window opens, expand Protocols
  • Scroll down and select SSL.
  • In the space labeled RSA keys list, provide the following information in the format <ip>,<port>,<protocol>,<key_file_name>.
Where:
<ip> is the IP Address of the server / appliance with the private key
<port> is usually 5061 for SIP TLS
<protocol> is tls
<key_file_name> is the location and file name of the private key (the one you created at the first step)

  • Press Apply
  • Now you should be able to see the TLS+SRTP calls in your trace

Br,

Nadeem

PS: Please rate all useful posts.

By "be able to see the TLS+SRTP" I assume you mean "be able to see the decrypted TLS"?

The guide you outlined is actually the one I followed when I googled for this topic. However, I can't get it to work. The list of different certificates on CUCM is long and I'm not sure which certificate to pick. When I go into my Cisco phone's Security settings (CTL FILE) I see that CAPF server is defined as 'CAPF-01b24746' and I was able to find a certificate with the same name in the CUCM certificate list, so that's the one I picked... but again, it doesn't work!

See attached screenshots. What am I doing wrong? As you'll notice, the Wireshark version (1.12.8) I'm using has a different UI for the SSL settings and the SSL logfile states:

Wireshark SSL debug log
ssl_load_key: can't import pem data: Base64 unexpected header error.

Also, I don't know the password/pre-shared key for the certificate (if there is one??) I got from the CUCM server.

I am interested in seeing the decrypted SIP messages and RTP payloads in Wireshark.
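
A pre-flight check for the file supplied as <key_file_name>, relevant to the PEM header error in the log above; this is an added example, not part of the original thread or any Cisco or Wireshark tooling. It reads the PEM header labels and reports whether the file holds a private key, a passphrase-protected key, or only a certificate. The function name, verdict strings and label list are assumptions made for illustration, and the sample inputs are constructed.

```python
import re
import sys

# PEM header labels as written by OpenSSL (assumed list of the common ones).
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY"}
ENCRYPTED_KEY_LABELS = {"ENCRYPTED PRIVATE KEY"}
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)


def classify_key_file(text):
    """Classify the text of a candidate <key_file_name> by its PEM headers."""
    labels = set(BEGIN_RE.findall(text))
    if not labels:
        return "not-pem"                  # DER, PKCS#12 or not a key file at all
    if labels & ENCRYPTED_KEY_LABELS:
        return "encrypted-private-key"    # PKCS#8, passphrase-protected
    if labels & KEY_LABELS:
        # Traditional OpenSSL keys flag encryption in a header line under BEGIN.
        if re.search(r"^Proc-Type: 4,ENCRYPTED", text, re.MULTILINE):
            return "encrypted-private-key"
        return "private-key"
    if labels & CERT_LABELS:
        return "certificate-only"         # public certificate, no private key
    return "other"


# Constructed sample inputs: the bodies are placeholders, not real key material.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_ENC_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
    "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:                 # check a real file: script.py key.pem
        with open(sys.argv[1], "r", errors="replace") as fh:
            print(sys.argv[1], "->", classify_key_file(fh.read()))
    else:
        for name, sample in [("cert", SAMPLE_CERT), ("key", SAMPLE_KEY),
                             ("encrypted key", SAMPLE_ENC_KEY)]:
            print(name, "->", classify_key_file(sample))
```

A `certificate-only` result means the file cannot serve as <key_file_name>, which the answer above defines as the private key.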

Adportas
Beginner
Beginner

Hi,

I currently have a similar situation and I want to know if you could find the way to load the adequate file, because I can't find them either.

Thanks

Daniel
