
Decrypting SIP over TLS packets between AS-SIP endpoint and CUCM 10.5 in Wireshark??

jashtar2015
Level 1

I have a Cisco AS-SIP phone and CUCM 10.5. I would like to decrypt the SIP (over TLS) packets that are exchanged between my CUCM 10.5 server and the AS-SIP phone. 

How is this done? Is there a guide on how to do this?

3 Replies

Nadeem Ahmed
Cisco Employee
  • Start Wireshark and open the network capture
  • From the top menu select Edit > Preferences.
  • When the Preferences window opens, expand Protocols
  • Scroll down and select SSL.
  • In the space labeled RSA keys list, provide the following information in the format <ip>,<port>,<protocol>,<key_file_name>.
    Where:
    <ip> is the IP Address of the server / appliance with the private key
    <port> is usually 5061 for SIP TLS
    <protocol> is tls
    <key_file_name> is the location and file name of the private key (the one you created at the first step)

  • Press Apply
  • Now you should be able to see the TLS+SRTP calls in your trace

Br,

Nadeem

PS: Please rate all useful posts.

By "be able to see the TLS+SRTP" I assume you mean "be able to see the decrypted TLS"?

The guide you outlined is actually the one I followed when I googled for this topic. However, I can't get it to work. The list of different certificates on CUCM is long and I'm not sure which certificate to pick. When I go into my Cisco phone's Security settings (CTL FILE) I see that CAPF server is defined as 'CAPF-01b24746' and I was able to find a certificate with the same name in the CUCM certificate list, so that's the one I picked... but again... it doesn't work!

See attached screenshots. What am I doing wrong? As you'll notice the Wireshark version (1.12.8) I'm using has a different UI for the SSL settings and the SSL logfile states:

Wireshark SSL debug log
ssl_load_key: can't import pem data: Base64 unexpected header error.

Also, I don't know the password/pre-shared key for the certificate (if there is one??) I got from the CUCM server.

I am interested in seeing the decrypted SIP messages and RTP payloads in Wireshark.
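
An added example, not part of the original thread and not Cisco or Wireshark code: a Python check of what a PEM file exported for the RSA keys list actually contains, since the steps above call for a private key and a certificate file carries none. It assumes, without confirmation from the thread, that the `ssl_load_key` header error comes from a file that is not an unencrypted private-key PEM; `classify_pem`, its verdict names and the sample PEM bodies are constructed for illustration.

```python
import re
import sys

# Matches one PEM block and captures its label and body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY"}

# Constructed samples: the bodies are placeholders, not real key material.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_LOCKED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
                 "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")


def classify_pem(text):
    """Return (verdict, labels) for the PEM blocks found in text."""
    blocks = PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]
    if not labels:
        return "not-pem", labels  # e.g. a binary DER export
    for label, body in blocks:
        # PKCS#8 uses its own label; traditional OpenSSL keys add a Proc-Type header.
        if label == "ENCRYPTED PRIVATE KEY" or (label in KEY_LABELS and "Proc-Type:" in body):
            return "encrypted-key", labels
    if any(label in KEY_LABELS for label in labels):
        return "private-key", labels
    if "CERTIFICATE" in labels:
        return "certificate-only", labels  # public certificate, no private key inside
    return "other", labels


if __name__ == "__main__":
    # Usage: python check_pem.py <file> [<file> ...]
    for path in sys.argv[1:]:
        with open(path, "r", errors="replace") as handle:
            verdict, labels = classify_pem(handle.read())
        print(f"{path}: {verdict} {labels}")
```

Only a file reported as `private-key` contains the kind of material the RSA keys list asks for; `certificate-only` means the export holds the public certificate alone.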

Adportas
Level 1
Level 1

Hi,

I currently have a similar situation and I want to know if you can find the way to load the adequate file, because I can't find them either.

Thanks

Daniel