Re: [SR-Users] [OpenSIPS-Users] TLS SIP packet tracing and visualization

Hello fellows, after some experimentation with various tools, I come out with a little shell tool that maybe can be useful to you too. It can only work with non-forward secrecy ciphers, obviously, and only if is started before the client do the initial TLS handshake (eg, just restart the client). Forward secrecy cannot be decrypted after fact, so don't waste effort. An example of ciphers that can be decrypted are the "AES256-SHA" openssl cipher group. You can use ssldump to check what cipher is used by serverhello. Enjoy, make it better, and share it :) #!/bin/bash # brought to you by Giovanni Maruzzelli # SERVERIP="192.168.1.150" SERVERPORT="5061" PRIVKEY="/etc/certs/privkey.pem" STDERR2DEVNULL=" 2>/dev/null " REGEX="notyet" if [ -z "$1" ]; then REGEX="\\\.*" else REGEX="$1" fi FILTER="ssl.app_data and sip matches" FILTER2="$FILTER \"$REGEX\"" FILTER3="'$FILTER2'" ARGUMENT="-i 1 -Y $FILTER3 -E header=y -T fields -e frame.number -e frame.time -e frame.time_delta_displayed -e ip.src -e ip.dst -e sip.Status-Line -e sip.Request-Line -e sip.msg_hdr -l -d tcp.port\=\=5061,sip -o \"ssl.keys_list: $SERVERIP,$SERVERPORT,sip,$PRIVKEY\" $STDERR2DEVNULL | sed -u 's/\t/\n/g' | sed -u '/^$/d' | sed -u 's/^[0-9]*$/\n==&==============================/g'" echo "" echo "NB: if it do not works, edit script so that STDERR2DEVNULL=\" \" and try again" echo "" echo "NB: remember to quote and escape match patterns, using triple slash" echo " eg, for matching 1010(a)pbx.example.com, use \" 1010(a)pbx.example.com\"" echo " eg, for matching anything, use \"\\\\\\.*\"" echo " eg, for matching *98, use \"\\\\\\*98\"" echo "USAGE: $0 \"\\\\\\*98(a)pbx.example.com\"" echo "" case "$1" in -help|--help|?) exit 0 ;; *) echo "THIS TIME WE'RE DOING:" echo "tshark $ARGUMENT" echo "" bash -c "tshark $ARGUMENT" ;; esac -- Sincerely, Giovanni Maruzzelli OpenTelecom.IT cell: +39 347 266 56 18