[OpenSIPS-Users] TLS SIP packet tracing and visualization

Giovanni Maruzzelli gmaruzz at gmail.com
Tue May 9 11:10:39 EDT 2017


On 9 May 2017 at 15:18, Bogdan-Andrei Iancu <bogdan at opensips.org> wrote:

> Thank you Giovanni, that is a useful tool - we will document it in the
> OpenSIPS TLS tutorial, so other can benefit ;)
>
>

Glad about it!
Be sure to get it from https://freeswitch.org/confluence/display/FREESWITCH/
Packet+Capture#PacketCapture-TLSwithsharka , is the latest version with a
couple fixes.

-giovanni




> Many thanks,
>
> Bogdan-Andrei Iancu
>   OpenSIPS Founder and Developer
>   http://www.opensips-solutions.com
>
> OpenSIPS Summit May 2017 Amsterdam
>   http://www.opensips.org/events/Summit-2017Amsterdam.html
>
> On 05/02/2017 05:52 PM, Giovanni Maruzzelli wrote:
>
> For a cut and paste ready version, that has the correct carriage returns
> (mangled by mail), check it in FreeSWITCH documentation:
>
> https://freeswitch.org/confluence/display/FREESWITCH/
> Packet+Capture#PacketCapture-TLSwithsharka
>
> -giovanni
>
> On 2 May 2017 at 16:26, Giovanni Maruzzelli <gmaruzz at gmail.com> wrote:
>
>> Hello fellows,
>>
>> after some experimentation with various tools, I come out with a little
>> shell tool that maybe can be useful to you too.
>>
>> It can only work with non-forward secrecy ciphers, obviously, and only if
>> is started before the client do the initial TLS handshake (eg, just restart
>> the client). Forward secrecy cannot be decrypted after fact, so don't waste
>> effort.
>>
>> An example of ciphers that can be decrypted are the "AES256-SHA" openssl
>> cipher group. You can use ssldump to check what cipher is used by
>> serverhello.
>>
>> Enjoy, make it better, and share it :)
>>
>>
>> #!/bin/bash
>> # brought to you by Giovanni Maruzzelli
>> #
>> SERVERIP="192.168.1.150"
>> SERVERPORT="5061"
>> PRIVKEY="/etc/certs/privkey.pem"
>> STDERR2DEVNULL=" 2>/dev/null "
>> REGEX="notyet"
>>
>> if [ -z "$1" ]; then
>>         REGEX="\\\.*"
>> else
>>         REGEX="$1"
>> fi
>> FILTER="ssl.app_data and sip matches"
>> FILTER2="$FILTER \"$REGEX\""
>> FILTER3="'$FILTER2'"
>> ARGUMENT="-i 1 -Y $FILTER3 -E header=y -T fields -e frame.number -e
>> frame.time -e frame.time_delta_displayed -e ip.src -e ip.dst -e
>> sip.Status-Line -e sip.Request-Line -e sip.msg_hdr -l -d
>> tcp.port\=\=5061,sip  -o \"ssl.keys_list: $SERVERIP,$SERVERPORT,sip,$PRIVKEY\"
>> $STDERR2DEVNULL | sed -u 's/\t/\n/g' | sed -u '/^$/d' | sed -u
>> 's/^[0-9]*$/\n==&==============================/g'"
>>
>> echo ""
>> echo "NB: if it do not works, edit script so that STDERR2DEVNULL=\" \"
>> and try again"
>> echo ""
>> echo "NB: remember to quote and escape match patterns, using triple slash"
>> echo "    eg, for matching 1010 at pbx.example.com, use \"
>> 1010 at pbx.example.com\""
>> echo "    eg, for matching anything, use \"\\\\\\.*\""
>> echo "    eg, for matching *98, use \"\\\\\\*98\""
>> echo "USAGE: $0 \"\\\\\\*98 at pbx.example.com\""
>> echo ""
>>
>>
>> case "$1" in
>>         -help|--help|?)
>>         exit 0
>>         ;;
>> *)
>>         echo "THIS TIME WE'RE DOING:"
>>         echo "tshark $ARGUMENT"
>>         echo ""
>>         bash -c "tshark $ARGUMENT"
>>         ;;
>> esac
>>
>>
>>
>> --
>>
>> Sincerely,
>>
>> Giovanni Maruzzelli
>> OpenTelecom.IT
>> cell: +39 347 266 56 18
>>
>
>
>
> --
>
> Sincerely,
>
> Giovanni Maruzzelli
> OpenTelecom.IT
> cell: +39 347 266 56 18
>
>
> _______________________________________________
> Users mailing listUsers at lists.opensips.orghttp://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
>


-- 

Sincerely,

Giovanni Maruzzelli
OpenTelecom.IT
cell: +39 347 266 56 18
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20170509/4e706831/attachment-0001.html>


More information about the Users mailing list