[OpenSIPS-Users] TLS SIP packet tracing and visualization

Giovanni Maruzzelli gmaruzz at gmail.com
Tue May 2 10:52:14 EDT 2017


For a cut-and-paste-ready version with the correct carriage returns
(mangled by mail), check it in the FreeSWITCH documentation:

https://freeswitch.org/confluence/display/FREESWITCH/Packet+Capture#PacketCapture-TLSwithsharka

-giovanni

On 2 May 2017 at 16:26, Giovanni Maruzzelli <gmaruzz at gmail.com> wrote:

> Hello fellows,
>
> after some experimentation with various tools, I came up with a little
> shell tool that may be useful to you too.
>
> It can only work with non-forward-secrecy ciphers, obviously, and only if
> it is started before the client does the initial TLS handshake (e.g., just
> restart the client). Forward secrecy cannot be decrypted after the fact, so
> don't waste effort.
>
> An example of ciphers that can be decrypted is the "AES256-SHA" OpenSSL
> cipher group. You can use ssldump to check which cipher is used in the
> ServerHello.
>
> Enjoy, make it better, and share it :)
>
>
> #!/bin/bash
> # brought to you by Giovanni Maruzzelli
> #
> SERVERIP="192.168.1.150"
> SERVERPORT="5061"
> PRIVKEY="/etc/certs/privkey.pem"
> STDERR2DEVNULL=" 2>/dev/null "
> REGEX="notyet"
>
> if [ -z "$1" ]; then
>         REGEX="\\\.*"
> else
>         REGEX="$1"
> fi
> FILTER="ssl.app_data and sip matches"
> FILTER2="$FILTER \"$REGEX\""
> FILTER3="'$FILTER2'"
> # one single string: backslash-newline inside double quotes is a line continuation
> ARGUMENT="-i 1 -Y $FILTER3 -E header=y -T fields -e frame.number \
>   -e frame.time -e frame.time_delta_displayed -e ip.src -e ip.dst \
>   -e sip.Status-Line -e sip.Request-Line -e sip.msg_hdr -l \
>   -d tcp.port\=\=5061,sip -o \"ssl.keys_list: $SERVERIP,$SERVERPORT,sip,$PRIVKEY\" \
>   $STDERR2DEVNULL | sed -u 's/\t/\n/g' | sed -u '/^$/d' \
>   | sed -u 's/^[0-9]*$/\n==&==============================/g'"
>
> echo ""
> echo "NB: if it does not work, edit the script so that STDERR2DEVNULL=\" \" and try again"
> echo ""
> echo "NB: remember to quote and escape match patterns, using triple slash"
> echo "    eg, for matching 1010@pbx.example.com, use \"1010@pbx.example.com\""
> echo "    eg, for matching anything, use \"\\\\\\.*\""
> echo "    eg, for matching *98, use \"\\\\\\*98\""
> echo "USAGE: $0 \"\\\\\\*98@pbx.example.com\""
> echo ""
>
>
> case "$1" in
>         -help|--help|?)
>         exit 0
>         ;;
> *)
>         echo "THIS TIME WE'RE DOING:"
>         echo "tshark $ARGUMENT"
>         echo ""
>         bash -c "tshark $ARGUMENT"
>         ;;
> esac
>
>
>
> --
>
> Sincerely,
>
> Giovanni Maruzzelli
> OpenTelecom.IT
> cell: +39 347 266 56 18
>



-- 

Sincerely,

Giovanni Maruzzelli
OpenTelecom.IT
cell: +39 347 266 56 18
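As an added example (not Giovanni's script and not from the FreeSWITCH page): a small Python checker for the point made in the quoted message, that only suites with plain RSA key exchange can be decrypted with the server private key. It parses the ServerHello record that ssldump would show you and reports whether the negotiated suite is one the private key can unlock; the suite tables are a hand-picked subset of the IANA registry, and build_server_hello is a constructed helper that fabricates a test record.

```python
import struct

# Hand-picked subset of the IANA TLS cipher suite registry (real values).
# Plain-RSA key exchange: the client encrypts the premaster secret to the
# server's public key, so the server private key (tshark's ssl.keys_list)
# recovers the session keys.
RSA_KX_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",  # OpenSSL name: AES256-SHA
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
}
# (EC)DHE suites and every TLS 1.3 suite derive keys per session (forward
# secrecy): the private key alone can never decrypt these captures.
FS_SUITES = {
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256 (TLS 1.3)",
}

def server_hello_suite(record):
    """Return the cipher suite id from a raw TLS record carrying a ServerHello."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])  # record header
    if ctype != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if body[0] != 2:  # handshake message type 2 = ServerHello
        raise ValueError("not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # ServerHello: version(2) random(32) session_id_len(1) session_id cipher_suite(2) ...
    offset = 35 + hello[34]
    return struct.unpack("!H", hello[offset:offset + 2])[0]

def decryptable_with_server_key(record):
    """(True, name) when the server private key can decrypt the session, else (False, name)."""
    suite = server_hello_suite(record)
    if suite in RSA_KX_SUITES:
        return True, RSA_KX_SUITES[suite]
    return False, FS_SUITES.get(suite, "unknown suite 0x%04x" % suite)

def build_server_hello(suite, session_id=b""):
    """Constructed TLS 1.2 ServerHello record for offline testing (zero random, no extensions)."""
    hello = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
             + struct.pack("!H", suite) + b"\x00")  # final byte: null compression
    body = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(body)) + body
```

On a real capture, feed the bytes of the ServerHello record (the first server-to-client TLS record) to decryptable_with_server_key before spending time on the tshark run.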