How to decode SIP/TLS with Wireshark and Decrypting SRTP

2022.06.30

See encrypted SIP packets

IP-PBX that communicates with SIP may use UDP or may be encrypted with TCP/TLS.
If it’s encrypted, you can’t see it with Wireshark.

It is possible to visualize (decrypt) the encrypted SIP by obtaining the private key from the SIP server and loading it into Wireshark.
Useful for troubleshooting, etc.

You can also check SIP/TLS from the browser using Homer introduced below.

How to install Homer using yum command.
Homer is work on Web browser. It able to showing lists of CDRs and displaying SIP flow for each call. And you can see raw SIP packet for each call from browser.
cedarvalley.info
2023.07.02

Get private key

For Asterisk, it is in /etc/asterisk/keys/asterisk.key like this.

cat /etc/asterisk/keys/asterisk.key
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDJPR23Oc+riWUqolENmurMBnVAieuMEhVb0hBlm0qskPqH+OXl
Yto/lgZF9FPl0lGFKPPOUTVW8bOz4B4l7HEXUWp4nOGXVbdSN8qNsgE462FDrjwt
zH7wWGtD+18Nm7KtRc3Mr2w8AxTT9+VjUwRjj2zP7Quof0AQ8lo3oY4qzwIDAQAB
AoGAGnAfEU1VDTI1yk4c2+64XimTCfGUsohFqhSE9vRZ8SXy5B49Bc/g4G2zUUly
JEVnVFk2/qoIme2TMFSHYXAYwz3YvGuG20MsAnnjVlf1/0/OAZt8DPFGCsUO5I9j
:
:
Dl1jQWoamhsDqsUhKmpa88k9R7zorVFmxwJBALVM7vixEnG3I7JDT8VKnZqdkan4
jArCp6xu7TAWLGii2JiA8kXKrbTcZKpeFAVYRQNYajnbyXEU3g6QAM0LGEkCQCbK
ojNM1cAuyr6WpB+wmIkzVJ7EqqMVozrhYOo2enVI8HevOnQPjgg5p/rPRD4asXxU
v4+hgYcX0WLDQOlA5lsCQQDNfxyuNDNUZNaLkT71Yb4d9J6qtiXEdJpeWJeF6gRK
Pg1L0kWOL5tttAtlsDA12NVDTSn2C636+8xuMTJEqjJ3
-----END RSA PRIVATE KEY-----

Import key to Wireshark

Wireshark > Preferences…

Protocols >

Protocols > TLS > (Pre)-Master-Secret log filename
Set for private key.

Click for RSA keys list.

Click + and then add items as below.

・IP address :
・Port :
・Protocol : sip
・Key File : specify private key

See decoded SIP packets

The protocol that was TLSv1.2 before decryption is displayed as SIP.

A SIP REGISTER decrypted from TLSv1.2 is displayed.

You can see also call flow.

TwitterFacebookLinkedInHatenaPocketCopy Link