
Decrypting SRTP stream from a PCAP

Note: This is an advanced document for advanced users who are able to compile open source software on a Linux operating system and who have knowledge of packet capture analysis, SIP/SDP and SRTP. Sansay Support does not support any issues setting up this kind of environment or problems following this procedure.

This document illustrates the steps and requirements to set up a host running Ubuntu or CentOS Linux to decrypt an SRTP packet stream that is encrypted with a particular cipher and carries an authentication tag at the end of each packet, so that the SRTP can be “restored” to a plain RTP stream and played using popular utilities like Wireshark.

Setup for libsrtp:

From the terminal window, run the following command to download the libsrtp package:

or download the package in <libsrtp>.tar.gz format and untar it:

  • tar xzvf <libsrtp>.tar.gz
  • change to the expanded directory ~/libsrtp

build the executable:

  • ./configure
  • make

What’s needed to run libsrtp

The executable, rtp_decoder, converts (decrypts) the SRTP packets in a pcap file into a text-based output. To convert the text-based output back to pcap format, the Wireshark utility “text2pcap” can be used. Of course, the decryption requires the crypto suite (cipher) and key. They are usually available from the SDP portion of the SIP signaling, in lines like these:

a=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:pSqmhCCRVyF2/FUF8BrITZCXdljkOlpb0QuJlIYD
a=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:8O60Hwzlgy5QLtn6YuevzuJJ8Qivt3EgKYKD408a
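As an added example (not part of the original document and not libsrtp code), the following Python parses an SDP a=crypto line into the pieces rtp_decoder needs: the crypto suite, the auth tag size for -t and the base64 key for -b. It also splits the decoded inline material into the 16-byte master key and 14-byte salt, so the result can be compared with the “set master key/salt to …” line that rtp_decoder prints. The suite-to-tag-length table and the optional |lifetime|mki:length key parameters follow RFC 4568; the function and variable names are my own.

```python
import base64
import re

# Auth tag length in bytes per crypto suite: the value to pass to rtp_decoder -t
# (suite names from RFC 4568 / RFC 6188).
TAG_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 10,
    "AES_CM_128_HMAC_SHA1_32": 4,
    "AES_256_CM_HMAC_SHA1_80": 10,
    "AES_256_CM_HMAC_SHA1_32": 4,
}
# Master key length in bytes per suite; the inline material is key || 14-byte salt.
KEY_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 16,
    "AES_CM_128_HMAC_SHA1_32": 16,
    "AES_256_CM_HMAC_SHA1_80": 32,
    "AES_256_CM_HMAC_SHA1_32": 32,
}
SALT_LEN = 14

CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:(\S+)(?:\s+(.*))?$")


def parse_crypto_line(line):
    """Parse one SDP a=crypto line into the pieces rtp_decoder needs."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError("not an a=crypto line: %r" % line)
    tag, suite, key_params, session_params = m.groups()
    if suite not in TAG_LEN:
        raise ValueError("unsupported crypto suite: %s" % suite)
    # key_params is "<base64 key||salt>[|lifetime][|mki:mki_length]"
    parts = key_params.split("|")
    b64 = parts[0]
    # Some endpoints omit base64 padding; restore it before strict decoding.
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    expected = KEY_LEN[suite] + SALT_LEN
    if len(raw) != expected:
        raise ValueError("decoded %d bytes, expected %d for %s" % (len(raw), expected, suite))
    lifetime, mki = None, None
    for p in parts[1:]:
        if ":" in p:
            idx, length = p.split(":", 1)
            mki = (int(idx), int(length))
        else:
            lifetime = p
    return {
        "tag": int(tag),
        "suite": suite,
        "tag_len": TAG_LEN[suite],
        "key_b64": b64,
        "key_hex": raw[:KEY_LEN[suite]].hex(),
        "salt_hex": raw[KEY_LEN[suite]:].hex(),
        "lifetime": lifetime,
        "mki": mki,
        "session_params": session_params,
    }


def rtp_decoder_args(parsed):
    """Build the -t/-s/-b argument list for rtp_decoder from a parsed a=crypto line."""
    return ["-t", str(parsed["tag_len"]), "-s", parsed["suite"], "-b", parsed["key_b64"]]


if __name__ == "__main__":
    # Sample input: the two a=crypto lines quoted in this document
    for line in [
        "a=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:pSqmhCCRVyF2/FUF8BrITZCXdljkOlpb0QuJlIYD",
        "a=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:8O60Hwzlgy5QLtn6YuevzuJJ8Qivt3EgKYKD408a",
    ]:
        p = parse_crypto_line(line)
        print("master key/salt %s/%s  ->  rtp_decoder %s"
              % (p["key_hex"], p["salt_hex"], " ".join(rtp_decoder_args(p))))
```

For the first a=crypto line above, the decoded master key/salt is a52aa6842091572176fc5505f01ac84d/90977658e43a5a5bd10b89948603, which is exactly what rtp_decoder prints in the “Not Working?” section of this document; a mismatch there means the wrong crypto line (for example the answer's instead of the offer's, or the other direction of the call) was used.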

Use the following command to convert SRTP to RTP:

./rtp_decoder -a -t 10 -s AES_CM_128_HMAC_SHA1_80 -b pSqmhCCRVyF2/FUF8BrITZCXdljkOlpb0QuJlIYD  < ../../phone.com_SRTP_172.16.187.32_to_72.1.47.173.pcap | text2pcap -t "%M:%S." -u 10000,10002 - - > ../../phone.com_SRTP_172.16.187.32_to_72.1.47.173_decoded.pcap

where:

  • “-t 10” is the auth tag size in bytes; if AES_CM_128_HMAC_SHA1_32 is used, then use “-t 4”
  • “-u 10000,10002” are the port numbers text2pcap uses as source and destination UDP ports in the generated headers

When the command completes, the terminal screen will show one entry per packet written to the output PCAP file, followed by a total count, like below.
....
Wrote packet of 214 bytes.
Wrote packet of 214 bytes.
Read 27621 potential packets, wrote 27621 packets (6352854 bytes).


Not Working?

If the supplied cipher and key are correct but the rtp_decoder command yields no output packets (0), like below:

Using libsrtp2 2.3.0-pre [0x2030000]
Input from: Standard input
Output to: Standard output
Output format: PCAP
Generate dummy Ethernet header: Protocol: 0x800
Generate dummy IP header: Protocol: 17
Generate dummy UDP header: Source port: 10000. Dest port: 10002
security services: confidentiality message authentication
setting tag len 10
set master key/salt to a52aa6842091572176fc5505f01ac84d/90977658e43a5a5bd10b89948603
Starting decoder
Read 0 potential packets, wrote 0 packets (24 bytes).


it’s possible that the SRTP pcap file was captured without specifying a capture interface. This can usually be seen in the Wireshark decode as “Linux cooked capture” in the Ethernet/MAC layer section. The “Linux cooked capture” header is 16 bytes long, as opposed to the 14-byte Ethernet header that carries the source and destination MACs and the protocol type. In this case, the Ethernet headers in the captured file need to be rewritten before rtp_decoder will work.

The “tcpreplay” suite (specifically its tcprewrite utility) can be used for this purpose.
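As an added example (not from the original document and not tcpreplay code), the following Python performs the same check and rewrite without tcprewrite: it reads the pcap global header to report the link-layer type (1 = Ethernet, 113 = Linux cooked capture), and replaces each 16-byte SLL header with a 14-byte Ethernet header carrying the same dummy MACs as the tcprewrite command later in this document, with the EtherType taken from the SLL protocol field. The sample capture is constructed inline with zero IP/UDP checksums; only classic pcap is handled, not pcapng; all names are my own.

```python
import struct

# Link-layer types as stored in the pcap global header
LINKTYPE_ETHERNET = 1
LINKTYPE_LINUX_SLL = 113      # "Linux cooked capture"
SLL_HDR_LEN = 16              # pkttype(2) arphrd(2) addrlen(2) addr(8) protocol(2)
ETH_HDR_LEN = 14              # dmac(6) smac(6) ethertype(2)

# Dummy MACs, the same values as the tcprewrite command in this document
DUMMY_DMAC = bytes.fromhex("525400111111")
DUMMY_SMAC = bytes.fromhex("525400222222")


def read_global_header(data):
    """Return (endianness, linktype) of a classic pcap file; pcapng is not handled."""
    if len(data) < 24:
        raise ValueError("file too short to be a pcap")
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):   # usec / nsec, little-endian
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # usec / nsec, big-endian
        endian = ">"
    else:
        raise ValueError("unknown pcap magic %r (pcapng?)" % magic)
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    return endian, linktype


def needs_rewrite(data):
    """True when the file is Linux cooked capture, the case rtp_decoder reads 0 packets from."""
    return read_global_header(data)[1] == LINKTYPE_LINUX_SLL


def sll_to_ethernet(data, dmac=DUMMY_DMAC, smac=DUMMY_SMAC):
    """Rewrite a LINUX_SLL pcap into an Ethernet pcap (the effect of tcprewrite --dlt=enet).
    Returns (new_pcap_bytes, packets_rewritten)."""
    endian, linktype = read_global_header(data)
    if linktype != LINKTYPE_LINUX_SLL:
        raise ValueError("input link type is %d, not LINUX_SLL" % linktype)
    out = bytearray(data[:20]) + struct.pack(endian + "I", LINKTYPE_ETHERNET)
    off, count = 24, 0
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        off += incl_len
        if len(pkt) < SLL_HDR_LEN:
            raise ValueError("truncated packet at offset %d" % (off - incl_len))
        ethertype = pkt[14:16]                     # SLL protocol field, network byte order
        new_pkt = dmac + smac + ethertype + pkt[SLL_HDR_LEN:]
        out += struct.pack(endian + "IIII", ts_sec, ts_frac, len(new_pkt),
                           orig_len - (SLL_HDR_LEN - ETH_HDR_LEN))
        out += new_pkt
        count += 1
    return bytes(out), count


def build_sample_sll_pcap(payloads, sport=10000, dport=10002):
    """Construct a small little-endian SLL pcap of IPv4/UDP packets carrying the given
    payloads. Constructed test data only; IP/UDP checksums are left at zero."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_LINUX_SLL))
    for i, payload in enumerate(payloads):
        udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes([172, 16, 187, 32]), bytes([72, 1, 47, 173])) + udp
        # SLL: pkttype=0 (to us), ARPHRD_ETHER=1, addrlen=6, 6-byte addr + 2 pad, proto IPv4
        sll = struct.pack("!HHH", 0, 1, 6) + bytes.fromhex("0242ac110002") + b"\x00\x00" + b"\x08\x00"
        pkt = sll + ip
        out += struct.pack("<IIII", 1700000000 + i, 0, len(pkt), len(pkt)) + pkt
    return bytes(out)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read()
    if needs_rewrite(data):
        fixed, n = sll_to_ethernet(data)
        open(sys.argv[2], "wb").write(fixed)
        print("rewrote %d packets from Linux cooked capture to Ethernet" % n)
    else:
        print("link type %d, no rewrite needed" % read_global_header(data)[1])
```

Run it as `python3 sll2eth.py input.pcap output.pcap`; the output file is then usable as the input to the rtp_decoder command above. The per-record lengths shrink by exactly 2 bytes, which is the difference between the two header sizes described above.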

Setting Up tcpreplay:


For Ubuntu, use the following command:

  • sudo apt-get install tcpreplay

For CentOS, there is no yum repository (except on CentOS 7), so use the following commands to download <tcpreplay>.tar.gz:


To untar the file:

  • tar xvfz tcpreplay-3.4.4.tar.gz

To build:

  • cd tcpreplay-3.4.4
  • ./configure --enable-dynamic-link
  • make


After the build completes, the following command rewrites the Ethernet headers from the input file (-i) into the output file (-o):

  • tcpreplay-3.4.4/src/tcprewrite --dlt=enet --enet-dmac=52:54:00:11:11:11 --enet-smac=52:54:00:22:22:22 -i testpcap/phone.com_SRTP_72.1.47.173_to_172.16.187.32.pcap -o testpcap/sll_72.pcap

Then use the output file as the input for the rtp_decoder command. 
