Hi all, has anyone been able to use sngrep (with the -k option) to decrypt TLS connections? I'm doing what the help says; the private key used is the correct one; but no traffic is seen in sngrep. If I use a non-encrypted call I can see everything, so sngrep is working fine.
Any hint?
regards
-- Sent from: http://sip-router.1086192.n5.nabble.com/Users-f3.html
As I remember, sngrep doesn't work with TLS 1.3, so maybe that is your case.
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hello,
there were some limitations in sngrep for capturing TLS traffic:
* https://github.com/irontec/sngrep/issues/112
Not sure if there was any work afterwards to improve it. The best place to ask is on the sngrep project.
Anyhow, I want to add that if you use Kamailio, then you can load the sipdump module and get the traffic stored in pcap files -- it requires master branch:
* https://www.kamailio.org/docs/modules/devel/modules/sipdump.html#sipdump.p.m...
For stable branches, sipdump can store the traffic in text files.
Cheers, Daniel
There are two options:
1- use the SIPDUMP module to dump all SIP packets into a log file: SIPDUMP Module
2- use the SIPTRACE module and broadcast SIP traffic from Kamailio to any local port, then capture it through sngrep -p BROADCAST_PORT: SipTrace Module

loadmodule "siptrace.so"
# check IP and port of your capture node
modparam("siptrace", "duplicate_uri", "sip:127.0.0.1:9060")
modparam("siptrace", "hep_mode_on", 0)
modparam("siptrace", "trace_to_database", 0)
modparam("siptrace", "trace_flag", 22)
modparam("siptrace", "trace_on", 1)
# modparam("siptrace", "hep_version", 3)
modparam("siptrace", "xheaders_write", 1)

In the routing script use:
setflag(22);
sip_trace();

This will broadcast the SIP packets to local port 9060 and you can capture them through sngrep. I hope it will help.
Thanks Daniel and me.projects@yahoo.com. I used SIPDUMP and it works perfectly!
regards
Hi again, I sang victory too soon :-(
It's working perfectly if the SIP calls are UDP or TCP based. If they are TLS, very strange thing, I can see all the trace inside the .data file created by siptrace, but if I open that file using sngrep, TLS calls are never displayed. Any idea? If not, anyway, I would like to ask you what the best way to troubleshoot TLS calls is. What do you guys use?
Best regards
Hi,
you can also set up a Homer docker instance and use Kamailio as an active HEP client (Homer Encapsulation Protocol).
https://github.com/sipcapture/homer/wiki So Kamailio sends copies of the signaling traffic via HEP to Homer and you can investigate it there.
Cheers, Karsten Horsmann
Thank you for the advice! Now I can see TLS calls as well (using HOMER 7 on docker).
Regards
Hello,
the .data file has the content in plain text; it is not the pcap format expected by sngrep. In master branch (to become the future major release), the sipdump module can be configured to also write a .pcap file, then you can see its content with sngrep like:
tail -c +1 -f /tmp/kamailio-sipdump-xyz.pcap | sngrep -I -
Probably I should make a news/blog post about what sipdump can do, to make it easier to use.
An extra tip, which I haven't tried: if you compile from sources, the sipdump module from master branch may just work in the 5.4 version by overwriting its files.
Cheers, Daniel
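The .data versus .pcap mix-up above is easy to hit by hand, so here is a small POSIX shell helper, added as an example and not code from the thread or from the Kamailio or sngrep projects. It checks a file's first four bytes for a libpcap or pcapng magic number before building the tail pipeline Daniel gave, so a sipdump text file is rejected instead of showing up in sngrep as "no calls". It assumes only that sngrep is on PATH when the printed pipeline is actually run; the pcap header and the stand-in .data file at the bottom are constructed inline for the demo and the file names are made up.

```shell
#!/bin/sh
# Added example, not from the thread or the Kamailio/sngrep projects.
# sipdump's .data file is plain text; only a real pcap can be fed to
# "sngrep -I -". Check the magic bytes before building the pipeline.

# is_pcap FILE: return 0 if FILE starts with a libpcap magic number (either
# byte order, microsecond or nanosecond variant) or the pcapng section header
# block type, else return 1.
is_pcap() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# sngrep_follow_cmd FILE: print the command that tails a growing pcap into
# sngrep (the pipeline from the message above); refuse non-pcap input so a
# .data text file is not silently opened as a capture.
sngrep_follow_cmd() {
    if is_pcap "$1"; then
        printf 'tail -c +1 -f %s | sngrep -I -\n' "$1"
        return 0
    fi
    printf 'refusing %s: not a pcap file (sipdump .data is plain text)\n' "$1" >&2
    return 1
}

# Demo with constructed files (no real capture needed): a 24-byte little-endian
# libpcap global header (magic d4c3b2a1, version 2.4, snaplen 65535, link type
# Ethernet) and a text file standing in for sipdump's .data output. File names
# are hypothetical.
demo_dir=$(mktemp -d)
printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' \
    > "$demo_dir/kamailio-sipdump-demo.pcap"
printf 'time: 1607749800\nsrc: tls:10.0.0.1:5061\n' > "$demo_dir/kamailio-sipdump-demo.data"
sngrep_follow_cmd "$demo_dir/kamailio-sipdump-demo.pcap"
sngrep_follow_cmd "$demo_dir/kamailio-sipdump-demo.data" || echo "as expected, the .data file was rejected"
rm -rf "$demo_dir"
```

Run the printed pipeline against the real sipdump output path; the magic check is deliberately done on the file rather than on its extension, because a renamed .data file would otherwise pass.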