For security reasons, some customers may choose to use TLS for the SIP transport. TLS encrypts the SIP signaling messages, but a packet capture will not reveal their content. To troubleshoot this, the signaling messages must be decrypted.
The first step is to capture the call. The call can have legs over TLS, UDP or TCP. Also, the ports can be 5060 or 5061 for Kamailio or 5050 for Asterisk.
To capture all of them, run the following command:
tcpdump -nni any -s 0 port 5050 or port 5060 or port 5061 -w /usr/local/voipnow/admin/htdocs/tls.pcap |
Take the private key and save it on your PC in a filename.key file. It should look like this:
-----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkahkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDLsm335w5i+BiY gg05NsBTR1ZTSbsMjkoprJoQ8KPxFvLGegwyWY+Fk25GmFCur7GfZYuYACXcU0H/ ... l7DtP+PYdC2Yz6lld8FO6LB6RgsZHnXlDj8yxhzeALDBRvZSt+of4iedEK1J+0pA zuqB/sOrM+e1J8z3vsF9kikZ -----END PRIVATE KEY---- |
Open Wireshark and go to Edit >> Preferences >> Protocols >> SSL >>Edit and do the exact setup you can see below. Use the file created earlier with the private key.
Now, Wireshark cannot decode the capture without the SSL handshake between the phone and the server included in the capture. The handshake looks like this:
This SSL handshake occurs during each phone reboot and following each TCP handshake.
At this point, the entire call flow should be visible.