Tom here from Lawrence Systems. We're going to talk about Wireshark and SIP. There's a lot of fun you can have because Wireshark has built-in ways to decode SIP calls, and I want to cover how that works. And of course at the end we'll cover how to mitigate against that. And I just think it's kind of a fun technical dive into a couple of things I've talked about before and showing them, well, somewhat of a practical use if this is something you want in terms of sniffing out packets and seeing how it goes. It's also a fun learning exercise to learn how the SIP protocol works and what you can glean from sniffing the packets. Before we dive into that, let's first...

If you'd like to learn more about me and my company, head over to LawrenceSystems.com. If you'd like to hire us for a short project, there's a Hire Us button right at the top. If you'd like to help keep this channel sponsor-free, and thank you to everyone who already has, there is a Join button here for YouTube and a Patreon page. Your support is greatly appreciated. If you're looking for deals or discounts on products and services we offer on this channel, check out the affiliate links down below. They're in the description of all of our videos, including a link to our shirt store. We have a wide variety of shirts that we sell, and new designs come out, well, randomly. So check back frequently. And finally, our forums. Forums.LawrenceSystems.com is where you can have a more in-depth discussion about this video and other tech topics you've seen on this channel.

Now back to our content. Not a prerequisite for this video, but I want to mention remote real-time packet capture with Wireshark and pfSense is a video I've done previously. That's the methodology I'll be using. Capture packets any way that you see fit. To me, this is the easy way to do it because I happen to have a pfSense on my network, and we're going to filter it for this particular device next to me. The device next to me is a Sangoma phone.
And I'm just using the standard SIP protocol because it's the most common protocol out there for the way things are transported. The server we're going to be using is not a FreePBX server. We'll actually have this set up, and these will be some future videos I do where you can set phones up, whatever SIP phone you'd like, directly with a VoIP.ms account. This is our McTestFace account specifically that we're using. And so don't worry about any phone numbers and things I show. This is what we're always using McTest for, is for testing, because sometimes people see a number and they feel compelled to call it. That's perfectly fine. This is not a customer phone number. I don't know why you would call it. I don't know if I'll answer it if you do call it. Anyways, not to get off topic. But this is set up with the cloud NVR system using SIP, using VoIP.ms. I have a review link to VoIP.ms for those of you curious.

And towards the end, we're going to cover call encryption and how to get around this, and turning on call encryption, which of course is supported by VoIP.ms for those wondering. And one last thing I'll mention, I'll leave an article here. This is one of the reasons that when you use SIP, because not every SIP device has support for call encryption, once you see what we can do without encryption, you may want to consider encryption. But it's also not as big of a deal as you might think because of the passwords that are being passed back and forth. Yes, SIP uses MD5 for password cracking. But this is why you use really long, random SIP passwords to help mitigate this problem of someone getting in there and potentially grabbing this traffic and pulling your password. I'll leave a link to this article. I'm not going to dive into the nuance; it goes out of scope of this. But let's have the fun part and talk about how this is going to work.

So here's our Wireshark -k -i SSH root 3.1. There's our pfSense we're logging into; we're using tcpdump.
It's attached to our LAN, which is on igb0. The host we're filtering for is only one host. Now the reason, and like I said, I have a reference video on this, is I don't want all the noise on the network. I want just the noise that's related to this particular phone. And once again, we see the IP address of the phone. So let's go ahead and kick off that command here. And it's going to kick off Wireshark, and it's going to drop it right in listen mode. And not much going on. Let's make a phone call.

So we're going to call my office, so you don't have to wonder what numbers I'm dialing or play games of DTMF tones. So we're calling my main office number, that I just dialed wrong. I think I sure did. So don't listen to those DTMF tones. There we go. Didn't press the button. All right. Pretty simple. That was test one. Let's do one more test where I dial an extension. There we go. I set this extension up. You can hear some echo because it's canceling the noise cancellation. So it doesn't just... you get the idea. Anyways, now we have data. We've watched all the data go across here. And now we can actually stop Wireshark if we don't need to collect any more.

Go here. And hey, look, here is all the stuff. Here's our SIP. We've got a lot of good information here. We can see it going through. We can probably see the transport layer, McTest. All right, great. All these different statuses. What does all this mean? What are these RTP streams? Well, that's where Wireshark becomes fun, and we can go right here to VoIP Calls. And there's our first call. Let's play it. And I'm going to turn the volume up on my laptop here so it should be able to pick up on the microphone, and hit play. All right, let's try that other one where we actually press a lot more buttons. All right, you kind of see what happened here. We were able to dive into it, grab the stream, replay it back. And all I had to go to was Telephony, VoIP Calls, and it plays them. Now, there's also a lot more you can, of course, do.
You can follow the SIP statistics. We can pull this together. And one of the things that, so besides the fun that we just had in being able to easily play back a phone call, this is where you can dive into and use this to troubleshoot SIP problems you're having. This is one of the tools that we actually use when troubleshooting networks that, well, they have problems. This is the best way to describe it. Someone wants us to dive deep into something, and Wireshark can help us go through, look for problems, look for what flows aren't working. My network's set up properly, so everything works properly. So it's not a big deal.

By the way, in case you're wondering, as this question comes up, this is all done with SIP NAT, which means there's no open ports on the firewall to make this happen. SIP NAT means it reaches out to register with the servers, which is, of course, supported by VoIP.ms, to bring the registration back, and no ports had to be opened. There's no special configuration in my pfSense. Matter of fact, I've tested this by taking this phone to different places. It works through the majority of firewalls that we've goofed around and tested with without doing any port forwarding. I bring that up because some people ask me why you need port forwarding for SIP. And the answer is, if you don't have a provider that properly supports SIP NAT, you'll need that.

But back over to here, one of the other things you can see here is by following the SIP flows. Now, you're actually looking at the calls. Notice anything about these calls? 313-299-1503? Yes, that's our office number, published on our website, so I didn't reveal any secrets here. But you're also diving into what step occurred for each piece so you can go back and look at those streams. This is what's important about when you're troubleshooting: being able to go back through here, look at what happened, and of course, maybe what didn't happen.
And you do this by a comparison where you'll take a packet from a phone system by looking at them and go, okay, this one the call went through, but this other phone on the other office didn't. So you'll trace them, you'll do some compare and contrast here to go, all right, which one of these worked.

But of course, I said I'd tell you how to fix this. So let's go ahead and close all this. I don't need to save any of these packets. And let's go and make changes to this system that allow it to be encrypted. Now, like I said, the password was passed through MD5. That is still going to be the case. But if we wrap this in a layer of encryption, it's going to be a little harder to trace. So go ahead and let's dive into that. Go over here to VoIP.ms, and this is the sub account for Mr. McTestFace, and McTestFace needs encryption. So we go here, Advanced. We just set Encrypt SIP Traffic to Yes. We hit Update Account. I get a notice that it takes one minute for this to take effect. Cool. So not a problem there. They have an entire write-up, pretty easy. You could click the question mark for how to set the settings for these accounts, how to do that. And then, of course, the notes of what you need to do.

Now, there's so many different softphones and PBXs. Let's talk about the options. I'm going to walk you through how to do it in Sangoma. But these instructions are kind of generic, of course, to apply to whatever you're doing, whatever type of SIP client you have. That being said, please note not all SIP clients will be able to support this. But the Sangoma phone does support this. Now, the first thing we do is we're going to change this from 5060 to 5061. So there we go. Then we've got to go here and we change it to TLS. And this is going to be the transport layer security that we're implementing. So those are two changes that need to be done there. Then we'll go ahead and hit Save and Set. Oops, it wasn't logged in because it timed out.
Yes, it's all... it's a default password. Someone's going to go, "Tom, you left it at default." Yeah, it's a lab demo. If you don't know, the Sangoma default password is 222222. Anyways, six twos, if I didn't say enough. So TLS, 5061, make sure it's Save and Set, Account, Advanced. One more thing we need to set here. Go down and find the SRTP mode, and we want to set Enabled and Required. That's actually part of the instructions here, that you'll have to set Enabled and Required. And right there's where it said to use 5061. They have some other options if you need other ports.

Back over to the phone, though. We're going to go ahead and Save and Set. And for good measure, I always like to restart the phone after I've saved all the settings. We'll reboot it. I'll just fast forward to the phone being already rebooted and confirm that it registered. That way we know it works, because having a setting in there... I always like to reboot things because eventually they'll get rebooted. So I like to make sure that they work on reboot, not just when I click the button now. So as this reboots, we'll log back in. We log back in. We see the phone's registered, and let's go ahead and Wireshark it again. So we're going to go ahead and just up arrow, enter. All right. And history. We'll just redial that number again and send.

"Thank you for calling Lawrence Systems, and we hope you're having a fantastic day. If you know your party's extension, you can dial it at any time. Currently our retail office as well..."

All right, we have some data now. Let's start digging through this and figure out what Wireshark is able to see this time. Telephony and VoIP Calls. Nothing. That was encrypted, so I can't tap the phone anymore. Well, that's no fun. What else can we see? Well, let's look at the SIP flows. Nothing. Well, that didn't help me much. SIP statistics. Don't even think it's SIP traffic anymore. Now, this is where the good and bad comes in.
By doing this, one, I have now prevented anyone who could possibly get in between me and my VoIP provider from tapping the phone calls. And that, you know, could be an issue. This is one of the reasons we generally will put phones on a separate network. And there's tools like LLDP that allow you to automatically do this with VLANs, etc. But the other side of this is this makes SIP troubleshooting substantially harder. Not that that's an excuse, but sometimes when you're first trying to test something, you may want to test it unencrypted, go through the troubleshooting process. But then once you know it works, change those couple settings real quick and move it towards encrypted. And this is the good and bad.

I know there's going to be a bunch of people angry that I would ever say it's okay to use unencrypted SIP. The reality is you live in the real world. One, you run into tons of systems, especially older systems that we deal with, that just don't have these supports. They don't support UDP and a TLS layer together. That's just not part of their function. Or you'll just run into troubleshooting issues where it's just easier, and just change the password later. It's just kind of a process by which you do it. Now, by the way, if you didn't notice in here, everything is still being transferred over UDP because it's the way phone traffic is done, but it's done so completely in an encrypted manner. So, you know, it's a lot more protected.

Now, like I said, this is a whole process and learning, in my opinion. So being able to use these tools, being able to do this, gives you some better ideas of how these transport layers work, how they can be looked at, how they can possibly be exploited. And I just want to raise awareness of it and get people playing. One of the goals I always have with this channel is to get more people into technology, and it will allow a lot of home lab people. This is a fun thing you can do when you're going, okay, I built all this fun stuff.
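As an added example that is not from the video, VoIP.ms or Sangoma, here is a Python audit of captured SIP messages that does in code what the Telephony > VoIP Calls view made visible by eye: it flags cleartext signaling on UDP/5060, reads the SDP m=audio profile to tell plain RTP/AVP from SRTP (RTP/SAVP), reports TLS/5061 records as opaque, and adds one check the video does not cover: an SDES a=crypto key carried inside cleartext signaling is readable by the same sniffer, so SRTP without TLS signaling still leaves the audio recoverable. The profile check also recognises the UDP/TLS/RTP/SAVP profile used by DTLS-SRTP, which goes beyond the video's setup. All sample records, hosts, numbers, Call-IDs and the key string are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed sample records (placeholders, not the video's capture): the
# transport Wireshark would label, the destination port, and the decoded SIP
# text, or None when the payload is a TLS record and therefore opaque.
SAMPLE_MESSAGES = [
    # Call A: SIP over UDP/5060 with media offered as plain RTP/AVP.
    ("UDP", 5060,
     "INVITE sip:2015550123@sip.example.net SIP/2.0\r\n"
     "From: <sip:100000_mctestface@sip.example.net>;tag=1\r\n"
     "To: <sip:2015550123@sip.example.net>\r\n"
     "Call-ID: call-a@192.0.2.10\r\n"
     "Content-Type: application/sdp\r\n\r\n"
     "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 10000 RTP/AVP 0 8 101\r\n"),
    # Call B: signaling still in the clear, media offered as SRTP (RTP/SAVP)
    # with the key carried inline in an a=crypto (SDES) line.
    ("UDP", 5060,
     "INVITE sip:2015550124@sip.example.net SIP/2.0\r\n"
     "From: <sip:100000_mctestface@sip.example.net>;tag=2\r\n"
     "To: <sip:2015550124@sip.example.net>\r\n"
     "Call-ID: call-b@192.0.2.10\r\n"
     "Content-Type: application/sdp\r\n\r\n"
     "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 10002 RTP/SAVP 0 8 101\r\n"
     "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_BASE64_KEY\r\n"),
    # Call C: after the phone moves to TLS on 5061 the sniffer sees only TLS
    # records; the INVITE and its SDP cannot be recovered from the capture.
    ("TLS", 5061, None),
]

@dataclass
class Finding:
    call_id: str
    transport: str
    port: int
    signaling: str                   # "cleartext" or "encrypted"
    media: str                       # "unencrypted", "srtp" or "unknown"
    recoverable_audio: bool = False  # could audio be replayed from this capture?
    notes: list = field(default_factory=list)

def parse_sip(raw):
    """Split a SIP message into start line, lower-cased header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def classify_media(sdp):
    """Read the m=audio profile: RTP/AVP is plain RTP; anything ending in
    RTP/SAVP (including UDP/TLS/RTP/SAVP for DTLS-SRTP) is SRTP."""
    for line in sdp.split("\r\n"):
        if line.startswith("m=audio"):
            fields = line.split()
            profile = fields[2] if len(fields) > 2 else ""
            if profile.endswith("RTP/SAVP"):
                return "srtp"
            if profile.endswith("RTP/AVP"):
                return "unencrypted"
    return "unknown"

def classify(transport, port, raw):
    """Produce one Finding for a captured SIP message or an opaque TLS record."""
    if raw is None or transport.upper() == "TLS":
        return Finding("(opaque)", transport, port, "encrypted", "unknown",
                       notes=["TLS signaling: SDP and any SRTP keys hidden from a sniffer"])
    _, headers, body = parse_sip(raw)
    f = Finding(headers.get("call-id", "(missing)"), transport, port, "cleartext", "unknown")
    f.notes.append("cleartext SIP: From/To numbers and the digest challenge are visible")
    if headers.get("content-type", "").startswith("application/sdp"):
        f.media = classify_media(body)
        if f.media == "unencrypted":
            f.recoverable_audio = True
            f.notes.append("RTP/AVP offered: the RTP stream is replayable from a capture")
        elif f.media == "srtp" and "a=crypto:" in body:
            # SDES puts the SRTP key in the SDP, so cleartext signaling hands it
            # to anyone on the path: SRTP only helps when signaling is TLS too.
            f.recoverable_audio = True
            f.notes.append("a=crypto key exposed in cleartext signaling; SRTP adds no protection here")
    return f

def audit(records):
    """Classify every captured record, in capture order."""
    return [classify(transport, port, raw) for transport, port, raw in records]

def needs_attention(findings):
    """Call-IDs whose audio could be replayed from the capture."""
    return [f.call_id for f in findings if f.recoverable_audio]

if __name__ == "__main__":
    for f in audit(SAMPLE_MESSAGES):
        print(f"{f.call_id:<20} {f.transport}/{f.port}  signaling={f.signaling}  "
              f"media={f.media}  recoverable_audio={f.recoverable_audio}")
        for note in f.notes:
            print("   -", note)
```

Run it directly to get one line per record plus its notes. Feeding it (transport, port, payload) records pulled from your own unencrypted test capture is a quick way to confirm a phone really negotiates RTP/SAVP before you flip the account and the phone over to TLS on 5061, after which the capture shows nothing to audit.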
What can I do with it? This is a great way to dive in to get a better understanding of network engineering and, you know, apply it with all the different phone systems you have. It's always fun to me, diving into the packets and looking at the flows and everything else. I'll leave a link to the other videos I've done on Wireshark and of course the one I did on my pfSense. And let me know what else you'd like, and leave some comments below or head over to our forums to have a further and more in-depth discussion. Thanks.

And thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general. Even suggestions for new videos, they're accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.