Testing SIP Security on a Budget, Part 2
VoIP packet capture and analysis
One of the best ways to see what's happening inside your network is to capture and analyze traffic. This is just as true for VoIP as it was for data, even though you'll need a little extra assistance to reconstitute media streams.
Wireshark is a popular open-source packet capture and analysis tool that runs on many different platforms. Even if you already use Wireshark for data traffic, you might be surprised to see what the program can do with VoIP traffic. In the following example, Wireshark was used to track SIP statistics, diagram SIP and RTP packet flows during a live VoIP call, and decode the RTP stream into an audio file (.wav) for playback through any media player.
Figure 9. Wireshark VoIP Analysis and Playback Tools
Many open-source packet capture tools have also been developed exclusively for VoIP. For example, Oreka is a utility for recording VoIP and local system audio streams and call detail records. WIST can capture and display all signaling messages associated with a specified SIP user in real-time. Pcapsipdump is a "tcpdump" style tool for saving SIP and RTP traffic to disk, one file per SIP session. VoIPong (see Figure 10) detects and dumps G.711-encoded conversations to wave files, independent of signaling protocol.
Clearly, packet analyzers can help you understand eavesdropping vulnerabilities. In the above example, VoIPong would not have been able to decipher the RTP stream if secure protocols had been used to encrypt it prior to transmission. Packet analyzers can also help you understand which devices are communicating, when, and how often.
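One way to check your own captures for this exposure, as an added example that is not from the original article or from any of the tools named above: the Python below reads the SDP body of a captured SIP message and flags audio streams offered over plain RTP/AVP with G.711 payload types, the case in which a tool like VoIPong can recover audio. The function name audit_sip_message and both sample messages are constructed for illustration.

```python
G711 = {"0": "PCMU", "8": "PCMA"}  # static RTP payload types for G.711 (RFC 3551)
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_sip_message(message):
    """Return one finding per active audio stream in the message's SDP body."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    call_id = next((h.split(":", 1)[1].strip() for h in head.split("\n")
                    if h.lower().startswith(("call-id:", "i:"))), "unknown")
    findings, current = [], None
    for line in body.split("\n"):
        if line.startswith("m="):
            current = None  # a new media section begins
            fields = line[2:].split()
            if (len(fields) < 4 or fields[0] != "audio"
                    or fields[1].split("/")[0] == "0"):
                continue  # not audio, malformed, or stream disabled (port 0)
            profile = fields[2].upper()
            current = {"call_id": call_id, "profile": profile,
                       "g711": [G711[pt] for pt in fields[3:] if pt in G711],
                       "sdes_key": False,
                       "cleartext": profile not in SRTP_PROFILES}
            findings.append(current)
        elif line.startswith("a=crypto:") and current is not None:
            current["sdes_key"] = True  # SDES key offered for this stream
    return findings

# Constructed sample messages (hypothetical hosts, not from a real capture).
SAMPLE_CLEAR = (
    "INVITE sip:bob@example.test SIP/2.0\r\nCall-ID: clear-1@example.test\r\n"
    "Content-Type: application/sdp\r\n\r\nv=0\r\nc=IN IP4 192.0.2.10\r\n"
    "m=audio 49170 RTP/AVP 0 8 101\r\na=rtpmap:101 telephone-event/8000\r\n")
SAMPLE_SRTP = (
    "INVITE sip:bob@example.test SIP/2.0\r\nCall-ID: srtp-1@example.test\r\n"
    "Content-Type: application/sdp\r\n\r\nv=0\r\nc=IN IP4 192.0.2.20\r\n"
    "m=audio 49172 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY\r\n")

if __name__ == "__main__":
    for msg in (SAMPLE_CLEAR, SAMPLE_SRTP):
        for f in audit_sip_message(msg):
            status = "CLEARTEXT" if f["cleartext"] else "SRTP"
            print(f["call_id"], f["profile"], status, f["g711"])
```

The check looks only at what the SDP offers; G.711 mapped to a dynamic payload type through a=rtpmap is not covered by this sketch.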
Furthermore, tools like ettercap and sip_rogue not only record packets but can actively redirect or modify that traffic. In data LANs, ARP poisoning is a common method of traffic redirection. In VoIP networks, traffic can also be redirected at higher layers by hijacking a SIP user agent's registration.
For example, sip_rogue can operate as a rogue user agent, using reghijacker to receive the call from the legitimate SIP proxy. Or sip_rogue can operate as a rogue SIP proxy, inserting audio into a hijacked media stream relayed between a caller and intended callee. While both of these examples involve packet capture, the purpose of doing so is not traffic analysis.