If you have a pcap file with encrypted RTP (SDES SRTP) and have access to the SIP signalling to see the keys, these instructions will help you decrypt the RTP payload and save it as raw audio. Optionally, depending on the codec, you can then import the raw audio in Wireshark and save it as an audio file.
Steps
These are the steps:
Build ‘srtp-decrypt’
Get crypto key for each direction
Use the decrypt.sh bash script to decrypt into raw audio
Import the raw audio into Wireshark as hex dump
Generate the wav file
Generate the wav file as two separate channels, one per direction
Build ‘srtp-decrypt’
Follow instructions here:
https://github.com/gteissier/srtp-decrypt
The rest of these instructions assume the binary is produced in a path like ‘/root/code/srtp-decrypt/srtp-decrypt’
Get crypto key for each direction
Open the SIP signalling for the call and take note of the ‘crypto’ line from the SDP for each direction.
e.g.:
v=0
...
m=audio 16398 RTP/SAVP 96 8 97
c=IN IP4 xxxxx
...
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:K7oAZZ5Fm9fePS5/t1ac00000000000000000000
...
The crypto key for the RTP stream produced by this party is K7oAZZ5Fm9fePS5/t1ac00000000000000000000
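An added example (not from the original page or the srtp-decrypt project): a bash helper that pulls the inline key out of an SDP body for the suite shown above, strips CRLF endings and the optional lifetime/MKI parameters that can follow the key, and checks that the result is the 40 base64 characters this suite uses. The function name sdes_key, SAMPLE_KEY and the sample SDP are constructed for illustration.

```bash
#!/bin/bash
# Added example: extract the SDES key for srtp-decrypt's -k from an SDP body.

# sdes_key: read SDP on stdin, print the base64 key||salt of the first
# a=crypto line using AES_CM_128_HMAC_SHA1_80. Returns 1 when there is no
# such line or the value is not a well-formed key for that suite.
sdes_key() {
    local key
    # SIP message bodies use CRLF line endings, so strip CR first.
    key=$(tr -d '\r' |
        awk '$1 ~ /^a=crypto:[0-9]+$/ && $2 == "AES_CM_128_HMAC_SHA1_80" {
            for (i = 3; i <= NF; i++)
                if (sub(/^inline:/, "", $i)) {
                    sub(/[|;].*/, "", $i)  # drop lifetime, MKI, extra keys
                    print $i
                    exit
                }
        }')
    # Only base64 alphabet characters are allowed in the key.
    case "$key" in
        *[!A-Za-z0-9+/]*) return 1 ;;
    esac
    # 16-byte master key + 14-byte master salt = 30 bytes = 40 base64 chars.
    [ "${#key}" -eq 40 ] || return 1
    printf '%s\n' "$key"
}

# Constructed sample key (base64 of 30 printable bytes, not a real key).
SAMPLE_KEY='QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNk'

# Constructed sample SDP with CRLF endings and a lifetime/MKI suffix.
SAMPLE_SDP=$(printf '%s\r\n' \
    'v=0' \
    'm=audio 16398 RTP/SAVP 96 8 97' \
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:${SAMPLE_KEY}|2^31|1:1")

# Prints the bare key, ready to be used as CRYPTO_KEY.
printf '%s\n' "$SAMPLE_SDP" | sdes_key
```

Run it once on the SDP sent by each party; the key from a party's SDP is the one for the RTP stream that party produces.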
Use a bash script to decrypt into raw audio
Use this simple bash script to perform the actual decryption:
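#!/bin/bash
# Print each command as it runs (this also echoes the key to the terminal)
set -x
# Path to the srtp-decrypt binary built earlier
SRTP_DECRYPT_BIN=/root/code/srtp-decrypt/srtp-decrypt
# Size of the headers in front of the RTP data; depends on the capture (see below)
HEADER_SIZE=48
# Crypto key from the SDP of the party that produced this stream
CRYPTO_KEY=5eKSVpIOePOgjjfep21R3b000000000000000000
# Input pcap with the encrypted stream, and output file for the decrypted audio
RTP_PCAP=outbound.pcap
RAW_DATA=outbound.raw
"${SRTP_DECRYPT_BIN}" -d "${HEADER_SIZE}" -k "${CRYPTO_KEY}" < "${RTP_PCAP}" > "${RAW_DATA}"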
Where:
CRYPTO_KEY needs the value of the crypto key seen earlier.
RTP_PCAP has the pcap with the RTP stream that you want to decrypt.
RAW_DATA is the output file for the decrypted raw audio.
HEADER_SIZE may vary, depending on the presence of the SLL header in the capture.
Import the raw audio into Wireshark as hex dump
In Wireshark:
File → Import from Hex Dump
Select the file with the raw audio
Offsets: Hexadecimal
Timestamp format: %M:%S.%f
Encapsulation type: Ethernet
UDP: source port 10000, destination port 20000
Import
Generate the wav file
Once the import has completed, go to:
Telephony → RTP → RTP Streams
Play
Select stream
Export as Synchronised audio file
Generate the wav file as two separate channels, one per direction
If for example you have two RTP streams, one per direction for the same call, you can generate the wav file with two separate channels, one per direction.
Once you have the raw audio for both directions, you can use Audacity (https://www.audacityteam.org/) to import the audio.
Open the first file.
File → Import Audio for the second file.
Select the first audio, right click, “Set as Stereo file”
Save