This wiki has been migrated to https://gitlab.com/wireshark/wireshark/-/wikis/home and is now deprecated. Please use that site instead.
Differences between revisions 2 and 5 (spanning 3 versions)
Revision 2 as of 2009-06-16 13:37:16
Size: 2692
Editor: JaapKeuter
Comment: Add note on windows capture. Update versions supported.
Revision 5 as of 2010-09-28 14:34:04
Size: 2608
Editor: JaapKeuter
Comment: Adding ZRTP sample capture
Line 8: Line 8:
ZRTP is being developed by Philip Zimmermann (Mr. PGP), Alan Johnston and Jon Callas as alternative to the various encryption signaling protocols with specifically the [[http://en.wikipedia.org/wiki/End-to-end_argument|End-to-End argument]] in mind. ZRTP is being developed by Philip Zimmermann ([[http://en.wikipedia.org/wiki/Philip_Zimmermann|Mr. PGP]]), Alan Johnston and Jon Callas as alternative to the various encryption signaling protocols with specifically the [[http://en.wikipedia.org/wiki/End-to-end_argument|End-to-End argument]] in mind.
Line 16: Line 16:
XXX - Add example decoded traffic for this protocol here (as plain text or Wireshark screenshot). {{http://zfoneproject.com/images/wireshark-zrtp-hello.jpg}}
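Review bot: the placeholder being removed asked for decoded traffic "as plain text or Wireshark screenshot", and the replacement is only an image hosted off-wiki on zfoneproject.com; attach the screenshot to the wiki page itself, or add a short plain-text decode of the Hello packet next to it, so the example does not disappear if that site goes away.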
Line 25: Line 25:
If you want to use Wireshark to capture Zfone encrypted VoIP traffic on the same machine that Zfone is running on, you cannot do it on Windows. This is because on Windows, the Zfone device driver is closer to the network adapter than the Wireshark device driver. This means Wireshark captures only unencrypted IP traffic. Zfone has already decrypted incoming packets before Wireshark can see them, and Zfone only encrypts outgoing packets after they have passed through Wireshark. This problem only exists on Windows. If you want to use Wireshark to capture Zfone encrypted VoIP traffic on the same machine that Zfone is running on, you cannot do it on Windows. This is because on Windows, the Zfone device driver is closer to the network adapter than the WinPcap device driver. This means Wireshark - and other applications using WinPcap - capture only unencrypted IP traffic. Zfone has already decrypted incoming packets before Wireshark can see them, and Zfone only encrypts outgoing packets after they have been forwarded to Wireshark. This problem only exists on Windows.
Line 35: Line 35:
XXX - Add a simple example capture file to the SampleCaptures page and link from here (see below). Keep this file short, it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.

 * [[attachment:SampleCaptures/ZRTP.pcap]]
A sample SIP call with ZRTP protected media:
 * [[attachment:SampleCaptures/Asterisk_ZFONE_XLITE.pcap|Asterisk_ZFONE_XLITE.pcap]]
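Review bot: the first attachment, ZRTP.pcap, is listed without any description while Asterisk_ZFONE_XLITE.pcap gets one; add a one-line note on what ZRTP.pcap contains (which of the supported protocol versions it shows, whether the SIP signaling is included) so readers know which file to open. The removed placeholder's advice still applies to both files: keep them short and gzip them, since Wireshark opens gzipped files automatically.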
Line 52: Line 51:
 * [[http://zfone.org/|Zfone]] The Zfone project.  * [[http://zfoneproject.com/|Zfone]] The Zfone project.

ZRTP

The official description of ZRTP is 'Media Path Key Agreement for Secure RTP'. It's a protocol to exchange and verify end-to-end encryption keys for voice communications.

History

ZRTP is being developed by Philip Zimmermann (Mr. PGP), Alan Johnston and Jon Callas as an alternative to the various encryption signaling protocols, specifically with the End-to-End argument in mind.

Protocol dependencies

  • RTP: ZRTP messages are carried in RTP packets with the version field set to 0.

Example traffic

[Screenshot: Wireshark decoding a ZRTP Hello packet, image from the Zfone project site] http://zfoneproject.com/images/wireshark-zrtp-hello.jpg

Wireshark

The ZRTP dissector is fully functional. It supports the protocol versions 0.80, 0.85, 0.90, 0.95, 1.0 and 1.1.

Capture on Windows

(From the Zfone project website):

If you want to use Wireshark to capture Zfone encrypted VoIP traffic on the same machine that Zfone is running on, you cannot do it on Windows. This is because on Windows, the Zfone device driver is closer to the network adapter than the WinPcap device driver. This means Wireshark - and other applications using WinPcap - capture only unencrypted IP traffic. Zfone has already decrypted incoming packets before Wireshark can see them, and Zfone only encrypts outgoing packets after they have been forwarded to Wireshark. This problem only exists on Windows.

If you need to capture encrypted packets from a Windows machine running Zfone, you must run Wireshark on a separate machine between the two parties.

Preference Settings

The ZRTP dissector itself has no preference settings. For ZRTP to be decoded, the RTP dissector's preference 'Treat RTP version 0 packets as' has to be set to 'Invalid or ZRTP'.
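What that preference asks the RTP dissector to do, as an added example that is not part of this wiki page or of Wireshark's own dissector code: a Python check that takes a UDP payload on an RTP port and decides whether it is ordinary RTP, a well-formed ZRTP packet (fixed 0x1000 first bytes, 'ZRTP' magic cookie, 0x505a message preamble, length in 32-bit words, trailing CRC-32C), or neither. The packet layout follows my reading of RFC 6189; that the CRC field is compared in network byte order is an assumption, and the sample packets are constructed, not captured.

```python
import struct

ZRTP_MAGIC = 0x5A525450   # ASCII "ZRTP", cookie at offset 4 of every ZRTP packet
ZRTP_PREAMBLE = 0x505A    # first 16 bits of every ZRTP message

def crc32c(data: bytes) -> int:
    """CRC-32C (Castagnoli, reflected polynomial 0x82F63B78), as used by ZRTP and SCTP."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

def classify_version0_packet(payload: bytes):
    """Return ('rtp', why), ('zrtp', info) or ('invalid', why) for a UDP payload on an RTP port.

    A version field of 0 is not valid RTP, so look for ZRTP framing instead (the
    'Treat RTP version 0 packets as: Invalid or ZRTP' behaviour)."""
    if len(payload) < 2 or payload[0] >> 6 != 0:
        return "rtp", "version field is not 0, dissect as ordinary RTP"
    if len(payload) < 28:  # 12-byte header + 12-byte minimal message (HelloACK) + 4-byte CRC
        return "invalid", "too short for a ZRTP header, message and CRC"
    if payload[:2] != b"\x10\x00":
        return "invalid", "first two bytes are not the fixed ZRTP pattern 0x1000"
    seq, magic, ssrc = struct.unpack("!HII", payload[2:12])
    if magic != ZRTP_MAGIC:
        return "invalid", "ZRTP magic cookie missing"
    preamble, length_words = struct.unpack("!HH", payload[12:16])
    if preamble != ZRTP_PREAMBLE:
        return "invalid", "message preamble is not 0x505a"
    if 12 + length_words * 4 + 4 != len(payload):
        return "invalid", "message length field does not match packet size"
    if crc32c(payload[:-4]) != struct.unpack("!I", payload[-4:])[0]:
        return "invalid", "CRC-32C mismatch (corrupted or not ZRTP)"
    msg_type = payload[16:24].decode("ascii", "replace").strip()
    return "zrtp", {"seq": seq, "ssrc": ssrc, "type": msg_type}

def build_zrtp_packet(msg_type: bytes, body: bytes, seq: int = 1, ssrc: int = 0x1234ABCD) -> bytes:
    """Frame a ZRTP message for testing (constructed data; the body is not a real Hello)."""
    body += b"\x00" * (-len(body) % 4)            # messages are whole 32-bit words
    msg = struct.pack("!HH", ZRTP_PREAMBLE, (12 + len(body)) // 4) + msg_type.ljust(8) + body
    pkt = b"\x10\x00" + struct.pack("!HII", seq, ZRTP_MAGIC, ssrc) + msg
    return pkt + struct.pack("!I", crc32c(pkt))   # CRC over everything before it, network order

if __name__ == "__main__":
    for pkt in (build_zrtp_packet(b"HelloACK", b""), b"\x80\x00" + bytes(26)):
        print(classify_version0_packet(pkt))
```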

Example capture file

Attachments on the SampleCaptures page:

  • ZRTP.pcap

A sample SIP call with ZRTP protected media:

  • Asterisk_ZFONE_XLITE.pcap

Display Filter

A complete list of ZRTP display filter fields can be found in the display filter reference.

  • Show only the ZRTP-based traffic:

     zrtp

Capture Filter

You cannot filter on ZRTP directly while capturing. However, if you know the UDP port used by the RTP session, you can filter on that port.

Discussion

ZRTP (last edited 2010-09-28 14:34:04 by JaapKeuter)