WebRTC: Difference between revisions

From VoIPmonitor.org
No edit summary
(Rewrite: consolidation, better structure, comparison table for the methods, warning/note boxes, See Also section)
 
(8 intermediate revisions by 3 users not shown)
Previous revision:

VoIPmonitor sniffer is able to analyse SIP over WebSocket, encrypted or unencrypted. For unencrypted WebSocket just configure the WebSocket port as sipport:

voipmonitor.conf:
<syntaxhighlight lang="ini">
sipport = 5060, 8088
</syntaxhighlight>

This example will analyse SIP TCP/UDP and SIP over WebSocket on port 8088.

For encrypted WebSocket see the following examples for FreeSWITCH and Asterisk:

= FreeSWITCH =

== vars.conf ==
<syntaxhighlight lang="xml">
<param name="tls-version" value="tlsv1.2"/>
<param name="tls-ciphers" value="AES128-SHA"/>
</syntaxhighlight>

== voipmonitor.conf ==
<syntaxhighlight lang="ini">
ssl = yes
ssl_ipport = 192.168.0.1:7443 /etc/voipmonitor/privkey.pem
</syntaxhighlight>

= Asterisk =

== http.conf ==
<syntaxhighlight lang="ini">
;
; Asterisk Builtin mini-HTTP server
;
[general]
enabled=yes
bindaddr=0.0.0.0
bindport=8088
;prefix=asterisk
;sessionlimit=100
;enablestatic=yes
;redirect = / /static/config/index.html
tlsenable=yes          ; enable tls - default no.
tlsbindaddr=0.0.0.0:8089    ; address and port to bind to - default is bindaddr and port 8089.
tlscertfile=/etc/asterisk/keys/asterisk.pem  ; path to the certificate file (*.pem) only.
tlscipher=AES128-SHA
;tlsprivatekey=</path/to/private.pem>    ; path to private key file (*.pem) only.
</syntaxhighlight>

== rtp.conf ==
Add at the end of this file:
<syntaxhighlight lang="ini">
icesupport=yes
stunaddr=stun.l.google.com:19302
</syntaxhighlight>

== pjsip.conf ==
<syntaxhighlight lang="ini">
[general]
allowguest = no

[global]
type = global
user_agent = VoIPsun PBX
realm=192.168.2.107
bindport=5060
transport=udp,ws,wss

[transport-udp]
type = transport
protocol = udp
bind = 192.168.2.107:5060
tos = cs3
cos = 3

[transport-ws]
type=transport
protocol=ws
bind=192.168.2.107

[transport-wss]
type=transport
protocol=wss
bind=192.168.2.107
cipher=0x002f

[101]
type=aor
max_contacts=1
remove_existing=yes

[101]
type=auth
auth_type=userpass
username=101
password=1234

[101]
type=endpoint
disallow=all
allow=opus
allow=alaw
allow=ulaw
context=from101
auth=101
aors=101
media_encryption=dtls
dtls_verify=fingerprint
dtls_cert_file=/etc/asterisk/keys/asterisk.pem
dtls_ca_file=/etc/asterisk/keys/ca.crt
dtls_setup=actpass
use_avpf=yes
ice_support=yes
media_use_received_transport=yes
rtcp_mux=yes

[102]
type=aor
max_contacts=1
remove_existing=yes

[102]
type=auth
auth_type=userpass
username=102
password=1234

[102]
type=endpoint
disallow=all
allow=opus
allow=alaw
allow=ulaw
context=from102
auth=102
aors=102
media_encryption=dtls
dtls_verify=fingerprint
dtls_cert_file=/etc/asterisk/keys/asterisk.pem
dtls_ca_file=/etc/asterisk/keys/ca.crt
dtls_setup=actpass
use_avpf=yes
ice_support=yes
media_use_received_transport=yes
rtcp_mux=yes
</syntaxhighlight>

== extensions.conf ==
<syntaxhighlight lang="ini">
[from101]
exten => _X.,1,NoOp(Call from 101 to ${EXTEN})
same => n,Dial(PJSIP/102/${EXTEN})
exten => i,1,Goto(other,${EXTEN},1)

[from102]
exten => _X.,1,NoOp(Call from 102 to ${EXTEN})
same => n,Dial(PJSIP/101/${EXTEN})
exten => i,1,Goto(other,${EXTEN},1)

[other]
; pattern must start with "_" to match dialled digits
exten => _X.,1,NoOp(Call from ${CALLERID(num)} to ${EXTEN})
same => n,DumpChan()
same => n,Ringing()
same => n,Wait(3)
same => n,Playback(/var/lib/asterisk/sounds/cz/queue-periodic-announce)
same => n,Hangup()
</syntaxhighlight>

== modules.conf ==
<syntaxhighlight lang="ini">
noload => chan_sip.so
</syntaxhighlight>

== keys ==
<syntaxhighlight lang="bash">
mkdir /etc/asterisk/keys
cd /etc/asterisk/keys
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl genrsa -out key.pem 1024
openssl req -new -key key.pem -out req-sip_server.csr
openssl x509 -req -days 365 -in req-sip_server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out cert-sip_server.crt
cat key.pem > asterisk.pem
cat cert-sip_server.crt >> asterisk.pem
</syntaxhighlight>

= Sipml5 =

https://www.doubango.org/sipml5/call.htm?svn=170#

Display name: 102
Private Identity: 102
Public Identity: sip:102@192.168.2.107
Password: 1234
Realm: 192.168.2.107

Click on expert mode:

Disable video: on
Enable RTCWeb breaker
WebSocket Server URL: wss://192.168.2.107:8089/ws
ICE servers: [{ url: 'stun:stun.l.google.com:19302'}]  (this can possibly be left empty)
Disable 3GPP Early IMS: on
Disable debug messages: on
Cache media stream: on
Disable Call button options: on

* After the settings, go back to the first tab and click login.
* Open https://192.168.2.107:8089/ws in the browser and accept the certificate; otherwise the WebRTC client will not log in.

Latest revision as of 16:50, 8 January 2026


This guide covers monitoring encrypted WebRTC traffic with VoIPmonitor, including SIP over Secure WebSocket (WSS) and DTLS-SRTP media encryption.

Overview

WebRTC requires encrypted transport for both signaling and media:

  • WSS (Secure WebSocket): SIP signaling encrypted with TLS
  • DTLS-SRTP: Media (RTP) encrypted via DTLS key negotiation

VoIPmonitor can decrypt both layers using either a private TLS key or the SSL Key Logger method. The traffic path is: the WebRTC client sends SIP over WSS (port 8089) and DTLS-SRTP media to the Asterisk PBX; both streams are mirrored to the VoIPmonitor sensor, which captures them, decrypts them and writes CDRs.

Prerequisites: Configure sipport

⚠️ Warning: VoIPmonitor only monitors port 5060 by default. You must add WebRTC ports to sipport or traffic will be ignored.

Edit /etc/voipmonitor.conf:

# Add WebRTC ports (WS=8088, WSS=8089)
sipport = 5060,8088,8089

# Or use port ranges
sipport = 5060,8080-8090

Restart after changes: systemctl restart voipmonitor

ℹ️ Note: In probe/server architecture, configure sipport on both probe and server.
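As an added check that is not part of this wiki page or of VoIPmonitor itself, the following Python script expands a sipport value, including port ranges, and reports which WebRTC ports the sensor would ignore. It assumes that '#' and ';' start comments and that several sipport lines simply add up; the configuration text is constructed for the example and the function names are its own:

```python
import re

WEBRTC_PORTS = {8088, 8089}     # WS and WSS ports used throughout this page
DEFAULT_SIPPORT = {5060}        # what VoIPmonitor watches when sipport is absent

# Constructed sample of /etc/voipmonitor.conf (not a file from the page)
SAMPLE_CONF = """\
[general]
interface = eth0
sipport = 5060
"""


def parse_sipport(conf_text):
    """Expand every 'sipport = ...' line (single ports and lo-hi ranges) into a set.
    Lines are unioned (assumption of this example); '#' and ';' comments are ignored."""
    ports = set()
    for raw in conf_text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()
        m = re.match(r"sipport\s*=\s*(.*)$", line)
        if not m:
            continue
        for item in m.group(1).split(","):
            item = item.strip()
            if not item:
                continue
            m_range = re.fullmatch(r"(\d+)\s*-\s*(\d+)", item)
            if m_range:
                lo, hi = int(m_range.group(1)), int(m_range.group(2))
                ports.update(range(lo, hi + 1))
            elif item.isdigit():
                ports.add(int(item))
            else:
                raise ValueError(f"unparseable sipport entry: {item!r}")
    return ports or set(DEFAULT_SIPPORT)


def missing_webrtc_ports(conf_text, wanted=WEBRTC_PORTS):
    """Ports from `wanted` that VoIPmonitor would ignore with this configuration."""
    return sorted(wanted - parse_sipport(conf_text))


def check_file(path="/etc/voipmonitor.conf"):
    """Read a real configuration file and print a verdict; returns the missing ports."""
    with open(path) as fh:
        conf = fh.read()
    missing = missing_webrtc_ports(conf)
    if missing:
        print(f"{path}: WebRTC ports not in sipport: {missing} -> add them and restart voipmonitor")
    else:
        print(f"{path}: sipport covers {sorted(WEBRTC_PORTS)}")
    return missing


if __name__ == "__main__":
    print("sample config is missing:", missing_webrtc_ports(SAMPLE_CONF))
```

Run it on the sensor (and, in probe/server mode, on both hosts) after editing the file; an empty list means every WebRTC port is covered.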

Decryption Methods

Choose based on your environment:

Method             | When to Use                                   | Limitations
-------------------|-----------------------------------------------|------------------------------------
A: Private Key     | Development/testing, RSA ciphers              | Fails with TLS 1.3/PFS (DHE/ECDHE)
B: SSL Key Logger  | Production, TLS 1.3, PFS, distributed setups  | Requires library injection on PBX

Method A: Private Key

# /etc/voipmonitor.conf
ssl = yes
ssl_ipport = 192.168.2.107:8089 /etc/asterisk/keys/asterisk.pem

# Or use CIDR for multiple hosts
ssl_ipport = 192.168.2.0/24:8089 /path/to/key.pem
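The PFS limitation in the table can be checked against the PBX's actual tlscipher value before choosing a method. The script below is an added example, not code from the page or from VoIPmonitor: method_for_cipher classifies an OpenSSL suite name by its key-exchange token, and expand_cipher_string asks the local OpenSSL (through Python's ssl module) which suites a cipher string such as the page's AES128-SHA selects and classifies each by the reported key-exchange algorithm (kx-rsa means the server's RSA key can decrypt the session). The function names and the labels "A or B" / "B only" are this example's own.

```python
import ssl

# Key-exchange tokens that lead OpenSSL suite names and imply an ephemeral or
# non-RSA key exchange: the server's private key cannot recover the session keys.
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH", "ADH", "AECDH", "ECDH", "DH", "PSK", "SRP", "KRB5"}


def method_for_cipher(name):
    """'A or B' when a session under `name` can be decrypted with the server's RSA
    private key (Method A); 'B only' when only the session-key log (Method B) works."""
    if name.startswith("TLS_"):          # TLS 1.3 suites (TLS_AES_128_GCM_SHA256, ...)
        return "B only"
    first = name.split("-")[0]
    return "B only" if first in EPHEMERAL_KX else "A or B"


def expand_cipher_string(cipher_string, tls13=True):
    """Return {suite_name: method} for every suite the local OpenSSL selects for
    `cipher_string` (e.g. the PBX's tlscipher value). TLS 1.3 suites are listed by
    OpenSSL regardless of the string and are always 'B only' (kea == 'kx-any').
    An unusable cipher string yields an empty dict."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if not tls13:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return {}
    result = {}
    for c in ctx.get_ciphers():
        # 'kea' is OpenSSL's key-exchange algorithm: kx-rsa, kx-ecdhe, kx-dhe, kx-any ...
        result[c["name"]] = "A or B" if c["kea"] == "kx-rsa" else "B only"
    return result


if __name__ == "__main__":
    for name in ("AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_128_GCM_SHA256"):
        print(f"{name:32} {method_for_cipher(name)}")
    print("suites selected by tlscipher = AES128-SHA on this host:")
    for suite, method in expand_cipher_string("AES128-SHA").items():
        print(f"  {suite:32} {method}")
```

Run it with the tlscipher string from http.conf: if any client can negotiate a suite reported as "B only" (every TLS 1.3 suite, and any (EC)DHE suite), Method A will silently fail for that call and Method B is required.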

Method B: SSL Key Logger

Works with ALL cipher suites including TLS 1.3 and PFS.

1. Compile the library:

git clone https://github.com/voipmonitor/sniffer.git /usr/local/src/voipmonitor-git
cd /usr/local/src/voipmonitor-git/tools/ssl_keylogger/
make

2. Configure PBX to send session keys:

For Asterisk (create /etc/default/asterisk-ssl):

SSLKEYLOG_UDP='127.0.0.1:1234'
LD_PRELOAD='/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so'

For FreeSWITCH, add to systemd service:

ExecStart=env SSLKEYLOG_UDP='127.0.0.1:1234' LD_PRELOAD='/path/to/sslkeylog.so' /usr/bin/freeswitch ...

3. Configure VoIPmonitor:

# /etc/voipmonitor.conf
ssl = yes
ssl_ipport = 192.168.2.0/24:8089    # NO key file path!
ssl_sessionkey_udp = yes
ssl_sessionkey_udp_port = 1234

# Add loopback if sending keys locally
interface = eth0,lo

💡 Tip: For distributed mode (packetbuffer_sender=yes), send keys to the central server IP, not localhost.

For complete SSL Key Logger documentation, see TLS Decryption.
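A quick way to confirm that session keys actually arrive on the port configured as ssl_sessionkey_udp_port is to listen there before the sensor is started. The script below is an added example, not part of this page or of the sslkeylog tool; it assumes the datagrams carry lines in the standard NSS key log format (CLIENT_RANDOM for TLS 1.2 and earlier, the *_TRAFFIC_SECRET labels for TLS 1.3), validates each line and counts them per label. The sample lines are constructed dummies, and parse_keylog_line, summarise_keylog and receive_keylog are this example's own helpers.

```python
import re
import socket

TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET", "EARLY_EXPORTER_SECRET",
}
HEX = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample datagram contents (dummy hex, not real keys)
SAMPLE_LINES = [
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,                 # TLS 1.2 master secret
    "CLIENT_TRAFFIC_SECRET_0 " + "ab" * 32 + " " + "ef" * 32,       # TLS 1.3, SHA-256 suite
    "SERVER_TRAFFIC_SECRET_0 " + "ab" * 32 + " " + "ef" * 32,
    "CLIENT_RANDOM " + "ab" * 32 + " " + "zz" * 48,                 # malformed: not hex
    "garbage",                                                      # malformed: wrong shape
]


def parse_keylog_line(line):
    """Return (label, client_random, secret) for a well-formed NSS key log line, else None."""
    parts = line.strip().split()
    if len(parts) != 3:
        return None
    label, client_random, secret = parts
    if not (HEX.match(client_random) and len(client_random) == 64):   # 32-byte ClientHello random
        return None
    if not (HEX.match(secret) and len(secret) % 2 == 0):
        return None
    if label == TLS12_LABEL:
        if len(secret) != 96:                  # 48-byte master secret
            return None
    elif label in TLS13_LABELS:
        if len(secret) not in (64, 96):        # SHA-256 or SHA-384 transcript-hash length
            return None
    else:
        return None
    return label, client_random.lower(), secret.lower()


def summarise_keylog(lines):
    """Count valid lines per label; returns (counts, rejected_lines)."""
    counts, rejected = {}, []
    for ln in lines:
        parsed = parse_keylog_line(ln)
        if parsed is None:
            rejected.append(ln)
        else:
            counts[parsed[0]] = counts.get(parsed[0], 0) + 1
    return counts, rejected


def receive_keylog(port=1234, host="0.0.0.0", max_datagrams=10, timeout=30.0):
    """Bind the key-log UDP port (stop VoIPmonitor first; only one process can own it)
    and report whether the PBX's sslkeylog.so is sending well-formed lines."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind((host, port))
    seen = []
    try:
        for _ in range(max_datagrams):
            data, peer = sock.recvfrom(65535)
            for ln in data.decode("ascii", "replace").splitlines():
                parsed = parse_keylog_line(ln)
                print(f"{peer[0]}: {'OK ' + parsed[0] if parsed else 'MALFORMED'}")
                seen.append(parsed)
    except socket.timeout:
        print("no session keys received: check SSLKEYLOG_UDP on the PBX, the interface list "
              "(add lo for local delivery) and any firewall between PBX and sensor")
    finally:
        sock.close()
    return seen


if __name__ == "__main__":
    print(summarise_keylog(SAMPLE_LINES))
    receive_keylog()
```

Seeing only CLIENT_RANDOM lines means the clients negotiate TLS 1.2; *_TRAFFIC_SECRET lines show TLS 1.3 sessions, which only Method B can decrypt. Note that the secrets themselves are printed by nothing here, and the sensor should be restarted once the check is done.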

Asterisk Configuration

Step 1: Generate TLS Certificates

mkdir -p /etc/asterisk/keys && cd /etc/asterisk/keys

# Create CA
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

# Create server certificate
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out server.csr
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out cert.crt

# Combine for Asterisk
cat key.pem cert.crt > asterisk.pem

Step 2: Configure HTTP Server

/etc/asterisk/http.conf:

[general]
enabled = yes
bindaddr = 0.0.0.0
bindport = 8088          ; WS (unencrypted)
tlsenable = yes
tlsbindaddr = 0.0.0.0:8089  ; WSS (encrypted)
tlscertfile = /etc/asterisk/keys/asterisk.pem
tlscipher = AES128-SHA

Step 3: Configure RTP

/etc/asterisk/rtp.conf:

[general]
icesupport = yes
; stunaddr = stun.l.google.com:19302

Step 4: Configure PJSIP

Disable old chan_sip in /etc/asterisk/modules.conf:

noload => chan_sip.so

/etc/asterisk/pjsip.conf:

[global]
type = global
realm = 192.168.2.107

; --- Transports ---
[transport-udp]
type = transport
protocol = udp
bind = 0.0.0.0:5060

[transport-wss]
type = transport
protocol = wss
bind = 0.0.0.0:8089

; --- WebRTC Template ---
[webrtc-template](!)
type = endpoint
disallow = all
allow = opus,ulaw,alaw
context = internal-webrtc
media_encryption = dtls
dtls_verify = fingerprint
dtls_cert_file = /etc/asterisk/keys/asterisk.pem
dtls_ca_file = /etc/asterisk/keys/ca.crt
dtls_setup = actpass
use_avpf = yes
ice_support = yes
rtcp_mux = yes

; --- User 101 ---
[101](webrtc-template)
auth = 101-auth
aors = 101-aor

[101-auth]
type = auth
auth_type = userpass
username = 101
password = secret101

[101-aor]
type = aor
max_contacts = 1

Step 5: Dialplan

/etc/asterisk/extensions.conf:

[internal-webrtc]
exten => _1XX,1,Dial(PJSIP/${EXTEN})

WebRTC Client Setup (sipML5)

Using sipML5:

Basic Settings:

  • Display Name: 101
  • Private Identity: 101
  • Public Identity: sip:101@192.168.2.107
  • Password: secret101
  • Realm: 192.168.2.107

Expert Mode:

  • WebSocket Server URL: wss://192.168.2.107:8089/ws
  • Enable RTCWeb Breaker: Checked
  • Disable 3GPP Early IMS: Checked

⚠️ Warning: Before login, open https://192.168.2.107:8089/ws in browser and accept the self-signed certificate.

Third-Party WebRTC Monitoring (--rtp-no-sig)

For monitoring WebRTC where you have no access to signaling (e.g., external providers).

When to Use

  • Third-party WebRTC service without signaling access
  • Only media (RTP) stream is accessible
  • Need QoS metrics without decryption

Configuration

# Start with --rtp-no-sig flag
voipmonitor --rtp-no-sig --interface eth0

# Or add to systemd service ExecStart line

Behavior:

  • CDRs created from RTP packets using SSRC identifiers
  • QoS metrics (MOS, jitter, packet loss) collected without decryption
  • Caller ID and call direction unavailable
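To make the SSRC-based behaviour concrete, the following added example (not code from VoIPmonitor or from this page) parses RTP headers from a constructed capture, groups packets by SSRC and computes the packet loss and RFC 3550 interarrival jitter that a signalling-less record can carry; MOS is not computed here. Packet construction, arrival times in milliseconds, the 8 kHz clock and the payload-type-range heuristic for skipping RTCP are assumptions of the example.

```python
import struct


def build_rtp(seq, ts, ssrc, pt=0, payload=b"\x00" * 160):
    """Build a minimal RTP packet (V=2, no padding/extension/CSRC); sample traffic only."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq & 0xFFFF,
                       ts & 0xFFFFFFFF, ssrc & 0xFFFFFFFF) + payload


def parse_rtp(pkt):
    """Parse the fixed 12-byte RTP header; None if this is not RTP (or looks like RTCP)."""
    if len(pkt) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:                      # RTP version must be 2
        return None
    pt = b1 & 0x7F
    if 64 <= pt <= 95:                    # RTCP packet types 192-223 land here when read as RTP
        return None
    return {"seq": seq, "ts": ts, "ssrc": ssrc, "pt": pt}


class RtpStream:
    """Per-SSRC statistics: the unit a --rtp-no-sig CDR is built from."""

    def __init__(self, ssrc, clock_rate=8000):
        self.ssrc, self.clock_rate = ssrc, clock_rate
        self.received, self.cycles, self.jitter = 0, 0, 0.0
        self.base_seq = self.max_ext_seq = self.last_seq = None
        self._prev_transit = None

    def add(self, seq, ts, arrival_ms):
        if self.last_seq is not None and seq < self.last_seq and self.last_seq - seq > 32768:
            self.cycles += 65536          # 16-bit sequence number wrapped
        self.last_seq = seq
        ext_seq = self.cycles + seq
        if self.base_seq is None:
            self.base_seq = self.max_ext_seq = ext_seq
        else:
            self.max_ext_seq = max(self.max_ext_seq, ext_seq)
        self.received += 1
        # RFC 3550 A.8: D = (R_i - R_j) - (S_i - S_j), J += (|D| - J) / 16, in clock ticks
        transit = arrival_ms * self.clock_rate // 1000 - ts
        if self._prev_transit is not None:
            d = transit - self._prev_transit
            self.jitter += (abs(d) - self.jitter) / 16
        self._prev_transit = transit

    def summary(self):
        expected = self.max_ext_seq - self.base_seq + 1
        lost = expected - self.received
        return {"ssrc": f"0x{self.ssrc:08x}", "expected": expected, "received": self.received,
                "lost": lost, "loss_pct": round(100.0 * lost / expected, 1),
                "jitter_ms": round(self.jitter * 1000 / self.clock_rate, 3)}


def analyse(packets):
    """packets: iterable of (arrival_ms, raw_bytes). Returns {ssrc: RtpStream}."""
    streams = {}
    for arrival_ms, raw in packets:
        hdr = parse_rtp(raw)
        if hdr is None:
            continue
        streams.setdefault(hdr["ssrc"], RtpStream(hdr["ssrc"])).add(hdr["seq"], hdr["ts"], arrival_ms)
    return streams


def sample_capture():
    """Constructed capture: two SSRCs (one per direction). Stream A loses seq 1005 and
    one packet arrives 5 ms late; stream B is clean; one RTCP SR is mixed in."""
    pkts = []
    for i in range(10):
        if i == 5:
            continue
        pkts.append((20 * i + (5 if i == 3 else 0), build_rtp(1000 + i, 160 * i, 0x11223344)))
    for i in range(3):
        pkts.append((20 * i + 7, build_rtp(500 + i, 160 * i, 0x55667788, pt=8)))
    pkts.append((0, b"\x81\xc8\x00\x06" + b"\x00" * 24))   # RTCP SR header, must be skipped
    return pkts


if __name__ == "__main__":
    for stream in analyse(sample_capture()).values():
        print(stream.summary())
```

Each SSRC becomes one leg with loss and jitter but no caller ID or direction, which is exactly the gap the "With Audio Replay" combination below closes by adding decryption.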

With Audio Replay

Combine --rtp-no-sig with SSL Key Logger for full monitoring:

# On WebRTC server
SSLKEYLOG_UDP='10.0.0.10:1234'
LD_PRELOAD='/path/to/sslkeylog.so'

# On VoIPmonitor sensor
ssl = yes
ssl_sessionkey_udp = yes
ssl_sessionkey_udp_port = 1234

See Also

  • Tls - Complete TLS/SRTP decryption guide
  • Sniffer_configuration - Full configuration reference
  • Sniffing_modes - Deployment topologies

AI Summary for RAG

Summary: Guide for monitoring encrypted WebRTC (WSS/DTLS-SRTP) with VoIPmonitor. CRITICAL: Add WebRTC ports to sipport (e.g., sipport = 5060,8088,8089) before configuring decryption. Two methods: Private Key (ssl_ipport = IP:PORT /path/key.pem) fails with TLS 1.3/PFS; SSL Key Logger works with all ciphers via LD_PRELOAD injection and ssl_sessionkey_udp=yes. For distributed mode, send keys to central server IP. Includes Asterisk WSS/PJSIP setup. Use --rtp-no-sig for third-party WebRTC without signaling access.

Keywords: webrtc, wss, secure websocket, dtls, srtp, encrypted, tls, ssl, asterisk, pjsip, freeswitch, decryption, ssl_ipport, sslkeylog, ld_preload, ssl_sessionkey_udp, sipport, rtp-no-sig, pfs, tls 1.3, distributed mode, 8088, 8089

Key Questions:

  • How do I monitor encrypted WebRTC calls with VoIPmonitor?
  • Why is VoIPmonitor not detecting WebRTC traffic?
  • How do I configure sipport for WebRTC ports 8088/8089?
  • What is the difference between Private Key and SSL Key Logger decryption methods?
  • How do I configure Asterisk for secure WebRTC?
  • How does --rtp-no-sig work for third-party WebRTC monitoring?
  • How do I decrypt DTLS-SRTP for audio replay?