How to decrypt Wireshark ESP packets and extract SIP messages
When IPsec is used, SIP messages are encrypted and become unreadable as soon as the UE switches to the IPsec ports: only ESP-encrypted traces are displayed.
This looks like this:
Dump IPsec parameters from Amarisoft IMS log
Before configuring Wireshark, first raise the log verbosity on the IMS side so that the IMS keys in use are dumped:
In ims.cfg > log_options: > add "ims.key=1"
The following information will then be written to the IMS log:
- IPSec-auth: 592382118a7687c1c83ed3b37839dfa6
- IPSec-cipher: 65e94f5efcb90d527d7534ae62d5f67c65e94f5efcb90d52
You will also find the remaining required information (SPI, encryption and authentication algorithm) in the Security-Server header of the REGISTER or 401 Unauthorized exchange:
Security-Server: ipsec-3gpp;prot=esp;mod=trans;spi-c=1860862608;spi-s=1860862609;port-c=58928;port-s=60200;alg=hmac-md5-96;ealg=des-ede3-cbc
Once you have this information, you can configure Wireshark.
Wireshark setting
- In Wireshark > Edit > Preferences, expand the "Protocols" menu
- Click on ESP
- Tick all the check boxes and click on Edit (ESP SAs)
- Add a new entry for each SPI, using the keys captured in the IMS log and the algorithms from the Security-Server header
Click on OK.
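As an added example (not part of the original page or of Amarisoft's tooling), the script below turns the two IMS key lines and the Security-Server header above into the per-SPI rows to enter in the ESP SAs dialog: it converts the decimal SPIs to hex and rejects a key whose length does not match the negotiated alg/ealg, the usual reason decryption silently fails. The Wireshark algorithm labels in the two lookup tables are assumptions to be matched against the drop-down in your Wireshark version; the same function can be run on the Security-Client header from the REGISTER for the UE-side SPIs.

```python
import re

# Constructed sample input, copied from the IMS log lines and 401 header shown above.
IMS_LOG = """\
- IPSec-auth: 592382118a7687c1c83ed3b37839dfa6
- IPSec-cipher: 65e94f5efcb90d527d7534ae62d5f67c65e94f5efcb90d52
"""
SECURITY_SERVER = ("Security-Server: ipsec-3gpp;prot=esp;mod=trans;spi-c=1860862608;"
                   "spi-s=1860862609;port-c=58928;port-s=60200;alg=hmac-md5-96;ealg=des-ede3-cbc")

# 3GPP alg/ealg name -> (assumed Wireshark ESP preference label, key length in bytes).
AUTH_ALGS = {"hmac-md5-96": ("HMAC-MD5-96 [RFC2403]", 16),
             "hmac-sha-1-96": ("HMAC-SHA-1-96 [RFC2404]", 20)}
CIPHER_ALGS = {"des-ede3-cbc": ("TripleDES-CBC [RFC2451]", 24),
               "aes-cbc": ("AES-CBC [RFC3602]", 16),
               "null": ("NULL", 0)}

def parse_keys(log):
    """Pull the hex auth/cipher keys out of the lines produced by ims.key=1."""
    keys = dict(re.findall(r"IPSec-(auth|cipher):\s*([0-9a-fA-F]+)", log))
    return keys["auth"], keys["cipher"]

def parse_security_header(line):
    """Turn a Security-Client/Security-Server header into a dict of its parameters."""
    params = {}
    for part in line.split(":", 1)[1].split(";")[1:]:  # skip the 'ipsec-3gpp' token
        key, _, value = part.strip().partition("=")
        params[key] = value
    return params

def esp_sa_rows(header_line, auth_key, cipher_key):
    """One ESP SA row per SPI, in the column order of Wireshark's ESP SAs dialog."""
    p = parse_security_header(header_line)
    auth_label, auth_len = AUTH_ALGS[p["alg"]]
    enc_label, enc_len = CIPHER_ALGS[p["ealg"]]
    # A key of the wrong length is the usual reason decryption silently fails.
    if len(auth_key) != 2 * auth_len or (enc_len and len(cipher_key) != 2 * enc_len):
        raise ValueError("key length does not match the negotiated alg/ealg")
    enc_key = "0x" + cipher_key if enc_len else ""
    rows = []
    for spi_param in ("spi-c", "spi-s"):
        spi = f"0x{int(p[spi_param]):08x}"  # the dialog takes the SPI in hex
        rows.append(("IPv4", "*", "*", spi, enc_label, enc_key, auth_label, "0x" + auth_key))
    return rows

if __name__ == "__main__":
    auth, cipher = parse_keys(IMS_LOG)
    for row in esp_sa_rows(SECURITY_SERVER, auth, cipher):
        print(",".join(row))
```

Each printed row maps left to right onto the dialog columns Protocol, Src IP, Dest IP, SPI, Encryption, Encryption Key, Authentication, Authentication Key.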
As a result, you should now see the SIP messages decrypted, like this: