Skip to content

hiskang/volte_ipsec

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
images
images
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
parse_tshark_v1.py
parse_tshark_v1.py
 
 

Repository files navigation

VoLTE IPSEC decoder

Useful tool if you need to look into Gm trace from VoLTE device. The output result is esp_sa file for wireshark, which contains ESP security associations of established ipsec connections over Gm. It's not magic, ipsec keys are derived from Mw trace (CK,IK of HSS response). That's why input pcap file must contains Gm AND Mw frames altogether.

Usage

run:
./parse_tshark_v1.py filename.pcap

output is in esp_sa file:

"IPv4","*","*","0x0006f5a6","AES-CBC [RFC3602]","0xa536b648493c623fd4ca23550a854b52","HMAC-MD5-96 [RFC2403]","0x9a0ede874f036435d9d27337cf282c4f"
"IPv4","*","*","0x0006f5a7","AES-CBC [RFC3602]","0xa536b648493c623fd4ca23550a854b52","HMAC-MD5-96 [RFC2403]","0x9a0ede874f036435d9d27337cf282c4f"
"IPv4","*","*","0x8a69ce54","AES-CBC [RFC3602]","0xa536b648493c623fd4ca23550a854b52","HMAC-MD5-96 [RFC2403]","0x9a0ede874f036435d9d27337cf282c4f"
"IPv4","*","*","0x8a8d3d96","AES-CBC [RFC3602]","0xa536b648493c623fd4ca23550a854b52","HMAC-MD5-96 [RFC2403]","0x9a0ede874f036435d9d27337cf282c4f"

Then put esp_sa file into wireshark config dir and open pcap that was threated by tool. I'll get esp protocol payload decoded as on picture below: wireshark screen

About

IPSEC decoder for VoLTE Gm and Mw trace

Resources

Readme

License

GPL-3.0 license
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%