Skip to main content
ip150-connection-decrypt parses and decrypts a YAML capture of IP150 TCP traffic produced by Wireshark. It decrypts the IP150 protocol layer, decodes the encapsulated Paradox serial messages, and prints a human-readable trace of the full conversation between the IP150 module and the alarm panel.

Usage

ip150-connection-decrypt FILE PASSWORD [-n PACKETS]

Arguments

file
file
required
YAML file containing the captured TCP stream. To create this file from Wireshark:
  1. Right-click the first IP150 packet in the capture.
  2. Select Follow → TCP Stream.
  3. In the “Show and save data as” dropdown, choose YAML.
  4. Copy the contents into a file.
password
string
required
IP module password used to decrypt the session. This is the same password configured in IP_CONNECTION_PASSWORD. The Paradox factory default is paradox.

Options

-n, --packets
int
Maximum number of packets to decrypt and print. Useful for inspecting just the connection handshake without processing an entire long capture.

Examples

ip150-connection-decrypt capture.yaml paradox

Capturing traffic with Wireshark

1

Start a capture

Open Wireshark and start capturing on the network interface that carries traffic between your computer and the IP150 module.
2

Filter to the IP150 stream

Apply a display filter such as tcp.port == 10000 (replace with your IP_CONNECTION_PORT) to isolate the IP150 traffic.
3

Follow the TCP stream

Right-click any packet in the stream and choose Follow → TCP Stream.
4

Export as YAML

In the TCP Stream dialog, set “Show and save data as” to YAML and copy the contents to a .yaml file.
5

Decrypt

Run ip150-connection-decrypt with the exported file and your IP module password.

Output format

The tool prints colour-coded output to the terminal:
ColourMeaning
BluePC → IP150 request packet
GreenIP150 → PC response packet
White/highlightedDecoded payload (parsed Paradox message or IP header)
RedParse errors or packets with no registered parser
For each packet the tool prints:
  • Raw header bytes (hex)
  • Encrypted payload bytes (hex)
  • Decrypted payload bytes (hex)
  • Decoded payload structure (if a parser is available)
  • Session password when the connection handshake completes

When to use this tool

If PAI fails to connect or authenticate with the IP150 module, capture the TCP stream and decrypt it to see exactly where the handshake fails and what error code the module returns.
Decrypt a capture taken during a specific event (alarm, arm/disarm) to see the raw serial messages exchanged and verify PAI is parsing them correctly.
When a new Paradox firmware version introduces unknown message types, decrypted captures provide the raw bytes needed to write new construct parsers.
The tool checks that the initial handshake payload matches the supplied password and prints Wrong decryption password if it does not, confirming a misconfiguration.
This tool requires the pyyaml package. Install it with pip install pyyaml or use the YAML extra: pip install paradox-alarm-interface[YAML].

Build docs developers (and LLMs) love

Get started for freeTalk to us