Wireshark-users: Re: [Wireshark-users] Help of Dissecting or Parsing Packets
From: "Anders Broman" <a.broman@xxxxxxxxx>
Date: Mon, 12 Mar 2007 07:33:35 +0100
Hi,

Take a look at http://wiki.wireshark.org/SampleCaptures and the sample file "rtp_example.raw.gz (libpcap) A VoIP sample capture of a H323 call (including H225, H245, RTP and RTCP)." The standard call port is 1720, so SETUP etc. will be seen on port 1720.

How was the "voip dump" your vendor showed you made?

The sample trace is a VoIP call using standard H.323. If your traces are not showing up like this, there's a fair chance that your VoIP equipment isn't using standard H.323. In that case you're out of luck when it comes to Wireshark, unless you've got access to the protocol specification of the protocol used and can write your own dissector or adapt the current ones to whatever changes have been made to the standard protocol specs.

Best regards
Anders

________________________________________
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On behalf of ARAMBULO, Norman R.
Sent: 12 March 2007 05:07
To: Wireshark-Users (E-mail); Wireshark-Dev (E-mail); Wireshark-users-request (E-mail); Tcpdump-Workers-Owner (E-mail); Tcpdump-Workers (E-mail)
Subject: [Wireshark-users] Help of Dissecting or Parsing Packets
Priority: High

Thanks Anders, actually I'm new to VoIP, so do you mean that, based on the port, there are specific actions/uses for the said ports? When TCP is used, will I always see a TPKT? How about port 1720?

Well, one of the vendors showed us a VoIP dump and we noticed that all transactions have port 1720 and also the dialled number. Is it possible that, if we try to filter based on port 1720, we may be able to get the dialled number?

I'll try to attach another file in binary.

Can Wireshark dissect proprietary protocols, and what vendors are they?

Thanks for your usual support.....

Wireshark-users: Re: [Wireshark-users] Help of Dissecting or Parsing Packets
From: "Anders Broman" <a.broman@xxxxxxxxx>
Date: Sun, 11 Mar 2007 21:47:33 +0100

Hi,

It would be more useful to attach the binary file. Looking briefly at the trace, it looks like it's not a standard H.323 implementation, as port 1718 is used with TCP. ITU rec H.225 says:

"IV.1.1.1 Discovery using multicast address or well-known port

Following the gatekeeper discovery and registration procedures described in clause 7/H.323, endpoints should use the following multicast address or well known port when attempting to discover the gatekeeper as appropriate for their network configuration:

232 ITU-T H.225.0 (11/2000)

– UDP Address for multicast communication with gatekeepers: 224.0.1.41
– UDP port for multicast communication with gatekeepers: 1718
– UDP port for unicast RAS communication where no "other agreement" exists: 1719

Note that "other agreement" may include registration of an endpoint with a gatekeeper. Note that implementations should pay attention to the scope of the multicast so as to not flood the Internet with discovery messages.

Assuming a gatekeeper has an IP address for example of 134.134.12.1, the following signalling may occur:

– LRQ or GRQ arrives at 134.134.12.1: port 1719;
– LRQ or GRQ arrives at 134.134.12.1: port 1718 (note that this may occur with v1 GKs);
– LRQ or GRQ arrives at 224.0.1.41: port 1718.

The gatekeeper may transmit an LRQ to the following addresses:

– 224.0.1.41: port 1718 (multicast to all GKs);
– X.X.X.X: port 1719 (to a specific GK).

Port 1719 should only be used when a request is sent unicast. This allows the receiver to know whether it should send a reject (xRJ) to the sender (it should in all cases).

Port 1718 should only be used when a request is sent multicast. The receiver should respond with the appropriate response, depending on the message. For LRQ no reject required, the receiver does not reply for multicast requests. For GRQ, a directed GRJ should be sent to the source of the GRQ."

In addition, H.225 over TCP should use TPKT, which seems not to be the case here. What vendor is supplying the VoIP equipment? Cisco? If so, you could ask them what protocol is being used.

Best regards
Anders

"Reality is merely an illusion, albeit a very persistent one." -- Albert Einstein
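
Added example (not part of the original messages and not Wireshark code): a Python check for the two points the thread turns on, whether a reassembled TCP stream on the call-signalling port is TPKT-framed and, if so, whether a Q.931 SETUP inside it carries the dialled number. It assumes the number is in the Q.931 Called Party Number element (an endpoint may instead carry it only in the H.225 user-user data); the function names and sample bytes are constructed for illustration.

```python
import struct

Q931_DISCRIMINATOR, Q931_SETUP = 0x08, 0x05
IE_CALLED_PARTY, IE_USER_USER = 0x70, 0x7E

def split_tpkt(stream: bytes) -> list:
    """Split a reassembled TCP stream into TPKT payloads (RFC 1006 framing)."""
    payloads, off = [], 0
    while off < len(stream):
        if len(stream) - off < 4:
            raise ValueError("truncated TPKT header")
        version, reserved, length = struct.unpack_from("!BBH", stream, off)
        if version != 3 or reserved != 0 or length < 4:
            raise ValueError(f"no TPKT header at offset {off}")
        if off + length > len(stream):
            raise ValueError("TPKT length runs past the captured data")
        payloads.append(stream[off + 4:off + length])
        off += length
    return payloads

def called_number(q931: bytes):
    """Return Called Party Number digits from a Q.931 SETUP, or None."""
    if len(q931) < 2 or q931[0] != Q931_DISCRIMINATOR:
        return None
    pos = 2 + (q931[1] & 0x0F)                  # skip the call reference value
    if pos >= len(q931) or q931[pos] != Q931_SETUP:
        return None
    pos += 1
    while pos < len(q931):
        ie = q931[pos]
        if ie & 0x80:                           # single-octet element, no length
            pos += 1
            continue
        width = 2 if ie == IE_USER_USER else 1  # H.225.0 User-user: 2-octet length
        if pos + 1 + width > len(q931):
            return None
        size = int.from_bytes(q931[pos + 1:pos + 1 + width], "big")
        body = q931[pos + 1 + width:pos + 1 + width + size]
        if len(body) < size:
            return None
        if ie == IE_CALLED_PARTY and size >= 1:
            return body[1:].decode("ascii", "replace")  # octet 3 is type/plan
        pos += 1 + width + size
    return None

# Constructed sample: SETUP with Bearer Capability and Called Party Number "5551234".
_Q931 = bytes.fromhex("0802000105" "04038893a5" "700881") + b"5551234"
SAMPLE_STREAM = struct.pack("!BBH", 3, 0, 4 + len(_Q931)) + _Q931
```

A stream that makes split_tpkt raise ValueError at offset 0 is the situation described above: TCP traffic on an H.323 port that is not TPKT-framed and so will not decode as standard H.225.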