Wireshark-users: Re: [Wireshark-users] Problems in decoding a VoIP capture file. (capricorn 80)
From: Anders Broman <anders.broman@xxxxxxxxxxxx>
Date: Mon, 21 Jun 2010 09:37:41 +0200
Hi,
Your VoIP system may use proprietary signaling, if you have the specs for the system it may be mentioned there.
Regards
Anders


From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of vishal borkar
Sent: den 21 juni 2010 06:27
To: wireshark-users@xxxxxxxxxxxxx
Subject: Re: [Wireshark-users] Problems in decoding a VoIP capture file. (capricorn 80)

Hey,
Thanks for the suggestion .I tried doing that but did not work for me.
It says it would work only if it has the corresponding RTSP streams.
But my trace file has none.
Is there any other way in which i could determine what my problem is ?
Can any one tell if there any type of encryption involved ?

Regards,
Vishal

On Mon, Jun 21, 2010 at 12:30 AM, <wireshark-users-request@xxxxxxxxxxxxx> wrote:
Send Wireshark-users mailing list submissions to
       wireshark-users@xxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
       https://wireshark.org/mailman/listinfo/wireshark-users
or, via email, send a message with subject or body 'help' to
       wireshark-users-request@xxxxxxxxxxxxx

You can reach the person managing the list at
       wireshark-users-owner@xxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Wireshark-users digest..."


Today's Topics:

  1. Re: newbie MAC->IP question (Guy Harris)
  2. Re: tcpdump (Guy Harris)
  3. Re: Problems in decoding a VoIP capture file. (capricorn 80)
  4. Re: tcpdump (Andrew Hood)
  5. Re: tcpdump (Guy Harris)
  6. Re: tcpdump (Guy Harris)


----------------------------------------------------------------------

Message: 1
Date: Sat, 19 Jun 2010 12:47:20 -0700
From: Guy Harris <guy@xxxxxxxxxxxx>
Subject: Re: [Wireshark-users] newbie MAC->IP question
To: Community support list for Wireshark
       <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <232E8067-0413-4219-A3E3-DE6D77DF3CD3@xxxxxxxxxxxx>
Content-Type: text/plain; charset=iso-8859-1


On Jun 18, 2010, at 7:22 AM, J?nos L?bb wrote:

> Looking the Ethernet traffic I see the routers and switches with their ethernet/MAC address.  However they do not show up in the IP traffic.  When I look the Ethernet frame, I again see the MAC address, but I do not see its IP address.

I.e., a packet from or to a router or switch has the source IP address of the machine that ultimately sent it, not the IP address of the router?  (That is, of course, as it should be.)

> Can Wireshark - or any other program on a Mac - translate a MAC address into an IP ?

There isn't necessarily a permanent mapping between a MAC address and an IP address; a machine might, for example, be using DHCP, and, if it renews a DHCP lease, it might get a different IP address from the one it had before.

That's not likely to happen for a router - but the only way to find out a router's IP address, given its MAC address, would be to either

       1) ask the network administrator what IP address is assigned to the router with an interface with a given MAC address;

       2) send out a Reverse ARP packet, asking what the IP address is for the given MAC address, and hope somebody responds;

       3) hope that some file on your machine has that mapping, or that some network service offers that mapping.

> I looked at man arp, but I do not see it there either and arp -a do not show the router.

"arp -a" will show the IP-to-MAC-address mappings your machine has; if your machine isn't routing traffic through that router, or otherwise communicating with that router, it won't need, and thus probably won't have, an ARP entry for that router.  (If your machine isn't plugged into a network into which that router is also plugged, it almost certainly won't have it.)

> P.S.  How can I capture only routers and Switch traffic and ignore all the workstations and vice versa  ?

You'd have to construct a capture filter that looks for the MAC addresses of the machines whose traffic you want to capture, and doesn't mention the MAC addresses of the machines whose traffic you don't want to capture.



------------------------------

Message: 2
Date: Sat, 19 Jun 2010 15:02:26 -0700
From: Guy Harris <guy@xxxxxxxxxxxx>
Subject: Re: [Wireshark-users] tcpdump
To: Community support list for Wireshark
       <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <20F8055D-002D-4D6E-B57A-EBBF44052458@xxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii


On Jun 18, 2010, at 5:53 PM, Kaushal Shriyan wrote:

> root@host0130:~# tcpdump -r tcpdump
> reading from file tcpdump, link-type EN10MB (Ethernet)
> 13:51:20.256698 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052530663 0,nop,wscale 7>
> 13:51:23.254569 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052530963 0,nop,wscale 7>
> 13:51:29.254568 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052531563 0,nop,wscale 7>
> 13:51:41.254565 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052532763 0,nop,wscale 7>
> 13:52:05.254567 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052535163 0,nop,wscale 7>

Those appear to be repeated retransmissions of the same TCP segment.

> 13:52:35.633372 IP AES-Static-IP.airtel.in.www > host0130.example.com.36825: R 933727155:933727155(0) win 0

That appears to be a RST sent by AES-Static-IP.airtel.in - it doesn't seem to think the connection between host0130.example.com, port 36825, and AES-Static-IP.airtel.in, port 80, exists, even though host0130.example.com does think it exists, as it's sending a TCP segment for that connection.

> 13:52:53.254571 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052539963 0,nop,wscale 7>

host0130.example.com doesn't appear to have understood that AES-Static-IP.airtel is saying "that connection doesn't exist", as it persists in trying to send that TCP segment...

> 13:53:23.464374 IP AES-Static-IP.airtel.in.www > host0130.example.com.36825: R 458396600:458396600(0) win 0

...so AES-Static-IP.airtel.in tries again...

> 13:54:05.420054 IP host0130.example.com.35821 > AES-Static-IP.airtel.in.www: S 714058707:714058707(0) win 5840 <mss 1460,sackOK,timestamp 2052547179 0,nop,wscale 7>

...to no avail.

I don't know what link you're capturing on, but if you're not capturing on a link to which host0130 is directly connected or to which AES-Static-IP.airtel.in is directly connected, I suspect that the traffic from host0130 to AES-Static-IP.airtel.in is getting dropped by some host further along the route (so that the TCP segments it's sending aren't being seen by AES-Static-IP.airtel.in and thus not acked) and that the traffic from AES-Static-IP.airtel.in to host0130 is getting lost by some host further along the route (so that the RSTs it's sending aren't being seen by host0130).


------------------------------

Message: 3
Date: Sat, 19 Jun 2010 22:05:32 +0000
From: capricorn 80 <cool_capricorn80@xxxxxxxxxxx>
Subject: Re: [Wireshark-users] Problems in decoding a VoIP capture
       file.
To: <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <SNT122-W1420B56992A23831CE6BADEEC10@xxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"


Hi!



I am not an expert but I can tell me own thinking. The protocol used by VOIP is RTP but it seems that your trace dont contain any RTP.
Enable the option  Try to Decode RTP outside of conversion from Edit -> preferences - > protocol and then RTP.



Regards,






Date: Fri, 18 Jun 2010 10:10:49 +0530
From: weeshalll@xxxxxxxxx
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Problems in decoding a VoIP capture file.

Hi All,
I was trying to dissect a Voice chat client recently . My understanding is that
Voice data  generally travels over UDP.But i am not able to see any valid
Voice data travelling over UDP.On the contrary i see a couple of  TCP streams
which i suspect would be carrying the actual voice data(192.168.0.230 <--> 64.40.6.80)
.Can anyone tell me whether they are carrying voice over RTP or some other format.My aim is to
extract the voice data from it.Can anyone tell me how should i go about doing it .
Atleast can anyone tell me what audio codec has been used here .I am attaching
the capture file for your reference.


Thanks in advance,
Vishal
_________________________________________________________________
Hotmail: Powerful Free email with security by Microsoft.
https://signup.live.com/signup.aspx?id=60969
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.wireshark.org/lists/wireshark-users/attachments/20100619/2745df16/attachment.html

------------------------------

Message: 4
Date: Sun, 20 Jun 2010 11:51:12 +1000
From: Andrew Hood <ajhood@xxxxxxxxx>
Subject: Re: [Wireshark-users] tcpdump
To: Community support list for Wireshark
       <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <4C1D7410.3000906@xxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

Guy Harris wrote:
> On Jun 18, 2010, at 5:53 PM, Kaushal Shriyan wrote:
>
>
>>root@host0130:~# tcpdump -r tcpdump
>>reading from file tcpdump, link-type EN10MB (Ethernet)
>>13:51:20.256698 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052530663 0,nop,wscale 7>
>>13:51:23.254569 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052530963 0,nop,wscale 7>
>>13:51:29.254568 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052531563 0,nop,wscale 7>
>>13:51:41.254565 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052532763 0,nop,wscale 7>
>>13:52:05.254567 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052535163 0,nop,wscale 7>
>
>
> Those appear to be repeated retransmissions of the same TCP segment.
>
>
>>13:52:35.633372 IP AES-Static-IP.airtel.in.www > host0130.example.com.36825: R 933727155:933727155(0) win 0

This is pretty much the behaviour we see when ICMP Frag Required packets
are being blocked. Multiple retransmits of packets followed by an RST.

I've given up trying to get the ICMP packets permitted through our
firewalls - paranoia rules. I slowly reduce the MTU at the server until
the traffic gets delivered. The first MTU to try below 1500 is 1492 -
allowing for a SNAP/LLC header to be added at an ADSL router.

--
There's no point in being grown up if you can't be childish sometimes.
               -- Dr. Who


------------------------------

Message: 5
Date: Sat, 19 Jun 2010 19:08:53 -0700
From: Guy Harris <guy@xxxxxxxxxxxx>
Subject: Re: [Wireshark-users] tcpdump
To: Community support list for Wireshark
       <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <82E41BEC-D24D-4A63-91A7-D82CFED7600A@xxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii


On Jun 19, 2010, at 6:51 PM, Andrew Hood wrote:

> This is pretty much the behaviour we see when ICMP Frag Required packets
> are being blocked. Multiple retransmits of packets followed by an RST.

I.e., path MTU discovery:

       http://en.wikipedia.org/wiki/Path_MTU_discovery

isn't working, because the feedback it depends on (the Fragmentation Required messages) aren't getting through to the sender.


------------------------------

Message: 6
Date: Sat, 19 Jun 2010 19:12:57 -0700
From: Guy Harris <guy@xxxxxxxxxxxx>
Subject: Re: [Wireshark-users] tcpdump
To: Community support list for Wireshark
       <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <FD20ABF1-4E58-44FE-8A38-D0FC399DE912@xxxxxxxxxxxx>
Content-Type: text/plain; charset=us-ascii


On Jun 19, 2010, at 7:08 PM, Guy Harris wrote:

> isn't working, because the feedback it depends on (the Fragmentation Required messages) aren't getting through to the sender.

"...*isn't* getting through to the router".  (It needs to agree with "feedback", not with "messages" in the parenthetical note.)

------------------------------

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users


End of Wireshark-users Digest, Vol 49, Issue 20
***********************************************