
Wireshark-dev: [Wireshark-dev] Help of Dissecting or Parsing Packets

From: "ARAMBULO, Norman R." <NRARAMBULO@xxxxxxxxxxx>
Date: Mon, 12 Mar 2007 12:06:41 +0800
Thanks Anders, actually I'm new to VoIP, so do you mean that based on the port, there are specific actions/uses for the said ports? When TCP is used,
will I always see a TPKT? How about port 1720? Well, one of the vendors showed us a VoIP dump and we noticed that all transactions have port 1720 and
also the dialled number. Is it possible that if we try to filter based on port 1720 we may be able to get the dialled number? I'll try to attach another file in binary.
Can Wireshark dissect proprietary protocols, and what vendors are they?
Thanks for your usual support.....
 
Wireshark-users: Re: [Wireshark-users] Help of Dissecting or Parsing Packets

From: "Anders Broman" <a.broman@xxxxxxxxx>
Date: Sun, 11 Mar 2007 21:47:33 +0100
Hi,
It would be more useful to attach the binary file. Looking briefly at the trace,
it looks like it's not a standard H.323 implementation, as port 1718 is used with TCP. ITU rec H.225 says:

"IV.1.1.1 Discovery using multicast address or well-known port
Following the gatekeeper discovery and registration procedures described in clause 7/H.323,
endpoints should use the following multicast address or well known port when attempting to
discover the gatekeeper as appropriate for their network configuration:
232 ITU-T H.225.0 (11/2000)
– UDP Address for multicast communication with gatekeepers: 224.0.1.41
– UDP port for multicast communication with gatekeepers: 1718
– UDP port for unicast RAS communication where no "other agreement" exists: 1719
Note that "other agreement" may include registration of an endpoint with a gatekeeper.
Note that implementations should pay attention to the scope of the multicast so as to not flood the
Internet with discovery messages.
Assuming a gatekeeper has an IP address for example of 134.134.12.1, the following signalling may
occur:
– LRQ or GRQ arrives at 134.134.12.1: port 1719;
– LRQ or GRQ arrives at 134.134.12.1: port 1718 (note that this may occur with v1 GKs);
– LRQ or GRQ arrives at 224.0.1.41: port 1718.
The gatekeeper may transmit an LRQ to the following addresses:
− 224.0.1.41: port 1718 (multicast to all GKs);
− X.X.X.X: port 1719 (to a specific GK).
Port 1719 should only be used when a request is sent unicast. This allows the receiver to know
whether it should send a reject (xRJ) to the sender (it should in all cases).
Port 1718 should only be used when a request is sent multicast. The receiver should respond with the
appropriate response, depending on the message. For LRQ no reject required, the receiver does not
reply for multicast requests. For GRQ, a directed GRJ should be sent to the source of the GRQ."

In addition, H.225 over TCP should use TPKT, which seems not to be the case here. What vendor is supplying
the VoIP equipment? Cisco? If so, you could ask them what protocol is being used.
Best regards
Anders




 "Reality is merely an illusion, albeit a very persistent one."

 -- Albert Einstein
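
The TPKT point raised in the reply above can be checked on a reassembled TCP payload. The following is an added example, not code from the thread or from Wireshark: it walks a byte stream as RFC 1006 TPKT frames (version 3, reserved 0, 16-bit length that includes the 4-byte header) and reports where the framing breaks. The function names and the Q.931-style sample bytes are constructed for illustration.

```python
import struct

TPKT_VERSION = 3      # RFC 1006: version octet is always 3
TPKT_HEADER_LEN = 4   # version, reserved, 16-bit big-endian length


def split_tpkt(stream: bytes):
    """Split a reassembled TCP payload into TPKT frame payloads.

    Returns (frames, error). error is None when the whole stream parsed
    cleanly, otherwise a string describing where framing stopped.
    """
    frames = []
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < TPKT_HEADER_LEN:
            return frames, f"truncated TPKT header at offset {offset}"
        version, reserved, length = struct.unpack_from("!BBH", stream, offset)
        if version != TPKT_VERSION or reserved != 0:
            return frames, (f"not TPKT at offset {offset}: "
                            f"version={version} reserved={reserved}")
        if length < TPKT_HEADER_LEN:
            return frames, f"invalid TPKT length {length} at offset {offset}"
        if offset + length > len(stream):
            # Frame continues in a later TCP segment; caller must reassemble.
            return frames, f"truncated TPKT payload at offset {offset}"
        frames.append(stream[offset + TPKT_HEADER_LEN:offset + length])
        offset += length
    return frames, None


def wrap_tpkt(payload: bytes) -> bytes:
    """Build one TPKT frame around payload (used for the sample data)."""
    return struct.pack("!BBH", TPKT_VERSION, 0,
                       TPKT_HEADER_LEN + len(payload)) + payload


# Constructed sample: a minimal Q.931-style header (protocol discriminator
# 0x08, 2-byte call reference, message type 0x05 = SETUP), not a real capture.
SAMPLE_Q931 = bytes([0x08, 0x02, 0x00, 0x01, 0x05])
FRAMED = wrap_tpkt(SAMPLE_Q931) * 2   # two frames back to back in one stream

if __name__ == "__main__":
    print(split_tpkt(FRAMED))        # standard framing
    print(split_tpkt(SAMPLE_Q931))   # same bytes sent without TPKT
    print(split_tpkt(FRAMED[:12]))   # capture cut mid-stream
```

A stream that fails at offset 0 with a version other than 3 is the situation described in the reply: the payload on the TCP connection is not TPKT-framed, so a standard H.225 dissector will not pick it up.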