Ethereal-dev: [Ethereal-dev] H323 Call analysis

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Anders Broman" <a.broman@xxxxxxxxx>
Date: Thu, 30 Sep 2004 23:01:32 +0200
Hi,
If you want to see a call chain (Node A --- Node B --- Node C) in a
"single call/conversation", I think the only way to do it is by checking
the calling/called party number in the Q931 Setup message, getting the
Call references (CR) from the Q931 messages and stringing it all into the
same conversation (max number of CR:s 16?). Perhaps it would also be a
good idea to store start and stop frame number, stop frame being after
the last ReleaseComplete, as CR:s will be reused. H225 CallId isn't
present in all messages unfortunately (is it?), so that might not
suffice.

Perhaps it could also be solved by having Main and Sub conversations,
e.g. using the current conversations and *joining* them in a main
conversation?
This method could also be used to add messages from different protocols.
An incoming call might start off as SCTP/M3UA/ISUP, continue to node B as
Q931/h225 or h245 and continue to node C as SIP. It might also be
interesting to connect MEGACO/MGCP control messages in such a
conversation if possible. You might have to add CIC as an address type
then as well. Then you have the question of media (RTP/RTCP) and
accounting (RADIUS/DIAMETER) messages as well.

I would love to see such a feature, as this is the most difficult part
today when analysing massive VoIP traces.

Best regards
Anders  
  
> 2. Whenever an h225 packet is seen, it is checked whether it is already
> part of a conversation (should the word "call" be used instead of
> conversation?) in the list. The check is done using the ip/port pair
> combination (should we use some other parameters as well - CALL ID?). If
> not, it is added to the list. At this time we also look for the h.245
> address which is normally provided in the h225 connect message. We need
> this address to follow the h245 part of the call in case there is no
> faststart. If an h245 packet arrives, it is checked to which call it
> belongs (based on ip/port) and the counter is increased. If an h245
> packet is seen without the appropriate h225 part, it is skipped (f.e. in
> case the capturing started after the h225 phase).

Maybe you can also add the calling and called number for voice calls in the
list of "conversations".

Nice tool!

Alejandro



------------------------------
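
The correlation described in the message above, as an added example that is not part of the original post or of Ethereal's code: Q.931 messages are grouped into per-link legs keyed by call reference, a leg is closed at ReleaseComplete so that a reused CR starts a new leg, and legs are joined into a main conversation by calling/called number. The message tuples, node names and numbers are constructed sample data, and joining legs on unchanged numbers with overlapping frame ranges is an assumption of this example.

```python
# Constructed sample: (frame, src, dst, call_ref, q931_msg, calling, called)
MSGS = [
    (1, "A", "B", 0x11, "SETUP", "1001", "2002"),
    (2, "B", "C", 0x07, "SETUP", "1001", "2002"),
    (3, "C", "B", 0x07, "CONNECT", None, None),
    (4, "B", "A", 0x11, "CONNECT", None, None),
    (5, "A", "B", 0x11, "RELEASE COMPLETE", None, None),
    (6, "B", "C", 0x07, "RELEASE COMPLETE", None, None),
    (7, "A", "B", 0x11, "SETUP", "1001", "2002"),  # CR 0x11 reused by a new call
    (8, "B", "A", 0x11, "RELEASE COMPLETE", None, None),
    (9, "B", "C", 0x09, "CONNECT", None, None),  # SETUP not captured
]

def build_legs(msgs):
    """Sub conversations: one per (link, CR), closed by RELEASE COMPLETE."""
    open_legs, legs = {}, []
    for frame, src, dst, cr, msg, calling, called in msgs:
        key = (frozenset((src, dst)), cr)  # a CR is only unique per link
        if msg == "SETUP":
            open_legs[key] = {"link": (src, dst), "cr": cr, "calling": calling,
                              "called": called, "start": frame, "stop": None,
                              "frames": []}
            legs.append(open_legs[key])
        leg = open_legs.get(key)
        if leg is None:
            continue  # no SETUP seen for this CR: skip the message
        leg["frames"].append(frame)
        if msg == "RELEASE COMPLETE":
            leg["stop"] = frame
            del open_legs[key]  # the CR is free for reuse from here on
    return legs

def join_calls(legs):
    """Main conversations: legs with equal numbers and overlapping frame ranges."""
    calls = []
    for leg in sorted(legs, key=lambda l: l["start"]):
        stop = float("inf") if leg["stop"] is None else leg["stop"]
        for call in calls:
            if (call["numbers"] == (leg["calling"], leg["called"])
                    and leg["start"] <= call["stop"]):
                call["legs"].append(leg)
                call["stop"] = max(call["stop"], stop)
                break
        else:
            calls.append({"numbers": (leg["calling"], leg["called"]),
                          "stop": stop, "legs": [leg]})
    return calls

CALLS = join_calls(build_legs(MSGS))
```
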