Ethereal-dev: Re: [Ethereal-dev] H323 Call analysis

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Lars Roland <Lars.Roland@xxxxxxx>
Date: Thu, 30 Sep 2004 23:50:37 +0200
Anders Broman wrote:
Hi,
If you want to see a call chain (Node A --- Node B --- Node C) in a "single call/conversation", I think the only way to do it is by checking the calling/called party number in the Q931 Setup message, get the Call references (CR) from the Q931 messages and string it all into the same conversation (max number of CR:s 16?). Perhaps it would also be a good idea to store start and stop frame number, stop frame being after the last ReleaseComplete, as CR:s will be reused. H225 CallId isn't present in all messages unfortunately (is it?), so that might not suffice.

AFAIK the Call ID is present in all CS messages related to a call. It is also present in all RAS requests related to a call. We already have a function in packet-h225.c to get the corresponding RAS response. To get all h245 and rtp/rtcp messages for a call, we should use the information from h225 messages (IP address and port number for h245 messages and rtp/rtcp packets). It would be good to have a start frame number and a stop frame number for h245 and rtp/rtcp. Perhaps the best way is to improve the conversation stuff for dissectors, including a start and a stop frame number. When the dissector stuff is able to locate all messages for a specific call, then we could just reuse the information for the tap.

I will work on that.

Perhaps it could also be solved by having Main and Sub conversations, e.g. using the current conversations and *join* them in a main conversation?
This method could also be used to add messages from different protocols. An incoming call might start off as SCTP/M3UA/ISUP, continue to node B as Q931/h225 or h245 and continue to node C as SIP. It might also be interesting to connect MEGACO/MGCP control messages in such a conversation if possible. You might have to add CIC as an address type then as well. Then you have the question of media (RTP/RTCP) and accounting (RADIUS/DIAMETER) messages as well.

I would love to see such a feature, as this is the most difficult part today when analysing massive VoIP traces.

Yes, this would be a great feature. Unfortunately it is usually not possible to match call legs using different VoIP protocols because a unique field is missing, e.g. only the h323/sip gateway application usually knows which sip and which h323 call belong to the same call. Sometimes you have the chance to use the phone numbers, but there is no guarantee.

Regards,
Lars
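
The correlation discussed in this thread, as an added example that is not part of the original message and not Ethereal code: Q.931 messages are grouped into per-link legs keyed by call reference, each leg is closed at ReleaseComplete so a reused CR starts a new leg, and legs are then joined into a main conversation when the Setup party numbers match and the frame ranges overlap. The record layout, the names `build_legs` and `join_legs`, and the sample messages are assumptions constructed for illustration, and the number match is a heuristic only.

```python
from dataclasses import dataclass, field

# Constructed sample, not a real capture:
# (frame, src, dst, call_ref, q931_msg, calling, called)
SAMPLE = [
    (1, "A", "B", 0x12, "SETUP", "1001", "2002"),
    (2, "B", "C", 0x40, "SETUP", "1001", "2002"),
    (3, "C", "B", 0x40, "CONNECT", None, None),
    (4, "B", "A", 0x12, "CONNECT", None, None),
    (5, "A", "B", 0x12, "RELEASE COMPLETE", None, None),
    (6, "B", "C", 0x40, "RELEASE COMPLETE", None, None),
    (7, "A", "B", 0x12, "SETUP", "1001", "2002"),  # CR 0x12 reused
    (8, "B", "A", 0x12, "RELEASE COMPLETE", None, None),
]

@dataclass
class Leg:
    link: frozenset             # the two signalling endpoints
    call_ref: int
    start: int                  # first frame of the leg
    stop: float = float("inf")  # frame of RELEASE COMPLETE, if seen
    numbers: tuple = None       # (calling, called) from SETUP
    frames: list = field(default_factory=list)

def build_legs(messages):
    """Sub-conversations: one per (link, CR), closed at RELEASE COMPLETE."""
    open_legs, legs = {}, []
    for frame, src, dst, cr, msg, calling, called in messages:
        key = (frozenset((src, dst)), cr)
        if key not in open_legs:
            open_legs[key] = Leg(key[0], cr, start=frame)
            legs.append(open_legs[key])
        leg = open_legs[key]
        leg.frames.append(frame)
        if msg == "SETUP":
            leg.numbers = (calling, called)
        elif msg == "RELEASE COMPLETE":
            leg.stop = frame
            del open_legs[key]  # the CR is free for reuse from here on
    return legs

def join_legs(legs):
    """Main conversations: equal party numbers and overlapping frame ranges."""
    chains = []
    for leg in legs:
        for chain in chains:
            if any(o.numbers and o.numbers == leg.numbers
                   and o.start <= leg.stop and leg.start <= o.stop for o in chain):
                chain.append(leg)
                break
        else:
            chains.append([leg])
    return chains
```

On the sample, the second call on CR 0x12 carries the same numbers as the first but lands in its own main conversation because its frame range does not overlap the earlier legs.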