Wireshark-dev: Re: [Wireshark-dev] "Track Context" in H248
From: "Luis Ontanon" <[email protected]>
Date: Wed, 11 Apr 2007 16:42:00 +0200
H.248.1 p. 8.3 (Messages) states:
" An H.248.1 entity (MG/MGC) must consistently use the same MID in all
messages it originates for the duration of control association with
the peer (MGC/MG). "

But using the MID only might not suffice as we'll know only the
message sender; there's no simple way to know who's the recipient (we
are a protocol analyzer, not an MGC or MGw; we cannot assume to only
receive messages for a specific MGC/MGw). We could create a mapping
based on the assumption that if there's a mId for a trxReq the mId of
the mess containing the trxReply with the same trxId would be the
peer, but that would make even more complex code that is already

I have used it with packets coming from logs of an MGw, no address
whatsoever, just GCP. It worked because all the packets regarded a
single MGw that won't duplicate context Ids and trxIds just happened
to be unique so the "NONE-NONE" address pair was OK to create unique


On 4/11/07, Roger Mahler <[email protected]> wrote:
Hi Luis and the other H248 experts

let me ask differently:
Would it be possible to trace a context entirely by looking just at the H248
The mId identifies the originator of a message: (i.e. the MGC in case of
(most of) the Request messages and the MGW in case of (most of) the Reply
Will I be able to extract exactly my TWO mIds (including transactionId and
contextId) and use these as correlation keys OR (and this is my actual
question) can these mIds change in the course of a call?


> Depends,
> once the context is set up lower, higher addresses and context-id.
> if the contextid is choose it uses another table with the
> transactionid instead to bind the first transaction.
> in current svn the code used to track the context is in epan/gcp.[ch]
> it was in packet-h248.c till the last release.
> On 4/6/07, Roger Mahler <[email protected]> wrote:
>> Hello
>> what's Wireshark using as key to track contexts in H248?
>> Cheers,
>> Roger


This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
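
The trxReq/trxReply pairing idea from the reply at the top of this thread, sketched as an added example; it is not code from the original message or from Wireshark's epan/gcp.[ch]. The `struct trx` layout, the `infer_peer` function and the sample mIds are assumptions constructed for illustration, and the second capture shows what happens when trxIds do not happen to be unique.

```c
#include <stdio.h>
#include <string.h>

/* One row per transaction seen on the wire (constructed sample data below). */
enum trx_kind { TRX_REQ, TRX_REPLY };
struct trx { const char *mid; enum trx_kind kind; unsigned trx_id; };
static const char AMBIGUOUS[] = "<ambiguous>"; /* candidates disagree */

/*
 * Infer the peer of `mid`: for every trxReq sent by `mid`, any later trxReply
 * that carries the same trxId and a different mId names a candidate peer.
 * Returns NULL if no reply was seen, AMBIGUOUS if the candidates disagree.
 */
const char *infer_peer(const struct trx *t, size_t n, const char *mid)
{
    const char *peer = NULL;
    for (size_t i = 0; i < n; i++) {
        if (t[i].kind != TRX_REQ || strcmp(t[i].mid, mid) != 0)
            continue;
        for (size_t j = i + 1; j < n; j++) {
            if (t[j].kind != TRX_REPLY || t[j].trx_id != t[i].trx_id)
                continue;
            if (strcmp(t[j].mid, mid) == 0)
                continue;               /* a sender does not answer itself */
            if (peer != NULL && strcmp(peer, t[j].mid) != 0)
                return AMBIGUOUS;       /* trxId alone is not a unique key */
            peer = t[j].mid;
        }
    }
    return peer;
}

/* Constructed capture: one MGC/MGw pair with unique trxIds. */
static const struct trx clean[] = {
    { "mgc1", TRX_REQ, 100 }, { "mgw-a", TRX_REPLY, 100 },
    { "mgc1", TRX_REQ, 101 }, { "mgw-a", TRX_REPLY, 101 },
};
/* Constructed capture: a second association reuses trxId 100. */
static const struct trx mixed[] = {
    { "mgc1", TRX_REQ, 100 }, { "mgc2", TRX_REQ, 100 },
    { "mgw-b", TRX_REPLY, 100 }, { "mgw-a", TRX_REPLY, 100 },
};

int main(void)
{
    printf("clean: %s\n", infer_peer(clean, 4, "mgc1"));
    printf("mixed: %s\n", infer_peer(mixed, 4, "mgc1"));
    return 0;
}
```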