What about using something like SNORT with some custom rules to look at the traffic and kick out alerts when things don't make sense / match a pattern.
-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Friday, January 06, 2012 3:27 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] How to identify voice traffic while passing through unconventional protocols such as DNS, SSL, SSLv3, IPA, RPCAP, RTMP
On Jan 6, 2012, at 10:43 AM, Azhar Chowdhury wrote:
> We have been observing there are voice traffic passing unconventional
> protocols such as the DNS, SSL, SSLv3, IPA, RPCAP, RTMP in our ISP
> data pipes.
> To identify this it takes long analysis in wireshark, is there any
> easy way to identify voice data with source & destip using tshark or
> other CLI based tool(s)?
I doubt it. If people are using tricks such as the voice-over-DNS stuff Dan Kaminsky talked about (stuffing compressed-out-the-wazoo voice into TXT RRs - see slide 28 in the PowerPoint presentation at
http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-kaminsky/bh-us-04-kaminsky.ppt
), i.e. stuffing voice into protocols not designed for voice, that's probably going to require either an algorithm running in meatware (as in "takes long analysis in Wireshark", presumably meaning "somebody's sitting in front of Wireshark trying to figure out what the heck is going on in the session) or a fairly sophisticated algorithm that could, say, identify Speex-encoded voice stuffed inside DNS TXT RRs.
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
