I have been sniffing H.323 traffic with Ethereal for about half a year. I
was using version 9.7 with an extra H.323 plugin.
Suddenly I found that the H.245 messages were no longer expanded; even
TPKT wasn't shown, only TCP data.
Also, the RTP and RTCP traffic was no longer expanded; it just showed as
UDP traffic.
I tried many things:
uninstalling WinPcap and Ethereal, then reinstalling the latest WinPcap and
Ethereal 9.15 (after removing all Ethereal directories).
The problem remained.
The peculiar thing is that old capture files, as well as the VoIP example
at the Ethereal site, show well-formed H.245 expansions.
So there should be something strange in the capture files. However, the
captures were made with working telephony calls, and I am sure that the
unexpanded H.245 messages were interpreted as such by the telephony
equipment. Analysing the byte string of the TCP data also showed a
well-formed H.245 message.
However, when I looked at the complete TCP stream window, I saw a
difference. The 16th byte in the stream showed as a '.' in the packet
window and as a '0' in the stream window.
Does anybody have an idea what might be a clue here?
I include screenshots of the packet window as well as the stream analysis
window. I am also sending the capture file in which I experienced the
described problem, as well as the unexpanded RTP packets.
regards
Dirk Los
Attachment:
no_h245_and _rtp_expansion.raw
Description: Binary data