I am trying to decode a GRQ from an IP Phone, modified by a PIX firewall. Here's the frame decode.
H.225.0 RAS
RasMessage
RasMessage: .000 00.. : gatekeeperRequest (0)
GatekeeperRequest
RequestSeqNum: 4431
ProtocolIdentifier: 0.0.8.2250.0.2
rasAddress
rasAddress: .000 .... : ipAddress (0)
ipAddress
IP: 198.67.56.129 (198.67.56.129)
Port: 34369
EndPointType
TerminalInfo
mc: .0.. .... False
undefinedNode: ..0. .... False
endpointAlias
Item 0
AliasAddress
AliasAddress: .0.. .... : dialedDigits (0)
privateNumberDigits: 1000101200
Item 1
AliasAddress
AliasAddress: .1.. .... : h323ID (1)
h323ID: iicus-120
0000 00 60 97 57 42 45 00 03 e4 16 68 00 08 00 45 00 .`.WBE....h...E.
0010 00 4f 00 56 00 00 7f 11 3d d3 c6 43 38 81 c6 43 .O.V....=..C8..C
0020 38 6d 86 41 06 b7 00 3b 36 5f 00 20 11 4e 06 00 8m.A...;6_. .N..
0030 08 91 4a 00 02 00 c6 43 38 81 86 41 02 00 02 04 ..J....C8..A....
0040 80 43 33 43 45 33 40 08 00 69 00 69 00 63 00 75 .C3CE3@..i.i.c.u
0050 00 73 00 2d 00 31 00 32 00 30 0e 02 00 .s.-.1.2.0...
There's a byte at position #43 that changes from 0x02 to 0x00 while traversing the PIX.
I cannot find what this byte is and it's not decoded in Ethereal.
Ali N. Arman
Sr. Systems Engineer
Cirilium, Inc.
(480) 317-1014
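
Added example, not part of the original post: Python that searches the UDP payload of the frame above for the bytes of each value the decode does show, and lists the payload offsets that no decoded value accounts for. It assumes Ethernet II/IPv4/UDP framing and the aligned PER encoding H.225.0 RAS uses (requestSeqNum sent as value minus 1, dialedDigits packed 4 bits per character); the function names are hypothetical.

```python
import socket, struct

# Hex column of the dump in the post (offset + bytes; ASCII column dropped).
DUMP = """\
0000 00 60 97 57 42 45 00 03 e4 16 68 00 08 00 45 00
0010 00 4f 00 56 00 00 7f 11 3d d3 c6 43 38 81 c6 43
0020 38 6d 86 41 06 b7 00 3b 36 5f 00 20 11 4e 06 00
0030 08 91 4a 00 02 00 c6 43 38 81 86 41 02 00 02 04
0040 80 43 33 43 45 33 40 08 00 69 00 69 00 63 00 75
0050 00 73 00 2d 00 31 00 32 00 30 0e 02 00
"""

def frame_bytes(dump):
    """Turn 'offset b0 b1 ...' lines into the raw frame."""
    return b"".join(bytes.fromhex("".join(l.split()[1:])) for l in dump.splitlines())

def ras_payload_offset(frame):
    """Frame offset of the UDP payload; assumes Ethernet II + IPv4 + UDP."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 17:
        raise ValueError("not an IPv4/UDP frame")
    return 14 + (frame[14] & 0x0F) * 4 + 8

def digits_packed(digits):
    """dialedDigits in PER: 4 bits per character, index into this alphabet."""
    nib = ["#*,0123456789".index(c) for c in digits]
    nib += [0] * (len(nib) % 2)
    return bytes(a << 4 | b for a, b in zip(nib[::2], nib[1::2]))

def map_fields(frame):
    """Return ({field: frame offset}, [payload offsets no field covers])."""
    start = ras_payload_offset(frame)
    fields = {
        "requestSeqNum": struct.pack(">H", 4431 - 1),      # range 1..65535
        "protocolIdentifier": bytes.fromhex("0008914a0002"),  # 0.0.8.2250.0.2
        "rasAddress.ip": socket.inet_aton("198.67.56.129"),
        "rasAddress.port": struct.pack(">H", 34369),
        "dialedDigits": digits_packed("1000101200"),
        "h323ID": "iicus-120".encode("utf-16-be"),
    }
    found, covered = {}, set()
    for name, pat in fields.items():
        off = frame.find(pat, start)
        found[name] = off
        if off >= 0:
            covered.update(range(off, off + len(pat)))
    return found, [o for o in range(start, len(frame)) if o not in covered]

if __name__ == "__main__":
    found, unmapped = map_fields(frame_bytes(DUMP))
    print(found, [f"{o:#04x}" for o in unmapped])
```

Running the same mapping on the capture taken on each side of the PIX shows whether the changed byte falls inside a decoded value or in one of the uncovered offsets.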