Wireshark-dev: Re: [Wireshark-dev] Determining how Wireshark detects T.38

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 21 Jun 2016 20:18:13 -0700
On Jun 21, 2016, at 8:04 PM, Rayne <hjazz6@xxxxxxxxx> wrote:

> So what is the criteria to determine if the T.38 dissector succeeds or fails when the RTP dissector calls it, besides checking if RTPv2 packets were misidentified as RTP in the "dissect_t38_udp()" function?

There isn't one.  It's just called, and its return value is ignored.  There's a comment before one of the calls that reads /* XXX: Should really be calling a heuristic dissector for T38 ??? */, but that's not what's happening now.

> "In addition, the dissectors for some protocols used in call setup, such as SDP and H.245, can, if they see an indication that UDP traffic to and from some port will be T.38 traffic, arrange that said traffic will be dissected as T.38."
> 
> For SDP, is it by comparing the media protocol string with "UDPTL"?

Among other things, yes.  There are some additional tests done in addition to that one.

> For H.245, I only see the string comparison between "upcoming_channel_lcl->data_type_str" and "t38fax". What is the name of the field "upcoming_channel_lcl->data_type_str" as displayed in Wireshark?

It's set from the global (ick) variable "codec_type", which is set from DataApplicationCapability and/or DataMode in the H.245 packet.

> What about H.225? I don't see any comparisons with any strings containing "t38", but is there a way to tell from H.225 that the traffic is T.38?

Wireshark currently doesn't do that.