Wireshark-users: Re: [Wireshark-users] Help of Dissecting or Parsing Packets
From: "Anders Broman" <a.broman@xxxxxxxxx>
Date: Sun, 11 Mar 2007 21:47:33 +0100
Hi,

It would be more useful to attach the binary file. Looking briefly at the trace, it looks like it's not a standard H.323 implementation, as port 1718 is used with TCP. ITU rec H.225 says:

"IV.1.1.1 Discovery using multicast address or well-known port

Following the gatekeeper discovery and registration procedures described in clause 7/H.323, endpoints should use the following multicast address or well known port when attempting to discover the gatekeeper as appropriate for their network configuration:

– UDP Address for multicast communication with gatekeepers: 224.0.1.41
– UDP port for multicast communication with gatekeepers: 1718
– UDP port for unicast RAS communication where no "other agreement" exists: 1719

Note that "other agreement" may include registration of an endpoint with a gatekeeper. Note that implementations should pay attention to the scope of the multicast so as to not flood the Internet with discovery messages.

Assuming a gatekeeper has an IP address for example of 134.134.12.1, the following signalling may occur:

– LRQ or GRQ arrives at 134.134.12.1: port 1719;
– LRQ or GRQ arrives at 134.134.12.1: port 1718 (note that this may occur with v1 GKs);
– LRQ or GRQ arrives at 224.0.1.41: port 1718.

The gatekeeper may transmit an LRQ to the following addresses:

– 224.0.1.41: port 1718 (multicast to all GKs);
– X.X.X.X: port 1719 (to a specific GK).

Port 1719 should only be used when a request is sent unicast. This allows the receiver to know whether it should send a reject (xRJ) to the sender (it should in all cases). Port 1718 should only be used when a request is sent multicast. The receiver should respond with the appropriate response, depending on the message. For LRQ no reject required, the receiver does not reply for multicast requests. For GRQ, a directed GRJ should be sent to the source of the GRQ."

In addition, H.225 over TCP should use TPKT, which seems not to be the case here.
What vendor is supplying the VoIP equipment? Cisco? If so, you could ask them what protocol is being used.

Best regards
Anders

________________________________________
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of ARAMBULO, Norman R.
Sent: 9 March 2007 10:23
To: Wireshark-Users (E-mail)
Subject: [Wireshark-users] Help of Dissecting or Parsing Packets

Hi Anders,

How do I attach the sample files? Can I put it on as Wireshark verbose? Please see the files below.

Thanks

No.     Time                        Source          Destination   Protocol  Info
116498  2007-02-23 14:55:00.564621  84.138.215.62   192.168.2.1   TCP       13644 > 1718 [PSH, ACK] Seq=0 Ack=0 Win=64290 Len=558

Frame 116498 (612 bytes on wire, 612 bytes captured)
    Arrival Time: Feb 23, 2007 14:55:00.564621000
    [Time delta from previous packet: 0.268562000 seconds]
    [Time since reference or first frame: 50.246306000 seconds]
    Frame Number: 116498
    Packet Length: 612 bytes
    Capture Length: 612 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp:data]
Ethernet II, Src: Cisco_40:cb:40 (00:13:80:40:cb:40), Dst: Cisco_1c:46:24 (00:11:20:1c:46:24)
    Destination: Cisco_1c:46:24 (00:11:20:1c:46:24)
        Address: Cisco_1c:46:24 (00:11:20:1c:46:24)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: Cisco_40:cb:40 (00:13:80:40:cb:40)
        Address: Cisco_40:cb:40 (00:13:80:40:cb:40)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 84.138.215.62 (84.138.215.62), Dst: 192.168.2.1 (192.168.2.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 598
    Identification: 0xf9b8 (63928)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 116
    Protocol: TCP (0x06)
    Header checksum: 0xa9be [correct]
        [Good: True]
        [Bad : False]
    Source: 84.138.215.62 (84.138.215.62)
    Destination: 192.168.2.1 (192.168.2.1)
Transmission Control Protocol, Src Port: 13644 (13644), Dst Port: 1718 (1718), Seq: 0, Ack: 0, Len: 558
    Source port: 13644 (13644)
    Destination port: 1718 (1718)
    Sequence number: 0    (relative sequence number)
    [Next sequence number: 558    (relative sequence number)]
    Acknowledgement number: 0    (relative ack number)
    Header length: 20 bytes
    Flags: 0x18 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 64290
    Checksum: 0x004b [correct]
Data (558 bytes)

0000  86 9c d1 c0 7f ec af 56 95 d2 73 1b 44 17 1f 6e   .......V..s.D..n
0010  07 f0 24 bf 2b 15 c9 4f 01 f3 5e 03 35 c7 c0 A8   ..$.+..O..^.5...
0020  9e 02 01 3f aa 5d 53 0e 9c ab 26 ea f5 e9 ab 38   ...?.]S...&....8
0030  0d 8c 95 89 69 43 9a 35 18 b2 25 8f e7 79 5f 12   ....iC.5..%..y_.
0040  e0 5e 2a 06 2c cf 90 2f 87 18 37 f7 42 b4 95 c0   .^*.,../..7.B...
0050  7c cc ee 8a 6c 28 a5 5b da 73 e7 23 88 65 89 0d   |...l(.[.s.#.e..
0060  39 5e 03 ed a9 14 be 93 62 9a 4e 94 eb 4f 41 a2   9^......b.N..OA.
0070  39 ad c9 00 46 06 c2 92 a6 a5 45 a3 13 a4 bc c7   9...F.....E.....
0080  90 e4 e9 b7 21 83 e9 06 cf 43 cd 00 80 ad c3 b5   ....!....C......
0090  e0 7d 0b d5 32 77 91 1d 3c b0 1e 1e 26 56 5f 07   .}..2w..<...&V_.
00a0  3b e7 4d 22 28 92 a9 3f c9 2d 5e c7 41 bc b0 31   ;.M"(..?.-^.A..1
00b0  3e 06 41 b8 fc 1e 02 07 10 0c 4b db 8d 56 a8 6c   >.A.......K..V.l
00c0  f1 aa b0 78 08 20 67 bb 55 2b 28 9a e0 b5 82 8a   ...x. g.U+(.....
00d0  5c c6 d0 ea 0c 8e 06 11 5b 70 12 c0 d0 6a 83 04   \.......[p...j..
00e0  21 2d 35 0e a6 c1 51 22 e0 51 25 f5 2b 62 f0 9d   !-5...Q".Q%.+b..
00f0  b3 de 24 f6 11 4a af 5e 06 40 ba 3a 08 53 3c 4c   ..$..J.^.@.:.S<L
0100  2e 61 54 0b 9b 25 c6 5a 7c 30 e7 9e 7b c0 84 4e   .aT..%.Z|0..{..N
0110  98 ba 2c 69 58 78 3f 64 74 66 a1 db 87 7a 04 af   ..,iXx?dtf...z..
0120  23 f6 ff 37 87 3e ff f0 e3 7d fd f0 3a f7 3e ff   #..7.>...}..:.>.
0130  68 61 b6 79 ff 0c 57 db a7 fc 37 cf d5 7d 3e ed   ha.y..W...7..}>.
0140  7f 80 ed e9 0a 88 cf b3 1b 7e 1f bd 87 fb b1 12   .........~......
0150  84 77 02 3d 05 b2 d9 df c3 d4 fe 38 0f a5 0e 25   .w.=.......8...%
0160  a5 4e 4e 1c 47 27 2b a9 fd e0 3e df f3 af 4b 6a   .NN.G'+...>...Kj
0170  83 de d3 9a 97 40 3f 88 99 05 2e fe 47 bb 78 76   .....@?.....G.xv
0180  72 d3 fe a3 87 3d 87 df 00 6e ed e8 d5 a9 3d 46   r....=...n....=F
0190  6c fa c7 50 1f d0 8d 82 f7 53 91 29 ec 83 0c db   l..P.....S.)....
01a0  90 f3 bd af 99 af cd 80 db e4 23 d8 13 e8 7a 7c   ..........#...z|
01b0  26 df 81 fd 25 3a d7 5c 28 d6 9d 95 b0 fe ec 8c   &...%:.\(.......
01c0  3f b5 63 f4 f8 80 21 d3 b3 01 ff c3 f7 69 f9 22   ?.c...!......i."
01d0  ef e9 16 03 c7 23 ab 0f dd f4 ff 1d 80 fa 80 92   .....#..........
01e0  a0 24 a9 40 4a f4 18 ed 87 60 1f bc e0 b5 e7 2b   .$.@J....`.....+
01f0  cc 74 05 ad 0a c8 b4 2f de 03 f2 40 ed 39 68 df   .t...../...@.9h.
0200  f0 ed 94 e4 0c fb d8 71 b3 f6 80 cd c8 31 9c b7   .......q.....1..
0210  0e 78 e8 03 77 16 a7 67 90 fc 1e ca 3b d8 84 87   .x..w..g....;...
0220  3f 40 7e ad e1 fc e9 80 ba e8 38 79 41 26         ?@~.......8yA&

"Reality is merely an illusion, albeit a very persistent one." -- Albert Einstein
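Anders' observation that H.225 call signalling over TCP should sit inside TPKT framing can be checked directly against the bytes in the dump above. The following is an added example written for this page, not code from either post or from Wireshark: it parses the RFC 1006 TPKT header (version 3, reserved byte 0, 16-bit big-endian length that includes the 4-byte header) and classifies a TCP segment as fully TPKT-framed, partially framed (the last PDU continues in a later segment, so reassembly is needed before an H.225 dissector can run) or not TPKT at all. The first 16 payload bytes are copied from frame 116498 above; the TPKT-framed samples are constructed and their PDU bodies are placeholder bytes, not real Q.931.

```python
"""TPKT (RFC 1006) framing check for TCP payloads.

Added example for this thread; not code from the mailing-list posts or from Wireshark.
H.225.0 call signalling over TCP is carried inside TPKT, so a segment on an H.323
signalling port whose leading bytes are not a TPKT header is either not H.225 at all
or uses a non-standard framing, which is what the dissector sees in the trace above.
"""
import struct
from typing import List, Optional

TPKT_VERSION = 3   # the only version RFC 1006 defines
TPKT_HDR_LEN = 4   # version(1) + reserved(1) + length(2); length counts the header too


def parse_tpkt_header(buf: bytes) -> Optional[int]:
    """Return the TPKT PDU length announced at the start of buf, or None if the
    four leading bytes are not a plausible TPKT header."""
    if len(buf) < TPKT_HDR_LEN:
        return None
    version, reserved, length = struct.unpack("!BBH", buf[:TPKT_HDR_LEN])
    if version != TPKT_VERSION or reserved != 0 or length < TPKT_HDR_LEN:
        return None
    return length


def classify_segment(payload: bytes) -> str:
    """Classify one TCP segment:
    'tpkt'         every byte belongs to a complete TPKT PDU
    'tpkt-partial' framing is valid but the last PDU continues in a later segment
    'not-tpkt'     no TPKT header where one is expected
    """
    offset = 0
    while offset < len(payload):
        length = parse_tpkt_header(payload[offset:])
        if length is None:
            return "not-tpkt"
        if offset + length > len(payload):
            return "tpkt-partial"
        offset += length
    return "tpkt"


def split_tpkt_stream(payload: bytes) -> List[bytes]:
    """Return the bodies of all TPKT PDUs in a segment classified 'tpkt'.
    Raises ValueError otherwise, so callers never silently skip bytes."""
    verdict = classify_segment(payload)
    if verdict != "tpkt":
        raise ValueError(f"segment is {verdict}, cannot split into TPKT bodies")
    bodies = []
    offset = 0
    while offset < len(payload):
        length = parse_tpkt_header(payload[offset:])
        bodies.append(payload[offset + TPKT_HDR_LEN:offset + length])
        offset += length
    return bodies


# First 16 payload bytes of frame 116498 from the trace in this thread (TCP dst port 1718).
CAPTURED_HEAD = bytes.fromhex("869cd1c07fecaf5695d2731b44171f6e")

# Constructed samples (not from the capture); PDU bodies are placeholder bytes, not real Q.931.
CONSTRUCTED_TWO_PDUS = bytes.fromhex("03000008" "aabbccdd" "03000007" "eeff00")
CONSTRUCTED_PARTIAL = bytes.fromhex("03000020" "aabb")   # header claims 32 bytes, only 6 present


if __name__ == "__main__":
    for name, sample in [("captured", CAPTURED_HEAD),
                         ("two PDUs", CONSTRUCTED_TWO_PDUS),
                         ("partial", CONSTRUCTED_PARTIAL)]:
        print(f"{name:9s} -> {classify_segment(sample)}")
```

Run stand-alone, the captured bytes classify as not-tpkt (the first byte is 0x86, not the TPKT version 3), which matches why Wireshark shows the payload as plain "Data" rather than H.225; the two constructed PDUs classify as tpkt and split into their two bodies, and the truncated sample is reported as needing reassembly rather than being rejected.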
References:
- [Wireshark-users] Help of Dissecting or Parsing Packets, From: ARAMBULO, Norman R.