Wireshark-dev: Re: [Wireshark-dev] Determining how Wireshark detects T.38
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: Rayne <hjazz6@xxxxxxxxx>
Date: Wed, 22 Jun 2016 03:04:16 +0000 (UTC)
So what is the criteria to determine if the T.38 dissector succeeds or fails when the RTP dissector calls it, besides checking if RTPv2 packets were misidentified as RTP in the "dissect_t38_udp()" function?


"In addition, the dissectors for some protocols used in call setup, such as SDP and H.245, can, if they see an indication that UDP traffic to and from some port will be T.38 traffic, arrange that said traffic will be dissected as T.38."

For SDP, is it by comparing the media protocol string with "UDPTL"? 

For H.245, I only see the string comparison between "upcoming_channel_lcl->data_type_str" and "t38fax". What is the name of the field "upcoming_channel_lcl->data_type_str" as displayed in Wireshark?

What about H.225? I don't see any comparisons with any strings containing "t38", but is there a way to tell from H.225 that the traffic is T.38?

Thank you.

Regards,
Rayne


From: Guy Harris <guy@xxxxxxxxxxxx>
To: Rayne <hjazz6@xxxxxxxxx>; Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Sent: Tuesday, June 21, 2016 5:54 PM
Subject: Re: [Wireshark-dev] Determining how Wireshark detects T.38

On Jun 21, 2016, at 2:17 AM, Rayne <hjazz6@xxxxxxxxx> wrote:


> I'm trying to follow the Wireshark source code to find out exactly how Wireshark determines that the layer above UDP or RTP is a T.38 payload.
>
> I assume that a heuristic dissector is used


Nope.

The RTP dissector gets a dissector handle for the T.38 dissector; that dissector is registered under the name "t38_udp".

If an RTP packet has a version number of 0, the RTP dissector assumes it's not RTP and, based on the setting of a preference for the RTP dissector, calls one of:

    the STUN dissector;

    the CLASSIC-STUN dissector;

    the T.38 dissector;

    the SPRT dissector;

    the ZRTP dissector, if the packet has "ZRTP" in bytes 4-8.

In addition, the dissectors for some protocols used in call setup, such as SDP and H.245, can, if they see an indication that UDP traffic to and from some port will be T.38 traffic, arrange that said traffic will be dissected as T.38.

And, if all else fails, the user can use "Decode As..." (or its command-line equivalent) to specify that UDP traffic to or from a particular port be dissected as T.38.