Wireshark-users: Re: [Wireshark-users] How to identify voice traffic while passing through unconv
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 6 Jan 2012 12:27:13 -0800
On Jan 6, 2012, at 10:43 AM, Azhar Chowdhury wrote:

> We have been observing there are voice traffic passing unconventional
> protocols such as the DNS, SSL, SSLv3, IPA, RPCAP, RTMP in our ISP
> data pipes.
> To identify this it takes long analysis in wireshark, is there any
> easy way to identify voice data with source & destip using tshark or
> other CLI based tool(s)?

I doubt it.  If people are using tricks such as the voice-over-DNS stuff Dan Kaminsky talked about (stuffing compressed-out-the-wazoo voice into TXT RRs - see slide 28 in the PowerPoint presentation at

	http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-kaminsky/bh-us-04-kaminsky.ppt

), i.e. stuffing voice into protocols not designed for voice, that's probably going to require either an algorithm running in meatware (as in "takes long analysis in Wireshark", presumably meaning "somebody's sitting in front of Wireshark trying to figure out what the heck is going on in the session) or a fairly sophisticated algorithm that could, say, identify Speex-encoded voice stuffed inside DNS TXT RRs.