This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

While running a pcap on a Samsung VoIP set, I saw that packets that I know were part of an audio stream were simply identified as UDP and not rtp. A closer look showed 2 IP headers, the first one was in the usual place and the second was sandwiched between the data portion and another part of the header shown as "Packet Cable Lawful Intercept" with a CCCID of 2147499140 (reminded me of a phone number). Ports involved were udp 9000 & 30004. I know that 30000 through 300083 are being used for the rtp/rtcp and I also saw that WS will dissect 9000 as pcli but will it also put in a specific WAN and CCID number as well? Occasionally the second IP header would have a public address and other times a normal broadcast address.

Has anyone else run into this and Is this what I think it is? [play scary/dramatic music here .....]

asked 04 Apr '13, 23:11

EricKnaus's gravatar image

EricKnaus
46192026
accept rate: 0%


Packet Cable Lawful Intercept is a protocol that runs on port 9000 and therefor Wireshark interprets the packets as PCLI. Select one of the packets and rightclick on the "PCLI" header in the packet details pane. You can then choose "Disable Prototol".

permanent link

answered 05 Apr '13, 00:22

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Go to preferences, look for the RTP dissector settings and check 'Try to decode RTP outside of conversations'.

permanent link

answered 04 Apr '13, 23:45

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

Thanks guys - I did all that already and WS will still not read it as an rtp stream. I've looked at a lot of SIP pcaps (NEC, Astrisk, Shoretel, Panasonic, hosted SIP, etc) and have not seen this before. Normally it's 5060 (or something close to it) and the then the media streams on higher ports. Here, it's 6000 for their signaling (which still does not decode as SIP even though I put it in preferences) and then 9000 for one side and 30000 to 30083 for the other side with two IP headers embedded in the packet as described earlier. If WS were simply interpreting this as a default, then why am I seeing the pcli fields filled in with a value not in brackets - eg "[CCID: 2147499133 ]"? And what's with the second IP address that actually resolves to something and appears in the Source/Destination field in the packet list screen instead of the first IP header (this happens just as the supposed rtp stream starts btw)? My concern is that the manufacturer has defaulted to this port (9000) in order to be compliant with some of the federal gov. access laws started in 2007 which would allow the traffic to be siphoned off to a surveillance group that is not necessarily .... friendly or secure. Just seems fishy to me.

(05 Apr '13, 07:07) EricKnaus
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×139
×4

question asked: 04 Apr '13, 23:11

question was seen: 6,480 times

last updated: 05 Apr '13, 07:07

p​o​w​e​r​e​d by O​S​Q​A