I am trying to analyze some VoIP traffic in Wireshark. But all I could see are small UDP packets, some containing RTP streams, and I can see various codec information like G.711, G.723 etc. But there is no sign of SIP or any other signaling packets. Is it possible to hide SIP or H.323 signalling within UDP packets in a way that is undetectable to Wireshark? Or can STUN do some encoding to hide signalling packets?

asked 25 Sep '13, 09:38 rousseau, edited 25 Sep '13, 10:14
One Answer:
The easiest way to "hide" SIP messages from Wireshark is to use a non-standard port, as Wireshark detects SIP basically by its ports (5060 and 5061 for secure SIP). You can change (extend) the ports
However, you will have to know the port then. One way would be to search for a string typically contained in SIP messages.
or
However, this will only work for unencrypted SIP. In the case of encrypted SIP, you'll have to wade through the traffic manually to figure out the port. BTW: If there is no SIP/H.323 traffic in your capture file, it may well be missing because it was not recorded in the first place ;-))

Regards

answered 29 Sep '13, 09:33 Kurt Knochner ♦
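
A scripted version of the string search suggested in the answer above, as an added example that is not part of the original post or of Wireshark: it checks every UDP payload in a capture for a SIP start line, whatever the port, and reports the port that looks like the SIP listening side. It assumes a classic pcap file (not pcapng) with Ethernet/IPv4 frames and unencrypted SIP; the function names and the sample capture are constructed for illustration.

```python
import re
import struct

# SIP start line (RFC 3261): request "METHOD uri SIP/2.0", response "SIP/2.0 200 OK"
SIP_REQ = re.compile(rb"^[A-Z]{3,10} \S+ SIP/2\.0\r\n")
SIP_RSP = re.compile(rb"^SIP/2\.0 \d{3} ")

def udp_payloads(pcap):
    """Yield (sport, dport, payload) per Ethernet/IPv4/UDP frame of a classic pcap."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # not IPv4 carrying UDP
        udp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip Ethernet + IP header (IHL)
        if len(udp) < 8:
            continue
        sport, dport = struct.unpack("!HH", udp[:4])
        yield sport, dport, udp[8:]

def find_sip_ports(pcap):
    """Heuristic: a request's destination port and a response's source port."""
    ports = set()
    for sport, dport, payload in udp_payloads(pcap):
        if SIP_REQ.match(payload):
            ports.add(dport)
        elif SIP_RSP.match(payload):
            ports.add(sport)
    return sorted(ports)

def _frame(sport, dport, payload):
    """Constructed test record: Ethernet + IPv4 + UDP, checksums left at zero."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    pkt = b"\x02" * 12 + b"\x08\x00" + ip + udp
    return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt

def sample_pcap():
    """Constructed capture: SIP on non-standard UDP port 15060 plus one RTP-like packet."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    invite = b"INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.1:40000\r\n\r\n"
    ok = b"SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 192.0.2.1:40000\r\n\r\n"
    rtp = b"\x80\x00\x00\x01" + b"\x00" * 168
    return hdr + _frame(40000, 15060, invite) + _frame(15060, 40000, ok) + _frame(30000, 30002, rtp)

if __name__ == "__main__":
    print(find_sip_ports(sample_pcap()))
```

Once a port is reported, it can be added to Wireshark's SIP port settings so the packets are dissected as SIP.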