This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can see RTP stream but couldn't find SIP or H.323

0

I am trying to analyze some VoIP traffic in Wireshark. But all I could see are small UDP packets; some containing RTP streams and I can see various codec information like G.711, G.723 etc. But there is no sign of SIP or any other signaling packets. Is it possible to hide SIP or H323 signalling within UDP packets in a way which is undetectable to Wireshark? Or can STUN do some encoding to hide signalling packets?

asked 25 Sep '13, 09:38

rousseau
accept rate: 0%

edited 25 Sep '13, 10:14


One Answer:

0

Is it possible to hide SIP or H323 signalling within UDP packets in a way which is undetectable to Wireshark?

The easiest way to "hide" SIP messages from Wireshark is to use a non-standard port, as Wireshark detects SIP basically by its ports (5060 and 5061 for secure SIP).

You can change (extend) the ports

Edit -> Preferences -> Protocols -> SIP -> SIP TCP Ports / SIP TLS Ports

However, you will have to know the port then. One way would be to search for strings typically contained in SIP messages.

frame contains "INVITE"

or

frame contains "REGISTER"

However, this will only work for unencrypted SIP. In the case of encrypted SIP, you'll have to wade through the traffic manually to figure out the port.

BTW: If there is no SIP/H.323 traffic in your capture file, it may well be missing, because it was not recorded in the first place ;-))

Regards
Kurt

answered 29 Sep '13, 09:33

Kurt Knochner ♦
accept rate: 15%
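
A stricter form of the string search suggested in the answer, as an added example that is not part of the original post: instead of matching "INVITE" anywhere in a frame, it checks each UDP payload for a SIP start-line (RFC 3261) and counts hits per port to find unencrypted SIP on a non-standard port. The datagram tuples, port 15060 and the host names are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import Counter

# SIP start-lines per RFC 3261:
#   request:  METHOD SP Request-URI SP SIP/2.0 CRLF
#   response: SIP/2.0 SP Status-Code SP Reason-Phrase CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]{3,16}) (?:sips?|tel):\S+ SIP/2\.0\r\n")
STATUS_LINE = re.compile(rb"^SIP/2\.0 ([1-6]\d\d) [^\r\n]*\r\n")

def classify(payload):
    """Return 'request:METHOD', 'response:CODE', or None for non-SIP payloads."""
    m = REQUEST_LINE.match(payload)
    if m:
        return "request:" + m.group(1).decode()
    m = STATUS_LINE.match(payload)
    if m:
        return "response:" + m.group(1).decode()
    return None

def candidate_sip_ports(datagrams):
    """Count SIP-looking datagrams per port (heuristic): a request is
    credited to its destination port, a response to its source port."""
    ports = Counter()
    for src_port, dst_port, payload in datagrams:
        kind = classify(payload)
        if kind is None:
            continue
        ports[dst_port if kind.startswith("request") else src_port] += 1
    return ports

# Constructed sample: (src_port, dst_port, UDP payload). Not from a real capture.
SAMPLE = [
    (40112, 15060, b"REGISTER sip:pbx.example.test SIP/2.0\r\nCSeq: 1 REGISTER\r\n\r\n"),
    (15060, 40112, b"SIP/2.0 401 Unauthorized\r\nCSeq: 1 REGISTER\r\n\r\n"),
    (40112, 15060, b"INVITE sip:200@pbx.example.test SIP/2.0\r\nCSeq: 2 INVITE\r\n\r\n"),
    (15060, 40112, b"SIP/2.0 100 Trying\r\nCSeq: 2 INVITE\r\n\r\n"),
    # RTP header (version 2, payload type 0 = G.711 u-law) plus audio: no match
    (16384, 16386, b"\x80\x00\x00\x01\x00\x00\x00\xa0\x12\x34\x56\x78" + b"\xff" * 160),
    # Contains the word INVITE but has no SIP start-line: no match
    (53000, 8080, b"GET /?q=INVITE HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for port, hits in candidate_sip_ports(SAMPLE).most_common():
        print(f"udp port {port}: {hits} SIP-looking datagrams")
```

As the answer notes for the string search, this only works for unencrypted SIP.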