This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

rfc 2833 in H.323

0

I'm trying to find DTMF digits in wireshark in H.323 protocol, however I can't find it. Does anybody know what can be done and which filter I should use?

asked 13 Jan '14, 09:45

markkarp's gravatar image

markkarp
1223
accept rate: 0%

Do any of the other questions that come up with a search for dtmf help?

(13 Jan '14, 10:05) grahamb ♦

Not yet. Once step at the time ))

(14 Jan '14, 17:02) markkarp

One Answer:

0

The DTMF in H.323 can be via RFC 2833 (RTP packets) or via H.245 User Input Indication. Most H.323 devices send DTMF as User Input Indications, so I would suggest looking into the H.245 message exchanges. Note, also, that H.245 may be on a separate connection or may be tunneled inside H.225.0.

answered 13 Jan '14, 14:59

paulej's gravatar image

paulej
112
accept rate: 0%

Paul. Thanks a lot for your help. H245 is in H225, so when I use h225.h245.tunneling==1, I see absolutely nothing in the wireshark - not a single packet. All 245 packets are = FALSE. As far as I know there 2 ways to pass DTMF using h245 - control or alphanumeric, unless Avaya came up with something else. However the challenge I have is how to find a filter in the wireshark to display DTMF in h245. If you have any ideas please share it with me. I appreciate your help in advance

(13 Jan '14, 17:06) markkarp

If it's tunneled, you want to look in the h245Control field in H.225.0 for the H.245 message. Then, you'd look for the User Input Indication message. Since you mention that it's an Avaya endpoint, it might be that they are following H.323 Annex F ("Simple Endpoint Type"). Those terminals put DTMF digits inside the H.225.0 "Keypad" information element. See if you see any of those. I'd be happy to look at the Wireshark trace to see if I can find it. You can just email it to my Packetizer address, which you can readily find via Google.

(13 Jan '14, 19:30) paulej