In Wireshark, if I go to Telephony -> VoIP calls I get a list of VoIP (MGCP) calls (not all of them with the corresponding RTP packets). In that list I can see the "To" field (dialed number), but I have no clue how to get the same result with TShark. I have inspected MGCP, SDP and RTP packets, but none of them has this value.

asked 15 Sep '15, 15:20 qsebas
One Answer:
I decided to download the Wireshark source code and inspect it to try to figure out where the hell it is getting this information. The field is "mgcp.param.observedevents"; it can be "hd" for a pick-up, numbers (in my case they were separated by commas, which is why I didn't find the numbers in a raw search) or "hu" for a hang-up, or the numbers. What I've read in the protocol specification is that they can come in several MGCP packets and they should be concatenated, and also they should be checked against the field "digitMap" interpreted as a regexp to see if it is a valid number (or maybe a prefix). But in my case they always came in a single MGCP packet and the correctness of the number was not part of what I needed.

answered 29 Sep '15, 12:34 qsebas
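
The concatenation described in the answer, as an added example that is not part of the original post or of Wireshark: it reads the "mgcp.param.observedevents" values TShark prints and joins the digits seen between "hd" and "hu", also when they arrive in several packets. Assumptions: events are grouped by source address (ip.src), each event may carry an optional package prefix such as "D/", and the sample rows are constructed; the "digitMap" check is not covered.

```python
import re

# Constructed sample of TShark output (tab-separated), in the shape produced by
#   tshark -r capture.pcap -Y mgcp.param.observedevents \
#          -T fields -e frame.number -e ip.src -e mgcp.param.observedevents
# capture.pcap, the addresses and the digits are made up for this example.
SAMPLE = (
    "10\t192.0.2.10\tL/hd\n"
    "14\t192.0.2.10\t5,5,5\n"
    "17\t192.0.2.10\tD/0,D/1,D/4,D/2\n"
    "25\t192.0.2.10\thu\n"
    "31\t192.0.2.20\thd\n"
    "33\t192.0.2.20\t5,5,5,0,1,9,9\n"
)

DIGIT = re.compile(r"[0-9*#A-D]", re.IGNORECASE)  # DTMF symbols


def event_name(token):
    """Drop an optional package prefix (assumed form): "L/hd" -> "hd"."""
    return token.strip().rsplit("/", 1)[-1]


def dialed_numbers(tshark_output):
    """Return [(gateway, digits, hung_up)] with digits joined across packets."""
    calls, pending = [], {}  # pending: gateway -> digits since last off-hook
    for line in tshark_output.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[2]:
            continue  # malformed row or frame without ObservedEvents
        gateway, observed = parts[1], parts[2]
        for token in observed.split(","):
            event = event_name(token)
            if event.lower() == "hd":        # off-hook starts a new number
                pending[gateway] = ""
            elif event.lower() == "hu":      # on-hook closes the number
                number = pending.pop(gateway, "")
                if number:
                    calls.append((gateway, number, True))
            elif DIGIT.fullmatch(event):     # one dialed symbol per event
                pending[gateway] = pending.get(gateway, "") + event
    # Numbers whose hang-up is not in the capture are reported as still open.
    calls += [(gw, num, False) for gw, num in pending.items() if num]
    return calls


if __name__ == "__main__":
    for gateway, number, hung_up in dialed_numbers(SAMPLE):
        print(gateway, number, "complete" if hung_up else "no hang-up seen")
```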