This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Find the sip.call-id of an RTN event?


Hi everybody,

I have a 50 MB pcap file with 80 captured VoIP calls. Only 2 of these VoIP sessions have an RTN (Retrain Negative) response inside, found using the display filter: t30.FacsimileControl == 50

The question is how I can automatically find the 2 caller IDs of the SIP sessions that contain RTN. I can find them manually by opening all 80 flow sequences one by one, but I need to automatically analyse hundreds of pcap files with thousands of VoIP calls.

Thank you for your precious support,

Serban

asked 26 May '16, 07:13


Serban


One Answer:


MATE is the answer. It allows you to extract some information from both the SIP packets and the RTP (well, udptl as we talk about T.38 here) packets into generated protocol fields added to their dissection trees, and use these generated protocol fields to link together the packets of different protocols which belong to the same VoIP call (and eventually filter on them).

In particular, you would use the connection information (IP address and port) from the SDPs to identify the RTP flow established using those SDPs, and augment each RTP packet with the contents of the From and To headers (and/or, if you insist, the Call-ID) of the establishing SIP INVITE. So you would again use your display filter t30.FacsimileControl == 50 to show only the udptl packets matching that expression, but the MATE fields added to the dissection tree of these packets would show the contents of the SIP headers as well.

answered 26 May '16, 07:36


sindy

edited 30 May '16, 04:36
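The same linkage the answer describes (SDP connection address/port identifying the UDPTL flow, then attaching the SIP identity to the T.30 frames) can also be done outside Wireshark with two tshark passes and a small join script. The following is an added example, not part of the original answer and not a MATE configuration: it uses real Wireshark field names (sip.Call-ID, sdp.connection_info.address, sdp.media.port, t30.FacsimileControl, ip.src/udp.srcport/ip.dst/udp.dstport), while the Call-IDs, addresses, ports and frame numbers in the embedded sample lines are constructed to stand in for tshark output. It collects SDP from every SIP message carrying one (offers and answers, including the re-INVITE that typically switches a call to T.38), so both fax endpoints are known, and matches an RTN frame on either its source or its destination tuple, since the RTN can come from either side.

```python
"""Correlate T.30 RTN frames (t30.FacsimileControl == 50) with the SIP
Call-ID of the session whose SDP set up the UDPTL (T.38) flow.

Two tshark passes (commands in the comments below) emit tab-separated
field lines; this script joins them on the SDP connection address/port,
the same linkage MATE would perform inside Wireshark.
All sample lines embedded here are constructed for illustration.
"""
from collections import defaultdict

# Pass 1: every SIP message carrying SDP, offers and answers alike, so
# both media endpoints are learned (a T.38 switchover is usually a
# re-INVITE, which "sip && sdp" also catches). Assumed invocation:
#   tshark -r calls.pcap -Y "sip && sdp" -T fields -E separator=/t \
#       -e sip.Call-ID -e sdp.connection_info.address -e sdp.media.port
# With several c=/m= lines in one message tshark joins values with ','.
SDP_LINES = """\
a84b4c76e66710@pc33.atlanta.example.com\t192.0.2.10\t5004
a84b4c76e66710@pc33.atlanta.example.com\t198.51.100.7\t6000
a84b4c76e66710@pc33.atlanta.example.com\t192.0.2.10\t5004,49170
a84b4c76e66710@pc33.atlanta.example.com\t198.51.100.7\t6000,49172
f81d4fae7dec@pc55.biloxi.example.com\t192.0.2.20\t5010
f81d4fae7dec@pc55.biloxi.example.com\t198.51.100.7\t6002
"""

# Pass 2: only the frames that carry an RTN. Assumed invocation:
#   tshark -r calls.pcap -Y "t30.FacsimileControl == 50" -T fields \
#       -E separator=/t -e frame.number -e ip.src -e udp.srcport \
#       -e ip.dst -e udp.dstport
RTN_LINES = """\
4012\t198.51.100.7\t49172\t192.0.2.10\t49170
7733\t203.0.113.5\t40000\t198.51.100.7\t6002
9001\t10.0.0.1\t1234\t10.0.0.2\t4321
"""


def build_flow_map(sdp_lines):
    """Map every (address, port) announced in SDP to the Call-IDs that
    announced it. Pairing each c= address with each m= port of the same
    message over-approximates slightly, which is harmless for lookup."""
    flows = defaultdict(set)
    for line in sdp_lines.splitlines():
        if not line.strip():
            continue
        call_id, addrs, ports = line.split("\t")
        for addr in addrs.split(","):
            for port in ports.split(","):
                if addr and port:
                    flows[(addr, int(port))].add(call_id)
    return flows


def correlate_rtn(rtn_lines, flows):
    """Return {frame_number: sorted Call-IDs} for every RTN frame. Both
    directions are checked because the RTN may come from either fax
    endpoint. An empty list means no SDP in the capture announced either
    endpoint (media negotiated outside the capture, or a NAT/SBC rewrote
    the addresses on the wire)."""
    result = {}
    for line in rtn_lines.splitlines():
        if not line.strip():
            continue
        frame, src, sport, dst, dport = line.split("\t")
        ids = set(flows.get((src, int(sport)), set()))
        ids |= flows.get((dst, int(dport)), set())
        result[int(frame)] = sorted(ids)
    return result


def call_ids_with_rtn(rtn_lines, flows):
    """Deduplicated Call-IDs whose fax session saw at least one RTN."""
    ids = set()
    for matched in correlate_rtn(rtn_lines, flows).values():
        ids.update(matched)
    return sorted(ids)


if __name__ == "__main__":
    flow_map = build_flow_map(SDP_LINES)
    for frame, ids in correlate_rtn(RTN_LINES, flow_map).items():
        print(frame, ids or "<no matching SDP>")
    print("Call-IDs with RTN:", call_ids_with_rtn(RTN_LINES, flow_map))
```

Running the two tshark commands over each pcap and feeding their output into build_flow_map and call_ids_with_rtn gives the list of Call-IDs per file without opening any flow sequence by hand. Frames that come back with no Call-ID are worth a look rather than being dropped silently: they usually mean the SDP that set up the flow is missing from the capture or was rewritten by a NAT or SBC between the capture point and the endpoint.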

Hi Sindy,

Thank you for your fast and accurate answer. I'll start learning MATE and hope to solve this problem. Keep you updated. Serban

(26 May '16, 08:54) Serban

@Serban, glad to help. Now something about the house rules (see site FAQ for details):

  • at this site, Answers are only posts which answer the original Question. All the rest are Comments. So I've converted your post accordingly.

  • the idea of this site is to build a Q&A knowledge base. So if you find an Answer helpful, mark it as such ("accept" it) by clicking the checkmark (not "thumbs up") icon next to it. This changes the colour in the list of questions to green, indicating to other people asking the same or a similar question that the Question has got a useful Answer. So as soon as you solve your task using MATE, please come back and Accept the answer.

(26 May '16, 09:06) sindy

OK Sindy. I'll be back on the topic as soon as I make progress on MATE. Thank you

(26 May '16, 09:56) Serban