This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

9641GS phone capture RTP packets

0

I am trying to do some testing of SRTP packets with an Avaya 9641GS phone. I have my computer plugged into the PC port on the phone. I turned on just normal RTP packets and I am not seeing the traffic in Wireshark. I am using G711Ulaw 64k codec (just in case it matters). I wanted to show the RTP packets when SRTP was turned off and then no packets when SRTP was used showing it was actually working as intended.

Oddly enough, I saw some RTP traffic but not consistently with an old version of Wireshark. I upgraded to 2.2.3 and I do not see any RTP packets anymore. I made sure that Analyze>Enabled Protocols>RDP_UDP along with all the other options for RTP. I feel like I am missing something silly but I cannot figure it out for the life of me. Any and all help would be greatly appreciated.

asked 15 Dec '16, 14:27

critchey880

edited 15 Dec '16, 14:29


One Answer:

1

You're not going to see the phone's signaling/media traffic by capturing off of the PC port.

Think of that phone as a 3 port switch. The LAN port [1], the PC Port [2], and the internal port for phone application [3]. Unless that particular model has a mirroring/span function, which I don't think it does, you will only see broadcast/multicast traffic from the VoIP application of the phone.

I recommend getting yourself a mirroring switch or TAP. Dualcomm makes a great little switchTAP that won't break the bank.

answered 15 Dec '16, 16:02

Rooster_50

edited 15 Dec '16, 16:06

Thanks, that is what I was missing. My switch does allow mirroring and I was able to see the packets as expected finally. I did notice something off though.

Everything worked exactly as expected using RTP. I saw the packets, captured the phone call, and could play back the audio. The interesting part was when I used SRTP. My understanding was that Wireshark could not see the SRTP packets but it actually did see the packets as RTP. It captured the phone call and even allowed me playback. The wavelengths were completely different and the only playback was static.

So my test worked showing that SRTP was working, it just worked in an unexpected way (unexpected by me).

Thanks for the information, I appreciate the help.

(16 Dec '16, 08:18) critchey880

SRTP only encrypts the payload (i.e. voice samples). The headers are still there, so Wireshark is able to interpret the RTP packets.

(16 Dec '16, 09:20) Rooster_50

See here.

(16 Dec '16, 10:01) Jaap ♦
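The behaviour described in the comments above, as an added example that is not part of the original thread: the RTP header parses the same way whether or not SRTP is on, so a check that media is really encrypted has to look at the payload instead. The function names, the sample packets, the 7.5 bits/byte entropy threshold, 160-byte PCMU payloads and a 10-byte SRTP authentication tag are all assumptions made for illustration.

```python
import math
import random
import struct
from collections import Counter

def parse_rtp(pkt: bytes) -> dict:
    """Parse the RTP header (RFC 3550). SRTP leaves this part in cleartext."""
    if len(pkt) < 12:
        raise ValueError("shorter than the 12-byte fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    off = 12 + 4 * (b0 & 0x0F)                # skip the CSRC list
    if b0 & 0x10:                             # header extension present
        if len(pkt) < off + 4:
            raise ValueError("truncated header extension")
        off += 4 + 4 * struct.unpack("!H", pkt[off + 2:off + 4])[0]
    if off > len(pkt):
        raise ValueError("header runs past end of packet")
    return {"pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc,
            "payload": pkt[off:]}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def looks_encrypted(packets, threshold=7.5) -> bool:
    """Heuristic: pooled payload entropy near 8 bits/byte suggests ciphertext.
    The 7.5 threshold is an assumption; tune it on your own captures."""
    pooled = b"".join(parse_rtp(p)["payload"] for p in packets)
    return entropy(pooled) > threshold

def build(seq: int, payload: bytes, pt: int = 0) -> bytes:
    """Constructed packet: V=2, PT 0 (PCMU), made-up SSRC, 160 samples/packet."""
    return struct.pack("!BBHII", 0x80, pt, seq, seq * 160, 0x1234ABCD) + payload

rng = random.Random(1)                        # fixed seed: repeatable sample data
QUIET = bytes([0xFF, 0x7F, 0xFE, 0x7E, 0xFD, 0x7D, 0xFC, 0x7C])
# Constructed stand-ins, not captured traffic: near-silent u-law samples for RTP,
# random bytes (160 "ciphertext" + 10-byte auth tag) for SRTP.
CLEAR = [build(s, bytes(rng.choice(QUIET) for _ in range(160))) for s in range(50)]
SRTP = [build(s, bytes(rng.getrandbits(8) for _ in range(170))) for s in range(50)]

if __name__ == "__main__":
    for name, stream in (("RTP", CLEAR), ("SRTP", SRTP)):
        h = parse_rtp(stream[3])
        print(name, h["pt"], h["seq"], len(h["payload"]), looks_encrypted(stream))
```

Both streams yield the same payload type and sequence numbers from the header; only the payload length and entropy separate them, which matches a capture that decodes as RTP but plays back as static.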