Re: How to identify voice traffic while passing through unconventional protocols such as DNS, SSL, SSLv3, IPA, RPCAP, RTMP

[Guy Harris <guy () alum mit edu>]

On Jan 6, 2012, at 10:43 AM, Azhar Chowdhury wrote:

> We have been observing there are voice traffic passing unconventional
> protocols such as the DNS, SSL, SSLv3, IPA, RPCAP, RTMP in our ISP
> data pipes.
> To identify this it takes long analysis in wireshark, is there any
> easy way to identify voice data with source & destip using tshark or
> other CLI based tool(s)?

I doubt it.  If people are using tricks such as the voice-over-DNS stuff Dan Kaminsky talked about (stuffing 
compressed-out-the-wazoo voice into TXT RRs - see slide 28 in the PowerPoint presentation at

        http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-kaminsky/bh-us-04-kaminsky.ppt

), i.e. stuffing voice into protocols not designed for voice, that's probably going to require either an algorithm 
running in meatware (as in "takes long analysis in Wireshark", presumably meaning "somebody's sitting in front of 
Wireshark trying to figure out what the heck is going on in the session) or a fairly sophisticated algorithm that 
could, say, identify Speex-encoded voice stuffed inside DNS TXT RRs.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe