Wireshark mailing list archives

Re: Determining how Wireshark detects T.38


From: Rayne <hjazz6 () ymail com>
Date: Wed, 22 Jun 2016 03:04:16 +0000 (UTC)

So what are the criteria to determine if the T.38 dissector succeeds or fails when the RTP dissector calls it, besides 
checking if RTPv2 packets were misidentified as RTP in the "dissect_t38_udp()" function?

"In addition, the dissectors for some protocols used in call setup, such as SDP and H.245, can, if they see an 
indication that UDP traffic to and from some port will be T.38 traffic, arrange that said traffic will be dissected as 
T.38."
For SDP, is it by comparing the media protocol string with "UDPTL"? 
For H.245, I only see the string comparison between "upcoming_channel_lcl->data_type_str" and "t38fax". What is the 
name of the field "upcoming_channel_lcl->data_type_str" as displayed in Wireshark?
What about H.225? I don't see any comparisons with any strings containing "t38", but is there a way to tell from H.225 
that the traffic is T.38?
Thank you.
Regards,
Rayne

      From: Guy Harris <guy () alum mit edu>
 To: Rayne <hjazz6 () ymail com>; Developer support list for Wireshark <wireshark-dev () wireshark org> 
 Sent: Tuesday, June 21, 2016 5:54 PM
 Subject: Re: [Wireshark-dev] Determining how Wireshark detects T.38
   
On Jun 21, 2016, at 2:17 AM, Rayne <hjazz6 () ymail com> wrote:

> I'm trying to follow the Wireshark source code to find out exactly how Wireshark determines that the layer above UDP 
> or RTP is a T.38 payload. 
>
> I assume that a heuristic dissector is used

Nope.

The RTP dissector gets a dissector handle for the T.38 dissector; that dissector is registered under the name "t38_udp".

If an RTP packet has a version number of 0, the RTP dissector assumes it's not RTP and, based on the setting of a 
preference for the RTP dissector, calls one of:

    the STUN dissector;

    the CLASSIC-STUN dissector;

    the T.38 dissector;

    the SPRT dissector;

    the ZRTP dissector, if the packet has "ZRTP" in bytes 4-8.

In addition, the dissectors for some protocols used in call setup, such as SDP and H.245, can, if they see an 
indication that UDP traffic to and from some port will be T.38 traffic, arrange that said traffic will be dissected as 
T.38.

And, if all else fails, the user can use "Decode As..." (or its command-line equivalent) to specify that UDP traffic to 
or from a particular port be dissected as T.38.
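
Added example, not part of the original thread and not Wireshark's code: a stand-alone C model of the version-0 hand-off described in the quoted reply above. The enum names, the sample bytes, treating versions 1 and 3 as unhandled, and checking for "ZRTP" before consulting the preference are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names modelling the preference in the post; not Wireshark's identifiers. */
typedef enum { PREF_NONE, PREF_STUN, PREF_CLASSIC_STUN, PREF_T38, PREF_SPRT } v0_pref_t;
typedef enum { TO_RTP, TO_STUN, TO_CLASSIC_STUN, TO_T38, TO_SPRT, TO_ZRTP, TO_NONE } handoff_t;

/* Constructed samples. UDPTL (the T.38 transport) starts with a 16-bit
 * sequence number, so a low sequence number leaves the two "version" bits 00. */
static const uint8_t udptl_seq1[]  = { 0x00, 0x01, 0x06, 0xc0, 0x01, 0x80, 0x00, 0x00 };
static const uint8_t zrtp_like[]   = { 0x10, 0x00, 0x00, 0x01, 'Z', 'R', 'T', 'P', 0, 0, 0, 1 };
static const uint8_t first_is_80[] = { 0x80, 0x00, 0x06, 0xc0, 0x01, 0x80, 0x00, 0x00 };

/* Decide which dissector gets a UDP payload that reached the RTP dissector. */
handoff_t classify(const uint8_t *p, size_t len, v0_pref_t pref)
{
    if (len == 0)
        return TO_NONE;
    unsigned version = p[0] >> 6;          /* top two bits of the first byte */
    if (version == 2)
        return TO_RTP;                     /* RTP proper (RFC 3550) */
    if (version != 0)
        return TO_NONE;                    /* assumption: the post covers only version 0 */
    /* "ZRTP" in bytes 4-8 of the post: four bytes at offsets 4..7. */
    if (len >= 8 && memcmp(p + 4, "ZRTP", 4) == 0)
        return TO_ZRTP;
    switch (pref) {
    case PREF_STUN:         return TO_STUN;
    case PREF_CLASSIC_STUN: return TO_CLASSIC_STUN;
    case PREF_T38:          return TO_T38;
    case PREF_SPRT:         return TO_SPRT;
    default:                return TO_NONE;
    }
}

int main(void)
{
    printf("udptl seq 1, pref T.38 -> %d\n", classify(udptl_seq1, sizeof udptl_seq1, PREF_T38));
    printf("udptl seq 1, pref STUN -> %d\n", classify(udptl_seq1, sizeof udptl_seq1, PREF_STUN));
    printf("zrtp-like,   pref T.38 -> %d\n", classify(zrtp_like, sizeof zrtp_like, PREF_T38));
    printf("first 0x80,  pref T.38 -> %d\n", classify(first_is_80, sizeof first_is_80, PREF_T38));
    return 0;
}
```

The last sample shows the limit of this path: a payload whose first byte has top bits 10 is handled as RTP whatever the preference says, which is where the signalling-based setup (SDP, H.245) or "Decode As..." comes in.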

  