Re: Determining how Wireshark detects T.38

[Guy Harris <guy () alum mit edu>]

On Jun 21, 2016, at 8:04 PM, Rayne <hjazz6 () ymail com> wrote:

> So what is the criteria to determine if the T.38 dissector succeeds or fails when the RTP dissector calls it, besides 
> checking if RTPv2 packets were misidentified as RTP in the "dissect_t38_udp()" function?

There isn't one.  It's just called, and its return value is ignored.  There's a comment before one of the calls that 
reads /* XXX: Should really be calling a heuristic dissector for T38 ??? */, but that's not what's happening now.

> "In addition, the dissectors for some protocols used in call setup, such as SDP and H.245, can, if they see an 
> indication that UDP traffic to and from some port will be T.38 traffic, arrange that said traffic will be dissected 
> as T.38."
>
> For SDP, is it by comparing the media protocol string with "UDPTL"?

Among other things, yes.  There are some additional tests done in addition to that one.

> For H.245, I only see the string comparison between "upcoming_channel_lcl->data_type_str" and "t38fax". What is the 
> name of the field "upcoming_channel_lcl->data_type_str" as displayed in Wireshark?

It's set from the global (ick) variable "codec_type", which is set from DataApplicationCapability and/or DataMode in 
the H.245 packet.

> What about H.225? I don't see any comparisons with any strings containing "t38", but is there a way to tell from 
> H.225 that the traffic is T.38?

Wireshark currently doesn't do that.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe