Question

Is it possible to detect if an H.323 connection (phone call) is up by simply sniffing traffic on an adjacent node?

Solution

The most effective way seems to be to sniff all the TCP traffic to ports 1719 (RAS) and 1720 (H.225 signaling). You get signaling with high probability. Other ways are much harder.

Another alternative:

  • Check new TCP connections with TPKT traffic right from the start.
  • If the header is good (4 bytes to check) and the PDU seems a reasonable size, you need to decode this as H.225 signaling (ASN.1); this is not so simple and is a relatively resource-consuming operation.

The worst thing you can face is H.235 security with signaling protected. Almost nothing will help you in this case ;).
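The 4-byte TPKT check described in the answer above, as an added example that is not part of the original answers. It goes one step further and reads the Q.931 message type that precedes the ASN.1 part of each H.225 call-signaling PDU, which is enough to follow call state without an ASN.1 decoder. The function names, the `MAX_PDU` bound and the sample bytes are assumptions constructed for illustration.

```python
import struct

# Q.931 message types carried in H.225.0 call signaling (subset).
Q931_TYPES = {0x01: "ALERTING", 0x02: "CALL PROCEEDING", 0x05: "SETUP",
              0x07: "CONNECT", 0x5A: "RELEASE COMPLETE"}
NEXT_STATE = {"SETUP": "setup", "ALERTING": "ringing", "CONNECT": "up",
              "RELEASE COMPLETE": "released"}
MAX_PDU = 8192  # assumed bound for a "reasonable" PDU size; tune per network

def parse_tpkt(stream: bytes):
    """Split a reassembled TCP stream into TPKT payloads -> (payloads, leftover)."""
    payloads, off = [], 0
    while len(stream) - off >= 4:
        version, reserved, length = struct.unpack_from("!BBH", stream, off)
        # RFC 1006 header: version 3, reserved 0, length includes the 4 header bytes.
        if version != 3 or reserved != 0 or not 4 < length <= MAX_PDU:
            raise ValueError(f"not TPKT at offset {off}")
        if len(stream) - off < length:
            break  # PDU continues in a later TCP segment
        payloads.append(stream[off + 4:off + length])
        off += length
    return payloads, stream[off:]

def q931_message_type(payload: bytes):
    """Return the Q.931 message name, or None if the framing does not match."""
    if len(payload) < 3 or payload[0] != 0x08:   # 0x08 = Q.931 protocol discriminator
        return None
    cr_len = payload[1] & 0x0F                   # call reference length in octets
    if len(payload) < 3 + cr_len:
        return None
    mtype = payload[2 + cr_len]
    return Q931_TYPES.get(mtype, f"0x{mtype:02x}")

def call_state(stream: bytes) -> str:
    """Follow the signaling messages of one call and return its last known state."""
    state = "idle"
    for payload in parse_tpkt(stream)[0]:
        state = NEXT_STATE.get(q931_message_type(payload), state)
    return state

def _pdu(mtype: int) -> bytes:
    """Build a constructed TPKT + Q.931 header (call reference 0x1234, no IEs)."""
    body = bytes([0x08, 0x02, 0x12, 0x34, mtype])
    return struct.pack("!BBH", 3, 0, len(body) + 4) + body

# Constructed sample: PDUs of one call concatenated in arrival order.
SAMPLE = _pdu(0x05) + _pdu(0x02) + _pdu(0x01) + _pdu(0x07)

if __name__ == "__main__":
    print(call_state(SAMPLE))
```

A `ValueError` from `parse_tpkt` on the first bytes of a new TCP connection means the stream is not TPKT and can be dropped from further inspection.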

OTHER TIPS

If you only catch 1719 (RAS) and 1720 (H.225 signaling), you will miss H.245, if there is an H.245 session, which is negotiated dynamically.

I would suggest that you capture all TCP sessions and UDP 1719 sessions between caller/caller/gate-keepers.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow