Wireshark mailing list archives

Re: How to identify voice traffic while passing through unconventional protocols such as DNS, SSL, SSLv3, IPA, RPCAP, RTMP


From: <Tim.Poth () bentley com>
Date: Fri, 6 Jan 2012 15:43:06 -0500

What about using something like SNORT with some custom rules to look at the traffic and kick out alerts when things 
don't make sense / match a pattern.

-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Guy Harris
Sent: Friday, January 06, 2012 3:27 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] How to identify voice traffic while passing through unconventional protocols such as 
DNS, SSL, SSLv3, IPA, RPCAP, RTMP


On Jan 6, 2012, at 10:43 AM, Azhar Chowdhury wrote:

We have been observing that there is voice traffic passing through unconventional 
protocols such as DNS, SSL, SSLv3, IPA, RPCAP, RTMP in our ISP 
data pipes.
To identify this takes long analysis in Wireshark; is there any 
easy way to identify voice data with source & dest IP using tshark or 
other CLI-based tool(s)?

I doubt it.  If people are using tricks such as the voice-over-DNS stuff Dan Kaminsky talked about (stuffing 
compressed-out-the-wazoo voice into TXT RRs - see slide 28 in the PowerPoint presentation at

        http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-kaminsky/bh-us-04-kaminsky.ppt

), i.e. stuffing voice into protocols not designed for voice, that's probably going to require either an algorithm 
running in meatware (as in "takes long analysis in Wireshark", presumably meaning "somebody's sitting in front of 
Wireshark trying to figure out what the heck is going on in the session") or a fairly sophisticated algorithm that 
could, say, identify Speex-encoded voice stuffed inside DNS TXT RRs.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
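Guy's point (a detector for voice stuffed into TXT RRs has to look at the payload, not the protocol) and Tim's custom-rule suggestion both come down to scoring flows on a few payload features. The following is an added example written for this archive page, not code from either poster; it assumes DNS TXT answers have already been pulled out of a capture into (time, client, queried name, payload) records (a tshark field export would do), and the two sample flows are constructed.

```python
import math
import random
import base64
from collections import Counter, defaultdict

# Records: (time_seconds, client_ip, queried_name, txt_payload_bytes); assumed input format.
_RNG = random.Random(7)  # deterministic source for the constructed sample only

def _random_payload(n: int) -> bytes:
    """Constructed stand-in for compressed audio: high-entropy bytes, base64 in TXT."""
    raw = bytes(_RNG.getrandbits(8) for _ in range(n))
    return base64.b64encode(raw)

SAMPLE_RECORDS = (
    # benign: a mail server refreshing an SPF record every 12 seconds (constructed)
    [(t * 12.0, "10.0.0.5", "example.com", b"v=spf1 include:_spf.example.com ~all")
     for t in range(5)]
    # suspicious: 20 TXT answers per second, each ~200 bytes of opaque data (constructed)
    + [(i * 0.05, "10.0.0.9", f"q{i}.t.example.net", _random_payload(200))
       for i in range(100)]
)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4 for English-like text, above 5.5 for base64 of random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def zone_of(qname: str, labels: int = 2) -> str:
    """Tunnels vary the leftmost labels per query; group them under the parent zone."""
    return ".".join(qname.rstrip(".").split(".")[-labels:])

def score_txt_flows(records, min_records=20, min_bytes_per_s=500.0, min_entropy=5.0):
    """Return {(client, zone): stats} for flows whose TXT traffic looks like a data channel."""
    flows = defaultdict(list)
    for t, client, qname, txt in records:
        flows[(client, zone_of(qname))].append((t, txt))
    flagged = {}
    for key, items in flows.items():
        if len(items) < min_records:  # too few answers to judge sustained throughput
            continue
        items.sort(key=lambda item: item[0])
        span = max(items[-1][0] - items[0][0], 1e-3)
        rate = sum(len(txt) for _, txt in items) / span  # TXT payload bytes per second
        entropy = sum(shannon_entropy(txt) for _, txt in items) / len(items)
        if rate >= min_bytes_per_s and entropy >= min_entropy:
            flagged[key] = {"records": len(items), "bytes_per_s": round(rate), "entropy": round(entropy, 2)}
    return flagged
```

Calling `score_txt_flows(SAMPLE_RECORDS)` flags only the 10.0.0.9 -> example.net flow; the thresholds are starting points to tune against your own baseline, since large legitimate TXT records (DKIM keys, for instance) are high-entropy but not sustained.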
