Wireshark mailing list archives

Re: Determining how Wireshark detects T.38


From: Guy Harris <guy () alum mit edu>
Date: Tue, 21 Jun 2016 02:54:24 -0700

On Jun 21, 2016, at 2:17 AM, Rayne <hjazz6 () ymail com> wrote:

> I'm trying to follow the Wireshark source code to find out exactly how Wireshark determines that the layer above UDP or RTP is a T.38 payload.
>
> I assume that a heuristic dissector is used

Nope.

The RTP dissector gets a dissector handle for the T.38 dissector; that dissector is registered under the name "t38_udp".

If an RTP packet has a version number of 0, the RTP dissector assumes it's not RTP and, based on the setting of a preference for the RTP dissector, calls one of:

        the STUN dissector;

        the CLASSIC-STUN dissector;

        the T.38 dissector;

        the SPRT dissector;

        the ZRTP dissector, if the packet has "ZRTP" in bytes 4-8.

In addition, the dissectors for some protocols used in call setup, such as SDP and H.245, can, if they see an indication that UDP traffic to and from some port will be T.38 traffic, arrange that said traffic will be dissected as T.38.

And, if all else fails, the user can use "Decode As..." (or its command-line equivalent) to specify that UDP traffic to or from a particular port be dissected as T.38.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
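
Added example, not part of the original post and not Wireshark source: a small C model of the version-0 hand-off described in the reply above. All identifiers, the constructed sample payloads, the "no hand-off" preference value, and the placement of the ZRTP check ahead of the preference are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names: a model of the hand-off described above, not Wireshark source. */
enum v0_pref { PREF_STUN, PREF_CLASSIC_STUN, PREF_T38, PREF_SPRT, PREF_NONE };
enum handoff { TO_RTP, TO_STUN, TO_CLASSIC_STUN, TO_T38, TO_SPRT, TO_ZRTP, TO_DATA };

static const char *const handoff_name[] = {
    "rtp", "stun", "classic-stun", "t38", "sprt", "zrtp", "data" };

/* Constructed sample payloads (not captured traffic). */
static const uint8_t udptl_pkt[] = { 0x00, 0x01, 0x06, 0xc0, 0x01, 0x80, 0x00, 0x00 }; /* UDPTL-style, seq 1 */
static const uint8_t zrtp_pkt[]  = { 0x10, 0x00, 0x00, 0x01, 'Z', 'R', 'T', 'P', 0, 0, 0, 1 };
static const uint8_t rtp_pkt[]   = { 0x80, 0x08, 0x00, 0x01, 0, 0, 0, 0xa0, 0, 0, 0, 1 };

enum handoff classify(const uint8_t *p, size_t len, enum v0_pref pref)
{
    if (len == 0)
        return TO_DATA;
    /* RTP carries its version in the top two bits of the first byte. */
    if ((p[0] >> 6) != 0)
        return TO_RTP;            /* this model leaves non-zero versions with RTP */
    /* Assumption: "bytes 4-8" means the four bytes at offsets 4..7, and the
     * check is made before the preference is consulted. */
    if (len >= 8 && memcmp(p + 4, "ZRTP", 4) == 0)
        return TO_ZRTP;
    /* Nothing in the payload is inspected here: the preference alone decides. */
    switch (pref) {
    case PREF_STUN:         return TO_STUN;
    case PREF_CLASSIC_STUN: return TO_CLASSIC_STUN;
    case PREF_T38:          return TO_T38;
    case PREF_SPRT:         return TO_SPRT;
    default:                return TO_DATA;   /* hypothetical "no hand-off" setting */
    }
}

int main(void)
{
    printf("udptl, pref=t38  -> %s\n", handoff_name[classify(udptl_pkt, sizeof udptl_pkt, PREF_T38)]);
    printf("udptl, pref=stun -> %s\n", handoff_name[classify(udptl_pkt, sizeof udptl_pkt, PREF_STUN)]);
    printf("zrtp,  pref=t38  -> %s\n", handoff_name[classify(zrtp_pkt, sizeof zrtp_pkt, PREF_T38)]);
    printf("rtp v2, pref=t38 -> %s\n", handoff_name[classify(rtp_pkt, sizeof rtp_pkt, PREF_T38)]);
    return 0;
}
```

In this model the same UDPTL-style bytes are handed to T.38 or to STUN depending only on the preference, so the same capture can be labelled differently under two different RTP dissector settings.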

