Maybe it's just the Cisco RLM dissector getting a "false positive"; almost all the packets appear not to be LAPD-over-UDP, even if the dissector is treating them as such, given all the errors in the dissection. To quote a comment in that dissector:
The heuristic dissector's check is pretty weak - it just checks whether what would be the control field if the packet were LAPD-over-UDP looks "good enough", which could just mean that the first byte of the payload doesn't happen to have both bits set. That extremely weak check isn't done for arbitrary UDP traffic, but it is done where the source and destination port numbers are the same and are between 3001 and 3015.
Unfortunately, there's no way to disable that dissector. Perhaps we should add a way to disable it and should also attempt to strengthen the heuristic.
answered 26 Jun '12, 14:56
Guy Harris ♦♦
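The weakness described in the answer above can be made concrete with a small model. This is an added example, not Wireshark's dissector code; the function names are hypothetical, and it assumes "both bits" means the two low-order bits (0x03) of the byte the answer calls the control field.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Port range quoted in the answer above. */
#define PORT_MIN 3001
#define PORT_MAX 3015
/* Assumption: "both bits" means the two low-order bits of the control byte. */
#define CTRL_BOTH_BITS 0x03

/* Model of the weak heuristic: true means "claim this datagram as LAPD-over-UDP". */
static bool weak_heuristic_accepts(uint16_t sport, uint16_t dport,
                                   const uint8_t *payload, size_t len)
{
    if (sport != dport || sport < PORT_MIN || sport > PORT_MAX)
        return false;   /* port gate: equal ports within 3001-3015 */
    if (len == 0)
        return false;   /* no byte to inspect */
    return (payload[0] & CTRL_BOTH_BITS) != CTRL_BOTH_BITS;
}

/* Count how many of the 256 possible first bytes pass once the port gate is met. */
static int accepted_first_bytes(void)
{
    int n = 0;
    for (int b = 0; b < 256; b++) {
        uint8_t byte = (uint8_t)b;
        if (weak_heuristic_accepts(3005, 3005, &byte, 1))
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample payload: plain ASCII, not LAPD. */
    const uint8_t text[] = "hello";
    printf("ASCII on 3005/3005 accepted: %d\n",
           weak_heuristic_accepts(3005, 3005, text, 5));
    printf("same payload on 3005/3006:   %d\n",
           weak_heuristic_accepts(3005, 3006, text, 5));
    printf("first bytes accepted: %d of 256\n", accepted_first_bytes());
    return 0;
}
```

Under these assumptions three quarters of all possible first bytes pass, so once the port condition is met most unrelated UDP payloads are handed to the LAPD dissection path.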
Could be some kind of VoIP solution. See here: http://wiki.wireshark.org/Q.931
Can you identify the device that used IP 192.168.0.254? Based on that information you might get an idea what generates Q.931 traffic (like a PBX with IP interface).
answered 26 Jun '12, 12:51
Q.931 is typically one layer below H.225 (H.323 VoIP signalling), unless you have some TDM traffic captured from a specialist TDM (ISDN) analyser, such as MtyEye.
The .255 address will be the broadcast address assuming the mask is 255.255.255.0 and .254 may well be the default gateway (hence Cisco MAC).
However, I cannot see why Q.931 traffic would be targeting the broadcast address.
What is the subnet mask?
answered 26 Jun '12, 14:32
Are you running Wireshark V1.8.0? If so, could it be worth checking the ISDN preference to ensure it is set to LAPD? There were some changes made by Guy in this area.
answered 27 Jun '12, 06:16