1 | initial version |
Thanks for the pcap file. From looking at the packets I assume the SIP and MGCP packets are linked through the sip.call_id_generated field by inspecting the media description in the SDP part of the packets. Especially the fields sdp.connection_info
and sdp.media.port
.
As Wireshark uses a 2 pass dissection process, it first runs through all the packets and creates state information. In this state information, a call-id is linked to the media-ip/port from the SDP packets. Then on the second pass, the media-ip/port info in the packet will be used to retrieve the generated call-id.
So in your case, the generated call-id is created in reading the media description from packets 2 and 3 on the first pass. And then when displaying the MGCP packets (the second pass), the media description in the SDP part of the packets is the index to retrieve the generated call-id.