Ask Your Question

How does wireshark keep track of sip.call_id_generated in mgcp packets?

asked 2019-10-18 07:23:56 +0000

Sip/sdp packets contain a field sip.call_id_generated which is even kept track of in mgcp/sdp packets but cannot be found inside raw bytes of mgcp/sdp packets. How does wireshark keep track of it then?

edit retag flag offensive close merge delete


Do you have an example capture to check this with? (captures can't be uploaded to, but you can upload one to a public file sharing service (like onedrive, dropbox, google drive, etc) and share the link here. Please make sure there is no sensitive information in the capture file.

SYN-bit gravatar imageSYN-bit ( 2019-10-18 08:22:41 +0000 )edit

Yeah here's a link to the pcap.

ShahRukh gravatar imageShahRukh ( 2019-10-18 08:47:32 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2019-10-18 09:59:23 +0000

SYN-bit gravatar image

Thanks for the pcap file. From looking at the packets I assume the SIP and MGCP packets are linked through the sip.call_id_generated field by inspecting the media description in the SDP part of the packets. Especially the fields sdp.connection_info and

As Wireshark uses a 2 pass dissection process, it first runs through all the packets and creates state information. In this state information, a call-id is linked to the media-ip/port from the SDP packets. Then on the second pass, the media-ip/port info in the packet will be used to retrieve the generated call-id.

So in your case, the generated call-id is created in reading the media description from packets 2 and 3 on the first pass. And then when displaying the MGCP packets (the second pass), the media description in the SDP part of the packets is the index to retrieve the generated call-id.

edit flag offensive delete link more


Oh thanks. So this means the only reason we're seeing the generated call id in MGCP is because of Wiresharks 2 pass process. So if someone wants to trace an MGCP call manually he will have to keep track of it using sdp.connection_info and

ShahRukh gravatar imageShahRukh ( 2019-10-18 11:26:07 +0000 )edit

Not sure what you mean by manually. If you mean with tshark, then you can add the -2 option to make it do a 2-pass dissection too. With other tools you indeed need to track the call setup and rtp yourself using the IP and PORT information from the SDP part of the packets.

SYN-bit gravatar imageSYN-bit ( 2019-10-18 12:25:03 +0000 )edit

Sorry for the delay. By manually I mean I am using DPDK to create my own application for recognizing calls made using MGCP but I couldn't figure out how to keep track of a single call and also the correlation between MGCP and SIP.

ShahRukh gravatar imageShahRukh ( 2019-10-21 06:34:27 +0000 )edit

As I do not have any experience with MGCP myself (other than analyzing your example), I would suggest reading the MGCP wiki page and the RFC's that are listed on that page to learn how MGCP works and interacts with SIP.

SYN-bit gravatar imageSYN-bit ( 2019-10-21 09:38:59 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2019-10-18 07:23:56 +0000

Seen: 38 times

Last updated: Oct 18