Thanks for the pcap file. From looking at the packets I assume the SIP and MGCP packets are linked through the sip.call_id_generated field by inspecting the media description in the SDP part of the packets. Especially the fields sdp.connection_info and sdp.media.port.
As Wireshark uses a 2 pass dissection process, it first runs through all the packets and creates state information. In this state information, a call-id is linked to the media-ip/port from the SDP packets. Then on the second pass, the media-ip/port info in the packet will be used to retrieve the generated call-id.
So in your case, the generated call-id is created in reading the media description from packets 2 and 3 on the first pass. And then when displaying the MGCP packets (the second pass), the media description in the SDP part of the packets is the index to retrieve the generated call-id.
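A small model of the two-pass lookup described in the answer above, added here as an illustration; it is not Wireshark's dissector code. The function names, the `PACKETS` list and all message contents are constructed assumptions. It shows an MGCP frame that precedes the SIP packets resolving to a call-id only when the state is built in a first pass.

```python
import re

def sdp_media(msg):
    """(ip, port) for each m= line; a media-level c= overrides the session one."""
    session_ip, media = None, []
    for line in msg.partition("\r\n\r\n")[2].splitlines():
        if line.startswith("c="):
            ip = line.split()[-1]
            if media:
                media[-1] = (ip, media[-1][1])
            else:
                session_ip = ip
        elif line.startswith("m="):
            media.append((session_ip, int(line.split()[1])))
    return [m for m in media if m[0]]

def learn(state, msg):
    """Record media ip/port -> Call-ID from a SIP message carrying SDP."""
    hit = re.search(r"^Call-ID\s*:\s*(\S+)", msg, re.I | re.M)
    if hit:
        for key in sdp_media(msg):
            state.setdefault(key, hit.group(1))

def correlate(packets, two_pass=True):
    """Map each MGCP frame number to the call-ids found via its SDP."""
    state, result = {}, {}
    if two_pass:  # pass 1: build state from every SIP packet first
        for _, proto, msg in packets:
            if proto == "SIP":
                learn(state, msg)
    for frame, proto, msg in packets:  # pass 2 (or the only pass)
        if proto == "SIP" and not two_pass:
            learn(state, msg)
        elif proto == "MGCP":
            result[frame] = sorted({state[k] for k in sdp_media(msg) if k in state})
    return result

# Constructed sample messages, not taken from the capture in this thread.
SDP_A = "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 40000 RTP/AVP 0\r\n"
SDP_B = "v=0\r\nc=IN IP4 192.0.2.1\r\nm=audio 50000 RTP/AVP 0\r\nc=IN IP4 192.0.2.20\r\n"
SDP_C = "v=0\r\nc=IN IP4 192.0.2.99\r\nm=audio 6000 RTP/AVP 0\r\n"
SIP = "Call-ID: a1@example.test\r\nContent-Type: application/sdp\r\n\r\n"
PACKETS = [
    (1, "MGCP", "200 1001 OK\r\nI: 1A\r\n\r\n" + SDP_A),  # seen before any SIP
    (2, "SIP", "INVITE sip:bob@example.test SIP/2.0\r\n" + SIP + SDP_A),
    (3, "SIP", "SIP/2.0 200 OK\r\n" + SIP + SDP_B),
    (4, "MGCP", "MDCX 1002 ep1@gw.example.test MGCP 1.0\r\n\r\n" + SDP_B),
    (5, "MGCP", "MDCX 1003 ep2@gw.example.test MGCP 1.0\r\n\r\n" + SDP_C),
]

if __name__ == "__main__":
    print(correlate(PACKETS))
    print(correlate(PACKETS, two_pass=False))
```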
Do you have an example capture to check this with? (Captures can't be uploaded to ask.wireshark.org, but you can upload one to a public file sharing service (like OneDrive, Dropbox, Google Drive, etc.) and share the link here.) Please make sure there is no sensitive information in the capture file.
Yeah here's a link to the pcap. https://drive.google.com/open?id=1Pgm...