Ask Your Question


asked 2022-09-20 20:33:31 +0000

updated 2022-09-21 12:44:11 +0000

Hi, I'm capturing traffic from many IP phones, and the XOR_MAPPED_ADDRESS value as shown by the CLASSIC-STUN dissector in the packets never change. If I understand how STUN works, this is unexpected because it is the real value of the mapped IP address that should never change (under my test conditions, anyway), while the XOR_MAPPED_ADDRESS should change with every different magic-cookie/transactionID value.

All the phones NAT behind a single IP address, and the reflexive address does not change. Nor does the path to the STUN server, so the STUN server should always have the same IP address value as input to its XOR function. This means that XOR_MAPPED_ADDRESS should change all the time, while it and the cookie always XORs back to the same address.

Odder still is the value of the XOR_MAPPED_ADDRESS returned by the STUN server, as it is in the middle of the reserved network block.

I'm posting here to ask if the current version of Wireshark has any known bugs or caveats around the capture or display of the CLASSIC-STUN disscetor's XOR_MAPPED_ADDRESS value. I'm happy to implicate the STUN server itself, I just want to check on the tool as well.



edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2022-09-21 14:30:22 +0000

Jaap gravatar image

From what I can see in the dissector code there's no issue with the XOR_MAPPED_ADDRESS. The address is presented in its original form as read from the packet, and shown XOR'ed in a generated field.

When in doubt you can always look at the raw packet bytes to see what's there.

edit flag offensive delete link more


Hi Japp, Thanks for the quick response! Ok, nothing is broken in Wireshark, and that the displayed values in the Details and Bytes panes depict what is actually in the packet. This gives me firm ground on which to stand when I bring up the issue with the STUN server provider. Thanks again, David

davidh4wireshark gravatar imagedavidh4wireshark ( 2022-09-21 14:39:14 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2022-09-20 20:33:31 +0000

Seen: 34 times

Last updated: Sep 21