Hi, I'm capturing traffic from many IP phones, and the XOR_MAPPED_ADDRESS value in the packets never change. If I understand how STUN works, this is unexpected because it is the real value of the mapped IP address that should never change, while the XOR_MAPPED_ADDRESS should change with every different magic-cookie/transactionID value.
All the phones NAT behind a single IP address, and this address does not change. Nor does the path to the STUN server, so the STUN server should always have the same IP address value as input to its XOR function. This means that XOR_MAPPED_ADDRESS should change all the time, while it and the cookie always XORs back to the same address.
Odder still is the value of the XOR_MAPPED_ADDRESS returned by the STUN server, as it is in the middle of the 240.0.0.0/4 reserved network block.
I'm posting here to ask if the current version of Wireshark has any known bugs or caveats around the capture or display of the STUN XOR_MAPPED_ADDRESS value. I'm happy to implicate the STUN server itself, I just want to check on the tool as well.
Thanks,
David
