This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Different outputs in VoIP Calls Analysis for different versions of Wireshark, why?

0

In version 1.2.9, when I use the VoIP Calls analysis, I see only protocol H.323. In version 1.10.0, with the same capture file, when I use VoIP Calls analysis I see not only protocol H.323 in the output, but also another protocol, AC_ISDN. Does anybody know what is different? Obviously something changed between the versions. And why is the output of the VoIP Calls analysis so different? Where can I find more information? I was not able to upload an image to show you this...

asked 28 Feb '14, 01:25

lz1dsb
accept rate: 0%

Can you post a sample capture file somewhere (Google Drive, Dropbox, cloudshark.org)?

(28 Feb '14, 06:59) Kurt Knochner ♦

I have a sample capture where this issue is seen... but how can I upload the file?

(17 Mar '14, 07:29) lz1dsb

You can upload it to cloudshark.org, pcapr.net, a public Dropbox, or pretty much anywhere that the rest of us can get to it. You can even upload it to http://wiki.wireshark.org/SampleCaptures

(17 Mar '14, 08:06) Hadriel

One Answer:

1

A lot has changed since 1.2.9, including a bunch of new protocols and changes to dissectors of existing protocols. "AC_ISDN" is a part of the "ACtrace" protocol that Wireshark supports dissecting/analyzing, and "ACtrace" packets are basically trace packets from AudioCodes gateways.

I believe those packets can either appear as the whole payload of a UDP packet, or inside a LAPD message/packet; the latter case is probably what's happening for you. When you look in the protocol details of the packets in Wireshark, do you see the "ACtrace" message embedded in there?

Unfortunately the dissector has a fairly rudimentary heuristic for whether the LAPD's payload is an ACtrace packet or not, so it may be wrong. On the other hand, AudioCodes gateways do H.323, so maybe those really are ACtrace messages in your Wireshark capture?

As Kurt said, a sample capture would really help.

answered 28 Feb '14, 08:58

Hadriel
accept rate: 18%

Hadriel, thank you for this info. I haven't got any notification that anyone has answered my question. Anyway, I'm not able to find any information whatsoever about ACtrace. Is this an internal processing in Wireshark? I've uploaded an image showing what the VoIP Calls analysis looks like. Indeed it's the H.323 protocol in question.

(17 Mar '14, 05:26) lz1dsb

No, it's not a Wireshark internal thing - ACTrace is an AudioCodes thing. The "AC" stands for AudioCodes. The chances are that your capture is capturing an H.323 call from or to an AudioCodes H.323 gateway, and the AudioCodes gateway is sending those ACTrace/AC_ISDN messages.

(17 Mar '14, 08:08) Hadriel