Is it possible to detect if an H.323 connection (phone call) is up by simply sniffing traffic on an adjacent node?
2 Answers
4
The most effective way seems to be to sniff all the TCP traffic to ports 1719 (RAS) and 1720 (H.225 signaling). You get the signaling with high probability. Other ways are much harder.
Another alternative:
- Check new TCP connections with TPKT traffic right from the start.
- If the header is good (4 bytes to check) and the PDU seems a reasonable size, you need to decode it as H.225 signaling (ASN.1); this is not so simple and is a relatively resource-consuming operation.
The worst thing you can face is H.235 security with signaling protected. Almost nothing will help you in this case ;).

Roman Nikitchenko
-
_Check new TCP connections with TPKT traffic right from the start._ May I ask why we check connections with TPKT? What's the relation between TPKT and H.323? Thank you – Ebrahim Ghasemi Sep 01 '16 at 07:30
-
As the question is pretty old and I have switched domains several times since then, I cannot guarantee this is still valid, but at that time the Q.931 signalling channel was transported over H.225, which in turn uses TPKT for signalling messages (starting from Q.931 SETUP). – Roman Nikitchenko Sep 01 '16 at 13:43
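The TPKT check described in the answer and comment above, as an added example that is not part of either post: it validates the 4-byte TPKT header and PDU size, then reads only the Q.931 header (protocol discriminator, call reference, message type) to follow call state without decoding the ASN.1 body, which goes beyond what the answer describes. The function names, the `MAX_PDU` limit and the sample messages are assumptions constructed for illustration; the message-type values are the standard Q.931 ones.

```python
import struct

# Q.931 message types used by H.225.0 call signalling (standard Q.931 values).
Q931_TYPES = {0x01: "ALERTING", 0x02: "CALL PROCEEDING", 0x05: "SETUP",
              0x07: "CONNECT", 0x5A: "RELEASE COMPLETE", 0x62: "FACILITY"}
MAX_PDU = 8192  # assumed sanity limit for a "reasonable" signalling PDU


def parse_tpkt_stream(data):
    """Yield Q.931 message names from a reassembled TCP payload, or raise ValueError."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < 4:
            raise ValueError("truncated TPKT header")
        version, reserved, length = struct.unpack_from("!BBH", data, offset)
        if version != 3 or reserved != 0:  # TPKT: version 3, reserved octet 0
            raise ValueError("not TPKT")
        if not 4 + 3 <= length <= MAX_PDU:  # length includes the 4-byte header
            raise ValueError("unreasonable PDU size")
        if offset + length > len(data):
            raise ValueError("truncated PDU")
        pdu = data[offset + 4:offset + length]
        if pdu[0] != 0x08:  # Q.931 protocol discriminator
            raise ValueError("not Q.931")
        cr_len = pdu[1] & 0x0F  # call reference length in octets
        if len(pdu) < 2 + cr_len + 1:
            raise ValueError("short Q.931 header")
        msg_type = pdu[2 + cr_len]
        yield Q931_TYPES.get(msg_type, "0x%02x" % msg_type)
        offset += length


def call_is_up(payloads):
    """True if CONNECT was seen (payloads in capture order) with no later RELEASE COMPLETE."""
    up = False
    for data in payloads:
        for name in parse_tpkt_stream(data):
            if name == "CONNECT":
                up = True
            elif name == "RELEASE COMPLETE":
                up = False
    return up


def constructed_msg(msg_type, body=b""):
    """Build a constructed sample: TPKT + Q.931 header with call reference 0x1234."""
    pdu = bytes([0x08, 0x02, 0x12, 0x34, msg_type]) + body
    return struct.pack("!BBH", 3, 0, len(pdu) + 4) + pdu
```

Because a non-TPKT connection raises `ValueError` on its first four bytes, the check can be applied to every new TCP connection and the costly decoding reserved for the few that pass.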
0
If you only catch 1719 (RAS) and 1720 (H.225 signaling), you will miss any H.245 if there is an H.245 session, which is negotiated dynamically.
I would suggest that you capture all TCP sessions and UDP 1719 sessions between caller/caller/gate-keepers.

LeoChu