h248

H.248 or MEGACO Protocol

H.248 or MEGACO is a protocol used within a distributed Voice over IP system. Details on wikipedia http://en.wikipedia.org/wiki/Megaco

History

Protocol dependencies

Example traffic

!/1 [139.54.142.169]:2944 T=376 {C={A={M{ST=1{O{MO=SR},L{ v=0 o=- s=- c=IN IP4 $ m=audio $ RTP/AVP 8 },R{ v=0 o=- s=- c=IN IP4 172.16.32.51 m=audio 4202 RTP/AVP 8 }}},E=1{hangterm/thb{timerx=10}}}}}

!/1 [192.168.100.1] P=376{C=526{A=I/032822{M{L{v=0 c=IN IP4 196.19.20.60 m=audio 2646 RTP/AVP 8 },R{v=0 c=IN IP4 172.16.32.51 m=audio 4202 RTP/AVP 8 }}}}}

!/1 [139.54.142.169]:2944 K{376}

Wireshark

The H.248 dissector is fully functional.

Preference Settings

Example capture file

XXX - Add a simple example capture file to the SampleCaptures page and link from here (see below). Keep this file short, it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.

Display Filter

A complete list of H.248/MEGACO display filter fields can be found here

Show only the H.248 based traffic:

 h248 

Show only the Megaco based traffic:

 megaco 

Show the H.248 traffic without Audit & Transaction Ack:

 !(h248.commandReply_item == 5) && !(h248.command == 5) && !(h248.transactionResponseAck == 1) 

Capture Filter

You cannot directly filter H.248/Megaco protocols while capturing. However, if you know the port used (see above), you can filter on that one.

Capture only the H.248 traffic over the UDP port (2944):

 udp port 2944 

External links

Discussion


Imported from https://wiki.wireshark.org/h248 on 2020-08-11 23:14:35 UTC