H.248 or MEGACO Protocol

H.248 or MEGACO is a protocol used within a distributed Voice over IP system. Details on wikipedia http://en.wikipedia.org/wiki/Megaco


  • 2000 - joint work: H.248 version 1 by ITU-T and RFC3015 then RFC3525 ("MEGACO") by IETF.
  • 2002 - H.248.1 version 2 (Subseries H.248.2 to H.248.39 are created).
  • 2005 - H.248.1 version 3.

Protocol dependencies

  • TCP, UDP, SCTP: H.248 uses mainly SCTP or UDP as its transport protocol. The well known ports for H.248 gateway traffic are 2944 and 2945. First for text mode, second for binary.

Example traffic

  • Add (Request) an IP Termination :

!/1 []:2944 T=376 {C=${A=${M{ST=1{O{MO=SR},L{ v=0 o=- s=- c=IN IP4 $ m=audio $ RTP/AVP 8 },R{ v=0 o=- s=- c=IN IP4 m=audio 4202 RTP/AVP 8 }}},E=1{hangterm/thb{timerx=10}}}}}

  • Add (Reply) an IP Termination :

!/1 [] P=376{C=526{A=I/032822{M{L{v=0 c=IN IP4 m=audio 2646 RTP/AVP 8 },R{v=0 c=IN IP4 m=audio 4202 RTP/AVP 8 }}}}}

  • Ack of the Transaction :

!/1 []:2944 K{376}


The H.248 dissector is fully functional.

Preference Settings

  • H.248 Gateway UDP Port: Set the UDP port for gateway messages.
  • Display the number of H.248 messages: Display the number of H.248 messages found in a packet in the protocol column.
  • Check "Display Filter" to avoid Audit Messages.

Example capture file

XXX - Add a simple example capture file to the SampleCaptures page and link from here (see below). Keep this file short, it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.

Display Filter

A complete list of H.248/MEGACO display filter fields can be found here

Show only the H.248 based traffic:


Show only the Megaco based traffic:


Show the H.248 traffic without Audit & Transaction Ack:

 !(h248.commandReply_item == 5) && !(h248.command == 5) && !(h248.transactionResponseAck == 1) 

Capture Filter

You cannot directly filter H.248/Megaco protocols while capturing. However, if you know the port used (see above), you can filter on that one.

Capture only the H.248 traffic over the UDP port (2944):

 udp port 2944 

External links


Imported from https://wiki.wireshark.org/h248 on 2020-08-11 23:14:35 UTC