Unified Networks IP Stimulus (UNIStim)
Unistim is a Nortel proprietary VOIP protocol. It is a lower level protocol than ["SIP"] or most other VOIP protocols. It's important to always think of the phone as a very dumb terminal. Whereas with ["SIP"], the phone has a basic understanding of a phone call,in Unistim the phone knows how to send key press events, display text, flash light, and stream audio. All intelligence is at the switch layer. Like ["SIP"] Unistim does use ["RTP"] as its audio transport. Unistim has a couple layers to it. Unistim
- |_sequence number |_packet-type (ack,nak,or payload)
- |_terminal id (if phone is originator)
- |_command array
- |_supporting data as required
- |_command array
In a nutshell every payload packet sent from either the switch or the phone has a sequence id. The receiver of the packet must send an ACK back with the sequence id. If the equipment is expecting id 1000 and instead receives 1004 it would send a NAK on packet 1000 and the sender would have to resend all packets beginning with 1000. 0xFFFFFFFF has special significance as a sequence number. When a phone starts up it would send 0xFFFFFFFF which the switch would then NAK, except the sequence number of the NAK would be the sequence number the switch wants the phone to use as a starting point. Also if the switch fails over to the backup it would use the 0xFFFFFFFF to signal the phone that a fail-over has occurred and the phone should take appropriate action.
It is my understanding that Unistim is basically an ["IP"] adaptation of Nortel's DMS protocol.
- ["UDP"]: Typically, UNIStim uses ["UDP"] as its transport protocol. The well known UDP port for UNISTIM traffic is 5000.
Example of multiple commands comming from the switch: attachment:cmd_array_from_switch.gif Example of phone sending key press event showing terminal id: attachment:phone_cmd.gif
The Unistim dissector is partially functional. Nortel has published a pdf which describes the protocol, but as I have been writing the dissector I have discovered several discrepancies. Some were decipherable but some weren't. There are a few commands which transmit either icon bitmaps or font descriptions which I have chosen to display as hex data.
None at this time
Example capture file
XXX - Add a simple example capture file to the SampleCaptures page and link from here (see below). Keep this file short, it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.
A complete list of PROTO display filter fields can be found in the [http://www.wireshark.org/docs/dfref/protofirstletter/proto.html display filter reference]
Show only the PROTO based traffic:
You cannot directly filter PROTO protocols while capturing. However, if you know the ["TCP"] port used (see above), you can filter on that one.
Capture only the Unistim traffic over the default port (5000):
udp port 5000