H.248 or MEGACO Protocol

H.248 or MEGACO is a protocol used within a distributed Voice over IP system. Details on wikipedia http://en.wikipedia.org/wiki/Megaco

History

  • 2000 - joint work: H.248 version 1 by ITU-T and RFC3015 then RFC3525 ("MEGACO") by IETF.
  • 2002 - H.248.1 version 2 (Subseries H.248.2 to H.248.39 are created).
  • 2005 - H.248.1 version 3.

Protocol dependencies

  • TCP, UDP, SCTP: H.248 uses mainly SCTP or UDP as its transport protocol. The well known ports for H.248 gateway traffic are 2944 and 2945. First for text mode, second for binary.

Example traffic

  • Add (Request) an IP Termination :

!/1 [139.54.142.169]:2944 T=376 {C=${A=${M{ST=1{O{MO=SR},L{ v=0 o=- s=- c=IN IP4 $ m=audio $ RTP/AVP 8 },R{ v=0 o=- s=- c=IN IP4 172.16.32.51 m=audio 4202 RTP/AVP 8 }}},E=1{hangterm/thb{timerx=10}}}}}

  • Add (Reply) an IP Termination :

!/1 [192.168.100.1] P=376{C=526{A=I/032822{M{L{v=0 c=IN IP4 196.19.20.60 m=audio 2646 RTP/AVP 8 },R{v=0 c=IN IP4 172.16.32.51 m=audio 4202 RTP/AVP 8 }}}}}

  • Ack of the Transaction :

!/1 [139.54.142.169]:2944 K{376}

Wireshark

The H.248 dissector is fully functional.

Preference Settings

  • H.248 Gateway UDP Port: Set the UDP port for gateway messages.
  • Display the number of H.248 messages: Display the number of H.248 messages found in a packet in the protocol column.
  • Check "Display Filter" to avoid Audit Messages.

Example capture file

XXX - Add a simple example capture file to the SampleCaptures page and link from here (see below). Keep this file short, it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.

Display Filter

A complete list of H.248/MEGACO display filter fields can be found here

Show only the H.248 based traffic:

 h248 

Show only the Megaco based traffic:

 megaco 

Show the H.248 traffic without Audit & Transaction Ack:

 !(h248.commandReply_item == 5) && !(h248.command == 5) && !(h248.transactionResponseAck == 1) 

Capture Filter

You cannot directly filter H.248/Megaco protocols while capturing. However, if you know the port used (see above), you can filter on that one.

Capture only the H.248 traffic over the UDP port (2944):

 udp port 2944 

External links

Discussion


Imported from https://wiki.wireshark.org/h248 on 2020-08-11 23:14:35 UTC