H248 Megaco call over SCTP (Forum Request)

An engineer in our forum requested an example call flow of H.248 Megaco over SCTP.

I've added it to the Sample Captures page.

Here is a direct link.
H248 Megaco over SCTP example call flow

SMS over SIP (forum request)

One of our users recently requested an example of SMS (Short Message Service) over SIP. I've added this to our Sample Captures page but thought other people might find it interesting as well. Here is the link:

SIP IM Message Example.

TCAP SUA SIGTRAN

TCAP MAP - This trace contains a MAP message carried in SIGTRAN SUA.

Sending Video and Audio to Soft Phones over SIP

Here are two new (and better) traces of sending video and audio to a softphone using SIP. One of them is video only.

Video over SIP - This is a trace of sending just video to a softphone.
Audio and Video over SIP - This is a trace of sending audio and video to a softphone.

Enjoy

VoIP Glossary

Are you new to VoIP? Here is a useful glossary of acronyms to help you get started. It is also linked under the useful links page.

SCTP Searches

Recently I have noticed a lot of searches on this site for traces containing SCTP. I browsed the web and found these 4 traces and decided to add them.

SCTP.cap - This trace contains sample SCTP PDUs.
SCTP-test.cap - This trace contains sample SCTP handshaking and DATA/SACK chunks.
SCTP-Add-IP.cap - Sample SCTP ASCONF/ASCONF-ACK chunks that perform a vertical handover.
SCTP-WWW.cap - Sample SCTP DATA chunks carrying HTTP messages between an Apache2 HTTP server and Mozilla.

Bluetooth Definition and Traces

Definition of Bluetooth From the Wikipedia Page:
Bluetooth is an industrial specification for wireless personal area networks (PANs). Bluetooth provides a way to connect and exchange information between devices such as mobile phones, laptops, PCs, printers, digital cameras, and video game consoles over a secure, globally unlicensed short-range radio frequency. The Bluetooth specifications are developed and licensed by the Bluetooth Special Interest Group.

Here are some sample captures from the Wireshark Sample Captures site:

l2ping.cap - This trace contains some Bluetooth packets captured using hcidump; the packets come from the l2ping command included with the Linux BlueZ stack.

Bluetooth1.cap - This trace contains some Bluetooth packets captured using hcidump.

ISDN Service Sub-addressing

ISDN Service Subaddressing.cap - This is a trace showing a test of the ISDN Sub-addressing service. The message contains a Q.931 SETUP with BC, CHI, CGPN, CDPN, CGPNS (calling sub-address) and CDPNS (called sub-address) elements. It is only a single frame but is still very interesting.

Crack Traces

Here are more crack traces that I pulled from the Wireshark wiki. I attached them to this page and added the links to Sample Captures. I am going to look for more traces of attacks and break-ins to possibly create a section of TechTraces focused on network security.

teardrop.cap - Packets 8 and 9 show the overlapping IP fragments of a Teardrop attack.

zlip-1.pcap - DNS exploit: a compression pointer that points to itself, causing endless message decompression.

zlip-2.pcap - DNS exploit: compression pointers that endlessly cross-reference each other during message decompression.

zlip-3.pcap - DNS exploit: a very long domain name built by decompressing the same hostname again and again.

can-2003-0003.pcap - Attack for CERT advisory CA-2003-03.
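The three zlip traces above all abuse DNS name compression. As an added example (not code from the page or from the captures themselves), here is a defensively written name decompressor that rejects each condition; the message bytes are constructed for illustration.

```python
MAX_NAME_LEN = 255   # RFC 1035 ceiling for a wire-format name

class DnsNameError(ValueError):
    """A name field that would trigger a decompression flaw."""

def read_name(msg: bytes, offset: int):
    """Decompress the name at `offset`; return (name, offset after the field).
    Rejects what the zlip traces rely on: a pointer to itself (zlip-1), pointers
    cross-referencing each other (zlip-2) and a chain that expands into an
    over-long name (zlip-3)."""
    labels, total, pos, end = [], 0, offset, None
    while True:
        if pos >= len(msg):
            raise DnsNameError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                        # compression pointer
            if pos + 1 >= len(msg):
                raise DnsNameError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            end = pos + 2 if end is None else end        # caller resumes here
            if target >= pos:   # RFC 1035 allows only a prior occurrence; this
                raise DnsNameError("self or forward pointer")   # also bounds hops
            pos = target
            continue
        if length & 0xC0:
            raise DnsNameError("unsupported label type")
        if length == 0:
            break
        total += length + 1
        if total > MAX_NAME_LEN:
            raise DnsNameError("name exceeds 255 octets")
        if pos + 1 + length > len(msg):
            raise DnsNameError("truncated label")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels) or ".", (pos + 1 if end is None else end)

def classify(msg: bytes, offset: int) -> str:
    """Return the decoded name, or the reason the field was rejected."""
    try:
        return read_name(msg, offset)[0]
    except DnsNameError as exc:
        return f"rejected: {exc}"

# Constructed message (not from the page's captures): 12-byte header, then
# "example.com" at offset 12, compressed "www.example.com" at 25, a pointer to
# itself at 31 (zlip-1 style) and mutually referencing pointers at 33 and 35
# (zlip-2 style).
SAMPLE = (bytes(12) + b"\x07example\x03com\x00" + b"\x03www\xc0\x0c"
          + b"\xc0\x1f" + b"\xc0\x23\xc0\x21")
```

Because a pointer may only reference an earlier offset, every hop moves strictly backwards, so the loop terminates without a separate hop counter.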

Virus Traces

I've noticed recently that we have had some more searches for security exploit traces. I collected these from the Wireshark wiki page. Here are the links, and I've also attached them to this page.

Slammer.pcap - Slammer worm sending a DCE RPC packet.

DNS-remoteshell.pcap - Watch frame 22: Wireshark flags a DNS anomaly caused by a remote shell riding on the DNS port. DNS anomaly detection made easy by Wireshark.

I will add crack attempts next.

SIP-ISUP UK format

UK Initiator Responder - This trace captures the send/receive call flow of a call between two phones using the UK format of ISUP over SIP.

Megaco Traffic Management Package and Diffserv Package Explanation and Examples

Megaco Traffic Management & Diffserv Packages - This trace shows two MEGACO Modify messages that demonstrate how to correctly encode the following packages:

The TMan (i.e. Traffic Management) package, namely H.248.53:

Traffic management package
Package Name: Traffic management package
PackageID: tman, (0x008d) - value allocated by IANA.
Description: This package allows traffic descriptors to be defined for a termination and allows policing to be explicitly enabled.
Version: 1
Extends: None

5.1.3 Maximum burst size
Property Name: Maximum burst size
PropertyID: mbs, (0x0003)
Description: This property defines maximum burst size in bytes for the stream.
Type: Integer
Possible values: Any positive integer.
Default: Provisioned based on SDP.
Defined in: Local Control
Characteristics: Read/Write

Secondly, the Diffserv package:

Package Name: Diff Serv Package
Package ID: diffserv (To be allocated through IANA)
Description: This package provides basic event and signal handling for terminations for using the Differentiated services between the two Media

Configuring EyeBeam 1.5 and OpenSER Proxy to Make Encrypted TLS SIP Calls on Debian Linux Distro

Hello to all my loyal visitors! The following is a documentation guide I wrote on how to configure EyeBeam 1.5 and the OpenSER SIP proxy to make encrypted TLS SIP calls on a Debian Linux box. More information can be found after the jump. I wrote this page after searching the web for two weeks trying to find a tutorial that worked for me. I must have sent 100 emails to the CounterPath support team before I finally figured it out. They were very helpful, and here is what I've learned!

========================================================
Step 1: Download and install OpenSER
========================================================

This can be done very easily with SVN. By the time you read this article, new versions may already have been released; you can check here. This article describes the configuration and installation of OpenSER 1.2. Use the following command line:

>svn co https://openser.svn.sourceforge.net/svnroot/openser/branches/1.2 openser

After you have downloaded it, you need to build it with TLS enabled. This is not (despite their documentation) enabled by default. To build with TLS enabled you must edit the Makefile: open it in your favorite editor, navigate to line 34, uncomment the TLS line, and then run the following command:

>make all

After you have installed it, you can check that it was done correctly by running the following command.

Successful and Failed TLS Handshake Examples

TLS Handshake - This trace shows a complete and successful TLS Handshake example.
TLS Decrypt Error - This trace shows an incomplete TLS handshake that fails because of a decryption error. This often happens when there is a certificate mismatch.

Definition of TLS

From Wikipedia:
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols which provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers. There are slight differences between SSL 3.0 and TLS 1.0, but the protocol remains substantially the same. The term "TLS" as used here applies to both protocols unless clarified by context.

The TLS protocol(s) allow applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications privacy over the Internet using cryptography. Typically, only the server is authenticated (i.e., its identity is ensured) while the client remains unauthenticated; this means that the end user (whether an individual or an application, such as a Web browser) can be sure with whom they are communicating. The next level of security — in which both ends of the "conversation" are sure with whom they are communicating — is known as mutual authentication. Mutual authentication requires public key infrastructure (PKI) deployment to clients. TLS involves three basic phases:

1. Peer negotiation for algorithm support
2. Public key encryption key-based exchange and certificate-based authentication
3. Symmetric cipher traffic-based encryption
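To tell the two traces above apart by inspecting the record layer rather than relying on the dissector, here is an added example (not code from the page or from any capture) that walks a merged TLS byte stream and classifies the handshake outcome. The two flows are constructed, and treating every handshake record after the first ChangeCipherSpec as encrypted is a simplifying assumption of the example.

```python
import struct

CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE = {1: "client_hello", 2: "server_hello", 11: "certificate",
             14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}
ALERT = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
         51: "decrypt_error"}

def parse_records(data: bytes):
    """Walk the record layer and return (content_type, detail) per record; both
    directions are assumed merged, so handshakes after the first CCS are opaque."""
    out, pos, encrypted = [], 0, False
    while pos < len(data):
        if pos + 5 > len(data):
            raise ValueError("truncated record header")
        ctype, length = struct.unpack("!B2xH", data[pos:pos + 5])   # type, ver, len
        body = data[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        kind, detail = CONTENT.get(ctype, f"unknown({ctype})"), ""
        if ctype == 20:
            encrypted = True
        elif ctype == 22 and body:
            detail = "encrypted" if encrypted else HANDSHAKE.get(body[0], f"type_{body[0]}")
        elif ctype == 21 and len(body) >= 2:
            level = {1: "warning", 2: "fatal"}.get(body[0], str(body[0]))
            detail = level + " " + ALERT.get(body[1], f"alert_{body[1]}")
        out.append((kind, detail))
        pos += 5 + length
    return out

def handshake_outcome(data: bytes) -> str:
    """'success' once both sides switched ciphers, 'failed: ...' on a fatal alert."""
    records = parse_records(data)
    for kind, detail in records:
        if kind == "alert" and detail.startswith("fatal"):
            return f"failed: {detail}"
    ccs = sum(1 for kind, _ in records if kind == "change_cipher_spec")
    return "success" if ccs >= 2 else "incomplete"

def rec(ctype: int, body: bytes) -> bytes:              # TLS 1.0 record wrapper
    return bytes([ctype, 3, 1]) + struct.pack("!H", len(body)) + body
def hs(msg_type: int, payload: bytes = b"") -> bytes:   # handshake message
    return rec(22, bytes([msg_type]) + len(payload).to_bytes(3, "big") + payload)

# Constructed flows (not the page's captures): hellos, certificate and key
# exchange, then either CCS + encrypted Finished from each side (GOOD) ...
COMMON = hs(1, bytes(34)) + hs(2, bytes(34)) + hs(11) + hs(14) + hs(16)
GOOD = COMMON + rec(20, b"\x01") + rec(22, bytes(12)) + rec(20, b"\x01") + rec(22, bytes(12))
# ... or the server answering the client's Finished with a fatal decrypt_error (BAD)
BAD = COMMON + rec(20, b"\x01") + rec(22, bytes(12)) + rec(21, b"\x02\x33")
```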

SIP Call with Voice and Video

SIP Eyebeam to Eyebeam Call - This trace contains two streams in each direction, e.g. SSRC 3554896964 and SSRC 4215298092. One is the audio (BV32) and the other is the video (H.263). The H.263 payload type is dynamic; it starts at 125 and changes to 126.

M2PA

M2PA Unexpected Level 3 Request - This trace shows the M2PA Link Status of an unexpected Level 3 Request. (Processor Outage, Busy, Busy Ended, Ready)

M3UA Traffic Generation Examples ( SS7 )

M3UA Traffic Generation Messaging at MGC - Illustrates traffic generation of M3UA messages with a media gateway controller. This is also technically an SS7 trace.
M3UA Traffic Generation Messaging at MG - Illustrates traffic generation of M3UA messages with a media gateway signalling gateway.

M3UA and other MTP Definitions

From Wikipedia:

The Message Transfer Part (MTP) is part of the Signalling System 7 (SS7) used for communication in Public Switched Telephone Networks. MTP is responsible for reliable, unduplicated and in-sequence transport of SS7 messages between communication partners.

MTP is made up of three levels, corresponding to layers in the OSI model: MTP Level 1 corresponds to OSI Layer 1 (the physical layer), MTP Level 2 to OSI Layer 2 (the data link layer), and MTP Level 3 to OSI Layer 3 (the network layer). MTP Level 3 is usually abbreviated as MTP3. Likewise MTP Level 2 and MTP Level 1 are abbreviated as MTP2 and MTP1.

MTP1 normally uses a timeslot in an E-carrier or T-carrier.

MTP2 provides error detection and sequence checking, and retransmits unacknowledged messages. MTP2 uses packets called signal units to transmit SS7 messages. There are three types of signal units: Fill-in Signal Unit (FISU), Link Status Signal Unit (LSSU), Message Signal Unit (MSU).

MTP3 provides routing functionality to transport signaling messages through the SS7 network to the requested endpoint. Each network element in the SS7 network has a unique address, the Signaling Point Code (SPC). Message routing is performed according to this address. A distinction is made between a Signaling Transfer Point (STP) which only performs MTP message routing functionalities and a Signaling End Point (SEP) which uses MTP to communicate with other SEPs (that is, telecom switches). MTP3 is also responsible for network management; when the availability of MTP2 data links changes, MTP3 establishes alternative links as required and propagates information about route availability through the network.

SIP-T Call Example

SIP MGC to MGC ISUP - This SIP-T call flow shows an MGC to MGC connection including ISUP messaging.