Different versions of SIP packets on local and remote site?

retag add tags

I’m facing a problem with SIP protocol, which required capturing packets from local site with WireShark and remote site with TCPDUMP. When I analyze packages and specifically Register message, I notice Contact Header differs, in local capture Contact Header figure with a character "*" and remote Contact headers it appears with a double character of "@". Both files are open with same Wireshark version. Wireshark winpcap 4.1.2 version. Can't not figure what's going on.

Rmcgrath

asked 2020-08-05 23:25:28 +0000

19.9k

Guy Harris

updated 2020-08-06 18:53:48 +0000

edit flag offensive 0 remove flag close merge delete

Comments

Could you make both the local and remote capture files available, so we can look at them to try to figure out the reason for the difference?

Guy Harris (2020-08-06 02:30:20 +0000) edit

Have you tried with a current version of Wireshark?
Can you add version information from wireshark -v or Help->About Wireshark

Is it possible to share the capture files (or small section with the packets of interest)?

Chuckc (2020-08-06 02:43:08 +0000) edit

What sort of network devices are in between the local and remote site? Could they be modifying the SIP message?

grahamb (2020-08-06 09:51:18 +0000) edit

Sorry I couldn’t find how to reply to each and make with add a comment, is not like other forums

Could you make both the local and remote capture files available, so we can look at them to try to figure out the reason for the difference? Guy Harris ( 9 hours ago )

Have you tried with a current version of Wireshark? Can you add version information from wireshark -v or Help->About Wireshark

Answer

Unfortunately I can’t, because there is information about a SIP account access and thus is one of the most hacks on the networks. When I make the post I tried to attach screen shot but forum setting is not allowing because it demands rank level.

Version 1.6.2 (SVN Rev 38931 from /trunk-1.6)

Copyright 1998-2011 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There ...

(more)

Rmcgrath (2020-08-06 12:13:45 +0000) edit

Sorry I couldn’t find how to reply to each and make with add a comment, is not like other forums

Is it possible to share the capture files (or small section with the packets of interest)? Chuckc ( 9 hours ago )

Answer

Rmcgrath (2020-08-06 12:14:41 +0000) edit

add a comment see more comments

1 Answer

Sort by

oldest

newest

most voted

They have differences because they're different packets.

The packet in "Local site part 1" and "Local site part 2" is from UDP port 5060 to UDP port 5060.

The packet in "Remote site part 1" and "Remote site part 2" is from UDP port 5067 to UDP port 16301.

So this has nothing to do with tcpdump vs. Wireshark or WinPcap on Windows vs. libpcap on whatever UN*X you were running on. If they were supposed to be the same packets, perhaps the packets captured on the remote side had passed through some form of gateway equipment that had modified them.

19.9k

Guy Harris

answered 2020-08-06 18:53:17 +0000

edit flag offensive 0 remove flag delete link

Comments

I not agree, port it refer to sip Register packet and the other is Contact information, whatever my question is regardless to Contact information because on Remote information it seem more information and Local information only a character. The only difference was on the capture software because remote and local capture have analyzed with the same WireShark. Question why have differences, by the way gateway could never make change inside of packets the only possibility could be possible by using a SBC, in this case there no SBC.

Rmcgrath (2020-08-06 22:54:52 +0000) edit

The only difference was on the capture software

And the network on which you did the capturing.

Perhaps there was different traffic on the two networks. If there was, there is no reason to expect that there won't be differences in what you capture.

Clearly the packet you showed in "Local site" and the packet you showed in "Remote site" are NOT the same packet, given that the port numbers are different. If you want to convince us that the same packet looks different in the two captures, you will have to capture the same packet and show it as captured on both machines.

Guy Harris (2020-08-07 02:55:27 +0000) edit

I have no clue about SIP and what can be modified by hops, but the SIP element has clearly been modified as the UDP payload (presumably the SIP message) has changed from 479 bytes to 655 bytes, so modification of the SIP data you're interested in by the intervening devices seems a much more likely possibility rather than some sort of capture issue.

grahamb (2020-08-07 12:16:13 +0000) edit

Reply to Guy Harris

First of all I don’t have any intention to convincing anyone, simply to found answers through this forum. Regarding to capture has been done simultaneously, it is feasible that it is not the same packet since origination from a local network and goes through the router and causes modifications in order response from remote site will return to router and not a private address.

Rmcgrath (2020-08-07 13:28:33 +0000) edit

Reply to grahamb.

As Local site is connected in LAN and configuration on SIP account is related to remote site it should send and go through router and it will modified packet causing payload change. The clincher is, host send Register message and should receive server in order to response to host with a ACK message, is a basic handshaking and clearly it happens host send Register message and server have received, but don’t reply "ACK" message because it seems on Contact Header have detect a double character "@". So on local capture on Contact Header is not seems same information it only seems a “*” character, as both packets is analyzed with the same wireshark I could not found any logical reason of why it happens.

Rmcgrath (2020-08-07 13:44:02 +0000) edit

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer

Different versions of SIP packets on local and remote site? edit

Comments

1 Answer

Comments