Is it possible to detect if an H.323 connection (phone call) is up by simply sniffing traffic on an adjacent node?

+1  A: 

The most effective way seems to be to sniff all the TCP traffic to ports 1719 (RAS) and 1720 (H.225 signaling). You get signaling with high probability. Other ways are much harder.

Another alternative:

  • Check new TCP connections for TPKT traffic right from the start.
  • If the header is good (4 bytes to check) and the PDU seems a reasonable size, you need to decode this as H.225 signaling (ASN.1); this is not so simple and is a relatively resource-consuming operation.

The worst thing you can face is H.235 security with signaling protected. Almost nothing will help you in this case ;).

Roman Nikitchenko