VoIP packets showing up as bogus IP header in Ethereal

Posted on 2006-03-20
Last Modified: 2008-01-09
I'm having an issue with Ethereal showing VoIP packets as bogus IP header.  This was asked before but the solution was not posted.
Question by: DEMurrayIII
    LVL 9

    Expert Comment

    Interesting.  What version of Ethereal?  What sort of VoIP packets?  SIP, H323, etc?  Are the packets tagged?  Could you post more detail?


    Author Comment

    Ethereal version 0.10.14. Using a Mitel 3300. Sounds like what happened with Q_21555885.html. The error I get in Ethereal is "Bogus IP Header length (0, must be at least 20)"
    LVL 9

    Expert Comment

    Are you capturing inline with a hub or by mirroring a port?  Could the packets be fragmented?

    Are you capturing the full packet for traffic other than the VoIP?

    Author Comment

    Using a hub. Yes, the packets could be fragmented. The only thing on this VLAN is the voice. Setup is out of Cisco 3750 port to hub. Hub has a connection to the Mitel 3300 and a connection to a non-addressed NIC on PC. I'm able to capture data. I am capturing any and all traffic between Mitel 3300 and Cisco 3750 switch on VLAN.
    LVL 1

    Accepted Solution


    The packets which are shown as "Bogus IP header length" are RTP packets. Ethereal only marks RTP packets as RTP packets if it also recognises the VoIP signalling that sets up the RTP stream (i.e. SIP, H.323). Ethereal looks into the VoIP signalling to see which UDP ports are being used for RTP. It then marks these ports as RTP flows.

    As the Mitel 3300 does not use SIP or H.323 (it uses a Mitel protocol known as Minet), and Ethereal does not support Minet, the RTP packets are not identified by Ethereal as RTP packets.

    You can manually mark these packets as RTP by doing the following:

    1) Highlight one of the packets, right click on it and select 'Decode as...'
    2) Select RTP from the right hand column of options
    3) On the ports button in the centre of the 'Decode as' screen select 'both ports'
    4) Click 'Apply' and then 'OK'

    The packets for that RTP flow and its return RTP flow should now show as RTP.

    If you have multiple calls, and hence multiple RTP flows using different ports, you may need to do this for each call.
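
When the signalling cannot be decoded, the UDP port pairs that carry RTP can still be found by checking payloads against the RTP fixed header from RFC 3550. The following is an added example, not part of the original answer and not Ethereal's own logic: `parse_rtp`, `likely_rtp_flows` and `make_rtp` are hypothetical names, and the sample datagrams are constructed.

```python
import struct
from collections import defaultdict

def parse_rtp(payload):
    """Return (payload_type, seq, ssrc) if the bytes fit an RTP v2 header, else None."""
    if len(payload) < 12:                      # fixed RTP header is 12 bytes
        return None
    b0, b1, seq, _ts, ssrc = struct.unpack("!BBHII", payload[:12])
    # Version must be 2 and any CSRC list (4 bytes each) must fit in the payload.
    if b0 >> 6 != 2 or len(payload) < 12 + 4 * (b0 & 0x0F):
        return None
    return b1 & 0x7F, seq, ssrc

def likely_rtp_flows(datagrams, min_packets=3):
    """datagrams: iterable of (src_port, dst_port, udp_payload).
    Returns the set of (src_port, dst_port) pairs whose packets behave like one RTP stream."""
    flows = defaultdict(list)
    for sport, dport, payload in datagrams:
        flows[(sport, dport)].append(parse_rtp(payload))
    result = set()
    for key, hdrs in flows.items():
        if len(hdrs) < min_packets or None in hdrs:
            continue
        # One stream keeps the same payload type and SSRC on every packet.
        same_stream = len({(pt, ssrc) for pt, _seq, ssrc in hdrs}) == 1
        # Sequence numbers advance modulo 2**16; tolerate small gaps from loss.
        in_order = all(0 < (b[1] - a[1]) & 0xFFFF < 16 for a, b in zip(hdrs, hdrs[1:]))
        if same_stream and in_order:
            result.add(key)
    return result

def make_rtp(seq, ts, ssrc=0x1234ABCD, pt=0):
    """Build a constructed RTP packet: V=2, no padding/extension/CSRC, 160 payload bytes."""
    return struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, ts, ssrc) + b"\xff" * 160

# Constructed sample: one call (two directions), one syslog-like flow, and one
# flow whose first byte happens to look like RTP v2 but never advances.
SAMPLE = (
    [(50000, 50002, make_rtp(65534 + i, 160 * i, 0x1234ABCD)) for i in range(4)]
    + [(50002, 50000, make_rtp(100 + i, 160 * i, 0x0BADCAFE)) for i in range(4)]
    + [(1024, 514, b"<134>constructed syslog line")] * 3
    + [(4000, 4001, b"\x80" + b"\x00" * 15)] * 3
)

if __name__ == "__main__":
    for sport, dport in sorted(likely_rtp_flows(SAMPLE)):
        print(f"UDP {sport} -> {dport} looks like RTP")
```

Each port pair it reports is a candidate for the 'Decode as...' steps above; the check is a heuristic, so confirm the result in the decoded view.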


