VoIP packets showing up as bogus IP header in Ethereal

I'm having an issue with Ethereal showing VoIP packets as bogus IP header.  This was asked before but the solution was not posted.
DEMurrayIIIAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

jfradyCommented:
Interesting.  What version of Ethereal?  What sort of VoIP packets?  SIP, H323, etc?  Are the packets tagged?  Could you post more detail?

Tks!
0
DEMurrayIIIAuthor Commented:
Ethereal version 0.10.14   Using a Mitel 3300.  Sounds like what happen with Q_21555885.html.  The error I get in ethereal is  "Bogus IP Header length (0, must be at least 20)"
0
jfradyCommented:
Are you capturing inline with a hub or by mirroring a port?  Could the packets be fragmented?

Are you capturing the full packet for traffic other than the VoIP?
0
Cloud Class® Course: SQL Server Core 2016

This course will introduce you to SQL Server Core 2016, as well as teach you about SSMS, data tools, installation, server configuration, using Management Studio, and writing and executing queries.

DEMurrayIIIAuthor Commented:
Using a Hub.  Yes the packets could be fragmented.  The only thing on this VLAN is the voice.   Setup is out of Cisco 3750 port to Hub.  Hub has a connection to the Mitel 3300 and a connection to a non addressed NIC on pc.  I'm able to capture data.  I am capturing any and all traffic between Mitel 3300 and Cisco 3750 switch on vlan.
0
Tony_FriarCommented:
Hi,

The packets which are shown as "Bogus IP header length" are RTP packets. Ethereal only marks RTP packets as RTP packets if it also recognises the VoIP signalling that sets up the RTP stream (i.e. SIP, H.323). Ethereal looks into the VoIP siganlling to see which UDP ports are being used for RTP. It thens marks these ports as RTP flows.

As the Mitel 3300 does not use SIP or H.323 (it uses a Mitel protocol known as Minet) and Ethereal does not support Minet the RTP packets are not identified by Ethereal as RTP packets.

You can manually mark these packets as RTP by doing the following:

1) Highlight one of the packets, right click on it and select 'Decode as...'
2) Select RTP from the right hand column of options
3) On the ports button in the centre of the 'Decode as' screen select 'both ports'
4) Click 'Apply' and then 'OK'

The packets for that RTP flow and its return RTP flow should now show as RTP.

If you have multiple calls and hence multiple RTP flows using different ports you may need to do this for each call.

Regards

Tony
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Voice Over IP

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.