________________________________________
From: [email protected] On Behalf Of Vivek Singla
While testing, I observed when capturing SIP packets in Wireshark that when
we put an intercept, there are basically 2 IP packets over the same Ethernet
frame. For example, the packet looks like:
Ethernet II / IP / UDP / PacketCable Lawful Intercept / IP / UDP / SIP
The source and dest IP addresses and port number are different in IP/UDP for
intercept and for SIP.
I am trying to understand how we can have 2 IP packets basically over the same
Ethernet frame?
_______________________________________________
It is unlikely that the packet is to be interpreted as an Ethernet frame
containing two UDP packets. More likely, the definition of the PacketCable
Lawful Intercept is that the tail end of the payload of the real ("first") UDP
packet is the complete IP packet that is being captured. That is, the final
"IP/UDP/SIP" is actually part of the payload of the real UDP header.
Some research on the PacketCable Lawful Intercept specification would probably
clarify this.
Dale
_______________________________________________
Sip-implementors mailing list
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
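
The layering described in the reply above, as an added example that is not part of the original thread: a frame is built and then dissected to show that the inner IP/UDP/SIP packet sits entirely inside the payload of the outer UDP datagram. The 4-byte shim length, the addresses, ports and SIP message are constructed assumptions; the actual intercept header layout has to be taken from the PacketCable specification.

```python
import struct

SHIM_LEN = 4  # ASSUMPTION: intercept identifier of 4 bytes precedes the inner IP packet

def ipv4(src, dst, payload, proto=17):
    """Build a minimal IPv4 header (no options, checksum left at 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split(".")))) + payload

def udp(sport, dport, payload):
    """Build a UDP header (checksum 0) plus payload; length covers header + payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def parse_ipv4_udp(buf):
    """Return (src, dst, sport, dport, udp_payload) for one complete IPv4/UDP packet."""
    if len(buf) < 28 or buf[0] >> 4 != 4 or buf[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    src, dst = (".".join(map(str, buf[o:o + 4])) for o in (12, 16))
    sport, dport, ulen, _ = struct.unpack("!HHHH", buf[ihl:ihl + 8])
    if total_len > len(buf) or ulen < 8 or ihl + ulen > total_len:
        raise ValueError("truncated or inconsistent lengths")
    return src, dst, sport, dport, buf[ihl + 8:ihl + ulen]

def dissect(frame):
    """Walk Ethernet / IP / UDP / shim / IP / UDP / SIP and report both layers."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4 over Ethernet")
    outer = parse_ipv4_udp(frame[14:])           # the one real IP packet in the frame
    shim, inner_pkt = outer[4][:SHIM_LEN], outer[4][SHIM_LEN:]
    inner = parse_ipv4_udp(inner_pkt)            # captured packet, carried as data
    return {"outer": outer[:4], "shim": shim, "inner": inner[:4],
            "sip": inner[4], "outer_udp_payload_len": len(outer[4])}

# Constructed sample data (documentation address ranges, made-up ports and shim value).
SIP = b"OPTIONS sip:bob@example.invalid SIP/2.0\r\n\r\n"
INNER = ipv4("192.0.2.10", "192.0.2.20", udp(5060, 5060, SIP))
OUTER = ipv4("198.51.100.1", "198.51.100.2",
             udp(40000, 40001, b"\x00\x00\x00\x2a" + INNER))
FRAME = bytes(12) + b"\x08\x00" + OUTER          # zeroed MACs, EtherType IPv4

if __name__ == "__main__":
    for key, value in dissect(FRAME).items():
        print(key, value)
```

The outer UDP length field accounts for the shim plus the whole inner packet, which is why a dissector shows two IP layers even though only one IP packet is on the wire.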