The folks behind Wireshark have released version 0.99.7 for Windows. Wireshark (formerly Ethereal) is the de facto standard network protocol analyzer today. I personally use Wireshark and WildPackets’ OmniPeek depending on the situation or scenario.
Why the excitement behind the new release?
Well, for those of us who have tried in vain for many years to decode the UNISTIM protocol, the latest release of Wireshark promises to deliver us from our purgatory. The complete release notes can be found here. I’ll include just the pertinent part here:
New Protocol Support
ANSI TCAP, application/xcap-error (MIME type), CFM, DPNSS, EtherCAT, ETSI e2/e4, H.282, H.460, H.501, IEEE 802.1ad and 802.1ah, IMF (RFC 2822), RSL, SABP, T.125, TNEF, TPNCP, UNISTIM, Wake on LAN, WiMAX ASN Control Plane, X.224,
In summary, UNIStim is Nortel’s proprietary VoIP signaling protocol between their Internet Telephones (i2002, i2004, i2007, 1120e, 1140e, 1150e) and the Nortel Call Server (PBX) switch. The Internet Telephones and Call Server still utilize the Real-time Transport Protocol (RTP) for the actual voice path between two Internet phones or from a Voice Gateway Media Card (VGMC) to an Internet phone.
Let me provide an example of the new decode:
This trace was taken by mirroring the port connecting to an i2004 Internet Telephone. In the trace you will see that the top frames are an RTP stream between the i2004 (10.101.245.132) and a VGMC (10.117.240.43). The frame I’ve highlighted shows the Signaling Server (10.101.240.20) sending a UNIStim signal to the i2004 to close the audio channel. You can see that in the next packet the far end (10.117.240.43) has already closed the TCP socket, generating an ICMP unreachable message back to the i2004 phone.
Many thanks to Gerald Combs and all the contributors over at Wireshark!