Analyzing T.38 Fax Relay Packet Captures

Packet capture programs such as the freely available Wireshark program can decode T.38 fax relay and even graphically display the fax messaging that is being transported by T.38. For more information about Wireshark and how to acquire this software program, refer back to the section "IP Troubleshooting" in this chapter.

TIP Sometimes the T.38 fax relay information in Wireshark is not displayed properly by default, and this usually occurs when NSEs are used for the switchover. If the T.38 packets are shown as RTP protocol packets and flagged in the "Info" field as "Unknown RTP version 0," you need to configure Wireshark to interpret the T.38 fax relay packets correctly. The first step in configuring Wireshark to properly display T.38 fax relay packets is to save the packets flagged as RTP into a separate file. In the "Filter" box toward the top of the Wireshark window, enter "rtp" and then click "Apply." This will display only the RTP packets. Save this RTP-filtered capture by selecting "Save As" from the "File" menu at the top of the screen. Make sure that under the "Packet Range" of the "Save As" dialog box you select "All Packets" and "Displayed." Now click "Save", and then open this newly saved file in Wireshark.

After opening the RTP filtered capture, you will no longer see any signaling information and the T.38 packets will probably still be flagged as RTP. To decode the RTP as T.38, you need to do the following. Highlight one of the T.38 packets. Then, under the "Analyze" menu at the top of the window, select "Decode As." In the new "Decode As" window that is created, scroll down and select "T.38" from the list of protocols. Beside UDP, you can also select "Both" so that the program will decode the UDP packets in both directions as T.38 fax relay. Click "OK" in the "Decode As" window, and Wireshark will reprocess the capture file, displaying the T.38 packets correctly. The only drawback of this procedure is that the true RTP packets that occur before the T.38 switchover will now be incorrectly interpreted as T.38, too.
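Why these packets are flagged "Unknown RTP version 0," and where the true RTP ends, as an added example that is not part of the original text: RTP carries its version in the top two bits of the first octet, while a T.38 UDPTL frame begins with a 16-bit sequence number that starts low, so those bits read as 0. The Python sketch below uses constructed payloads and hypothetical helper names, assumes all payloads come from one UDP flow, and reports the first UDPTL-like packet, which separates the packets that "Decode As" would wrongly show as T.38 from the real T.38 ones.

```python
import struct

def rtp_version(payload: bytes) -> int:
    """RTP version is the top two bits of the first octet (RFC 3550)."""
    return payload[0] >> 6

def looks_like_udptl(payload: bytes) -> bool:
    """Structural check: 16-bit sequence number, one-octet length of the
    primary IFP packet, the IFP body, then at least two octets of error
    recovery. IFP bodies of 128+ octets use a longer length form and are
    not handled here."""
    if len(payload) < 5:
        return False
    ifp_len = payload[2]
    return 0 < ifp_len < 0x80 and 3 + ifp_len + 2 <= len(payload)

def classify(payload: bytes) -> str:
    if not payload:
        return "other"
    version = rtp_version(payload)
    if version == 2 and len(payload) >= 12:   # 12 = fixed RTP header size
        return "rtp"
    if version == 0 and looks_like_udptl(payload):
        return "udptl"                        # shown by Wireshark as "RTP version 0"
    return "other"

def find_switchover(payloads):
    """Return (index of first UDPTL-like payload or None, counts per class)."""
    counts = {"rtp": 0, "udptl": 0, "other": 0}
    first = None
    for i, payload in enumerate(payloads):
        kind = classify(payload)
        counts[kind] += 1
        if kind == "udptl" and first is None:
            first = i
    return first, counts

# Constructed sample flow: three RTP packets, then three UDPTL frames.
def _rtp(seq, pt=0):
    return struct.pack("!BBHII", 0x80, pt, seq, seq * 160, 0x1234ABCD) + bytes(160)

def _udptl(seq, ifp):
    return struct.pack("!HB", seq, len(ifp)) + ifp + b"\x00\x00"

SAMPLE = [_rtp(100), _rtp(101), _rtp(102, pt=100),
          _udptl(0, b"\x00"), _udptl(1, b"\x06"), _udptl(2, b"\x06")]

if __name__ == "__main__":
    index, counts = find_switchover(SAMPLE)
    print(f"first UDPTL-like packet: #{index}, counts: {counts}")
```

The check is a heuristic: once a UDPTL sequence number reaches 0x4000 its top two bits are no longer 00, so it applies to the early part of a session, where the switchover occurs.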

After loading a T.38 fax relay capture into Wireshark, select the "Statistics" menu from the top of the main window and click "VoIP Calls." A window then appears listing all the VoIP calls found in the packet capture. Select the call that contains the T.38 session, and then click "Graph" at the bottom of the screen. Figure 12-21 shows part of the graph from Wireshark for a T.38 fax relay call.

Figure 12-21 Wireshark Graphical Display of a T.38 Fax Relay Call

[Figure: Wireshark "Graph Analysis" window, with a time column on the left, the T.38 fax messages exchanged between the two gateways in the center, a "Comment" column on the right, and a "Save As" button at the bottom.]



The graphical display of the T.38 fax relay call shown in Figure 12-21 is much easier to read than paging through hundreds if not thousands of lines of packets to see what is happening. The top of the display provides the IP addresses of the originating and terminating voice gateways. You can then see the T.38 encapsulated fax messaging flowing back and forth between the gateways.

The column on the left side provides the time of the fax message, in case you want to quickly find the packet containing that fax message in the capture file. The column on the right side of the graph provides additional information about each fax message and even keeps track of any packet loss during trainings and page transmissions.

TIP At the bottom of the screen shot in Figure 12-21 is a "Save As" button. Clicking this button enables you to save an ASCII text file portraying this graphical T.38 call information. This feature is useful for e-mailing results to others or for just saving a quick copy of the T.38 transaction information for future reference.

If you need to quickly analyze T.38 packet captures, looking through the T.38 message transaction graphically saves you a lot of time. You can zero in quickly on problems and not spend lots of time looking at T.38 packets individually.



  • wegahta
    How to access a t.38 wireshark?
    7 months ago
