H.323 Signaling Protocol Explained With Wireshark (2024)

H.323 Signaling Protocol Explained With Wireshark (1)

H.323 signaling protocol is the most misunderstanding and complex signaling protocol compared to SIP protocol. And this is why SIP is becoming familiar today, but this does not mean that H.323 is no longer used, instead it is still there supported by Telepresence Endpoints and still supported by Cisco Expressway Series, where the Cisco Expressway-C is the Call Control for both H.323 and SIP signaling protocols.

From the Cisco Collaboration exams 's perspective, H.323 is largely covered and detailed in CLCOR and CLCEI (Implementing Cisco Collaboration Cloud and Edge Solutions) courses.

  • How the call setup works?
  • What is the role of H.225 and H.245 signaling messages?
  • How the RTP informations (IP Addresses and RTP ports) are negotiated?

See below the answer using wireshark.

H.323 Phone 1 and H.323 Phone 2 are registered to Cisco Expressway-C with the E.164 1001 and 1002 respectively.

A call is initiated and established from 1001 to 1002.

H.323 Phone 1 10.1.5.130 establishes a TCP connection for a new call with Cisco Expressway-C 10.1.5.20, destination port is 1720.

H.323 Signaling Protocol Explained With Wireshark (2)

A Q.931 SETUP message through H.225 protocol is sent by H.323 Phone 1 10.1.5.130 once the TCP connection has been established with Cisco Expressway-C, indicating the Calling party number 1001 and Called party number 1002.

H.323 Signaling Protocol Explained With Wireshark (3)

The H.225 message body contains the sourceCallSignalAddress:ip address = 10.1.5.130.

H.323 Signaling Protocol Explained With Wireshark (4)

The Cisco Expressway 10.1.5.20 responds with Q.931 CallProceeding indication to H.323 Phone 1.

H.323 Signaling Protocol Explained With Wireshark (5)

The Cisco Expressway-C 10.1.5.2O establishes a TCP connection for a new call with the H.323 Phone 2 10.1.5.122, destination port is 1720.

H.323 Signaling Protocol Explained With Wireshark (6)

A Q.931 SETUP message through H.225 protocol is sent by Cisco Expressway-C 10.1.5.20 once the TCP connection has been established with H.323 Phone 2, indicating the Calling party number 1001 and Called party number 1002.

H.323 Signaling Protocol Explained With Wireshark (7)

The called subscriber H.323 Phone 2 10.1.5.122 responds with Q.931 CallProceeding indication to Cisco Expressway-C 10.1.5.20.

H.323 Signaling Protocol Explained With Wireshark (8)

The Q.931 ALERTING message is sent by H.323 Phone 2 10.1.5.122 indicating that the called subscriber is now being ring.

H.323 Signaling Protocol Explained With Wireshark (9)

The Q.931 ALERTING message is sent by Cisco Expressway-C 10.1.5.20 indicating the caller 10.1.5.130 that the called subscriber 10.1.5.122 is now being ring.

H.323 Signaling Protocol Explained With Wireshark (10)

The H.323 Phone 2 10.1.5.122 answers the call. The Q.931 connect message by is sent by the Called Party 10.1.5.122 to Cisco Expressway-C. The message contains information the H.245 negociation port 49304.

H.323 Signaling Protocol Explained With Wireshark (11)

The Q.931 connect message by is sent by the Cisco Expressway-C to H.323 Phone 1. The message contains information the H.245 negociation port 15005.

H.323 Signaling Protocol Explained With Wireshark (12)

Now H.323 Phone 1 and Cisco Expressway-C establish a TCP connection for H.245 negociation with destination port 15005.

H.323 Signaling Protocol Explained With Wireshark (13)

Caller party negociates the codec by sending the H.245 TerminalCapabilitySet Request message.

H.323 Signaling Protocol Explained With Wireshark (14)

Calling Party 10.1.5.130 negociates master-slave by sending the masterSlaveDetermination message.

H.323 Signaling Protocol Explained With Wireshark (15)

Now Cisco Expressway-C and H.323 Phone 2 establish a TCP connection for H.245 negociation with destination port 49304.

H.323 Signaling Protocol Explained With Wireshark (16)

Called party negotiates the codec by sending the H.245 TerminalCapabilitySet Request message.

H.323 Signaling Protocol Explained With Wireshark (17)

CalledParty 10.1.5.122 also negotiates master-slave by sending the masterSlaveDetermination message.

H.323 Signaling Protocol Explained With Wireshark (18)

H.323 Phone 2 10.1.5.122 replies with H.245 Master Slave Determination Ack, in the message body the Decision: Slave.

H.323 Phone 2 10.1.5.122 becomes the Slave.

H.323 Signaling Protocol Explained With Wireshark (19)

H.323 Phone 1 10.1.5.130 replies with H.245 Master Slave Determination Ack, in the message body the Decision: Master.

H.323 Phone 1 10.1.5.130 becomes the master.

H.323 Signaling Protocol Explained With Wireshark (20)

H.323 Phone 1 sends channel open request (openLogicalChannel) to Cisco Expressway-C, RTCP port number is included in the message. the G.711A codec with be used for audio call. The proposal RCTP port of H.323 Phone 1 10.1.5.130 for mediaControlChannel is 28869.

H.323 Signaling Protocol Explained With Wireshark (21)

H.323 Phone 2 sends channel open request (openLogicalChannel) to Cisco Expressway-C, RTCP port number is included in the message. the G.711A codec with be used for audio call. The proposal RCTP port of H.323 Phone 2 10.1.5.122 for mediaControlChannel is 23909.

H.323 Signaling Protocol Explained With Wireshark (22)

The Calling Party 10.1.5.130 acknowledges the message. The RTP and RTCP port number are included in the message.

In the H.245 message body, under the section mediaChannel and mediaControlChannel, H.323 Phone 1 tells to Cisco Expressway-C this IS my IP address 10.1.5.130 for RTP and RTCP, this is my RTP port number 28868, and this is my RTCP port number 28869.

H.323 Signaling Protocol Explained With Wireshark (23)

The Called Party 10.1.5.122 acknowledges the message. The RTP and RTCP port number are included in the message.

In the H.245 message body, under the section mediaChannel and mediaControlChannel, H.323 Phone 2 tells to Cisco Expressway-C this is my IP address 10.1.5.122 for RTP and RTCP, this is my RTP port number 23908, and this is my RTCP port number 23908.

H.323 Signaling Protocol Explained With Wireshark (24)

Finally, the Cisco Expressway sends the openLogicalChannel Ack to H.323 Phone 2 10.1.5.122 to inform it about the RTP 28868 and RTCP port 28869 numbers, and the IP address 10.1.5.130 the H.323 Phone 1 will use for RTP flow or audio flow.

H.323 Signaling Protocol Explained With Wireshark (25)

Finally, the Cisco Expressway sends the openLogicalChannel Ack to H.323 Phone 1 10.1.5.130 to inform it about the RTP 23908 and RTCP port 23909 numbers, and the IP address 10.1.5.122 the H.323 Phone 2 will use for RTP flow or audio flow.

H.323 Signaling Protocol Explained With Wireshark (26)

Now a point to point and one-way RTP flow is established from H.323 Phone 1 to H.323 Phone 2 with Source IP 10.1.5.130, Source Port 28868, Destination IP 10.1.5.122 and Destination Port 23908.

H.323 Signaling Protocol Explained With Wireshark (27)

Also, a point to point and one-way RTP flow is established from H.323 Phone 2 to H.323 Phone 1 with Source IP 10.1.5.122, Source Port 23908, Destination IP 10.1.5.130 and Destination Port 28868.

H.323 Signaling Protocol Explained With Wireshark (28)

H.323 Signaling Protocol Explained With Wireshark (2024)
Top Articles
Latest Posts
Recommended Articles
Article information

Author: Sen. Emmett Berge

Last Updated:

Views: 5545

Rating: 5 / 5 (80 voted)

Reviews: 95% of readers found this page helpful

Author information

Name: Sen. Emmett Berge

Birthday: 1993-06-17

Address: 787 Elvis Divide, Port Brice, OH 24507-6802

Phone: +9779049645255

Job: Senior Healthcare Specialist

Hobby: Cycling, Model building, Kitesurfing, Origami, Lapidary, Dance, Basketball

Introduction: My name is Sen. Emmett Berge, I am a funny, vast, charming, courageous, enthusiastic, jolly, famous person who loves writing and wants to share my knowledge and understanding with you.