SOLVED Used to Have Fax T30 Signal Messages In PCAP Traces... Now They're Not Present

(xp) #1

I am trying to determine if I have done something wrong or if something with T.38 has changed fundamentally.
I used pcapsipdump to record traces throughout the day and afterwards to delete them, to start over again the next day. I use these traces to determine why a fax call may have failed, and I used to be able to see the MCF, EOP, etc T.30 fax signals in the pcap in Wireshark.

Now, those messages are no longer present. Faxes still go through… seemingly with t.38… but I do not see messages any more that state those signal messages. How or where is this turned back on? Do I do so with a config entry in FreePBX under SIP, or do I need to change a paremeter in FreePBX for Asterisk to do so?

It’s as if there was an update to T.38 where this no longer occurs.

See the below link with info describing those messages under the “After some research, I got this…” part and how they would look previously:

(Tony Lewis - #2

Nothing in Asterisk or FreePBX would control whats in your SIP Capture you are doing. Sounds like you dont have T38 working anymore if you dont see T38 packets.

(xp) #3


I see T38 udptl packets… I simply don’t see messages that would say at the end of the fax MCF - message confirmation. The fax always ends on a t38 packet like this screenshot below:

(xp) #4

And I am told the fax for which I pulled this trace from was successful… I’m just trying to determine why I don’t see the MCF, EOP, etc messages in the T.38 packets of the trace. I thought it might also be pcapsipdump, so I used regular tcpdump and recorded all udp traffic and still no t.30 MCF type messages.

I’ve now regressed from Asterisk 13 to 11… but still the same thing. I must be doing something wrong or I was incorrect to think that all T.38 communication would show those messages.

(xp) #5

OKAY! After some Google searching and learning more about packet framing than necessary, I found what I believe is the problem. It seems the issue is only with Wireshark (yay…). All the packets are there, Wireshark just doesn’t know how to display those packets correctly.

At this website I found what the HDLC packet framing data corresponds to:

If you see in the table, MCF corresponds to FCF value of 0x31 (31). In the screenshot, packet num 5341 actually IS the T30 MCF message - see the bottom value that says hdlc-data, and the field-data equals 31.

So I need to regress Wireshark to read these packets correctly. And possibly put our fax server back on Asterisk 13.

Just to confirm, regressing Wireshark from 2.2.3 (latest) to 2.0.9 resolves the issue. I guess v2.2.3 has a problem with how the T30 HDLC packets are reassembled in the interpreter or something.

Here it is now with 2.0.9

(Ayansaha) #6

Hi, I need a wireshark pcap for a fax session using the T.38 protocol. Do you know how will I be able to get such pcap…Or what kind of setup do I need to do for such pcap? If you have any spare pcap using this T.38 protocol that I can use,that would be awesome. Any help is highly appreciated! Thanks!

(Lorne Gaetz) closed #7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.