Decoding RTP Voice Traffic with Unknown Codec 52

-

  

I was genuinely surprised when I learned that our VoIP recording software had detected the use of an unknown Codec 52 in our IP network. That simply shouldn't be possible. To the best of my knowledge, only standard codecs are in use here - typically the legacy G.711, or in some cases, the more modern wideband G.722.2 (AMR-WB) for HD voice. But Codec 52? It must be a mistake - such a codec shouldn't even exist.

Check RTP Header Structure 

Let's start by reviewing the standard to understand how VoIP payload types are encoded.

RTP: A Transport Protocol for Real-Time Applications (RFC3550)


   The RTP header has the following format:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |V=2|P|X|  CC   |M|     PT      |       sequence number         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   

The first byte of the RTP header consists of:
  - version (V): 2 bits
  - padding (P): 1 bit
  - extension (X): 1 bit
  - CSRC count (CC): 4 bits

The second byte:
  - marker (M): 1 bit
  - payload type (PT): 7 bits

Now, let's compare the RTP header as defined in the standard with the traffic captured by Wireshark. As shown in the packet capture screenshot below, the payload type of the recorded RTP stream is actually 8.


 

Payload Type Definitions

Encoding type 8 corresponds to the standard PCMA (G.711) codec. The range from 35 to 71 is officially unused.

Payload Types:


 PT   encoding    media type  clock rate   channels
                    name                    (Hz)
 ___________________________________________________
 0    PCMU        A            8,000       1
 1    reserved    A
 2    reserved    A
 3    GSM         A            8,000       1
 4    G723        A            8,000       1
 5    DVI4        A            8,000       1
 6    DVI4        A           16,000       1
 7    LPC         A            8,000       1
 8    PCMA        A            8,000       1
 9    G722        A            8,000       1
               
 ...
               
 35-71   unassigned  ?

However, the recording software reports an unknown codec with the value 52 in decimal (0x34 in hexadecimal) instead of 8.

How is that possible? Where did the software get a byte value of 0x34?

Solution

The issue turned out to be the presence of a 4-byte VLAN tag in the captured traffic. As a result, the recorder misread the RTP payload type, picking the wrong byte - shifted back 4 bytes. Let me examine the byte located 4 bytes earlier.

As you can see, 4 bytes above the misread location lies the UDP header, where the length field has a value of 0xB4 in hexadecimal - that's 180 in decimal or 1011 0100 in binary. When this byte is incorrectly interpreted as the RTP payload type, and only the lower 7 bits are considered (starting from the second bit), we get 011 0100, which is 52 in decimal.

Once we account for the 4-byte shift caused by the VLAN tag, the correct RTP payload type is revealed to be 8, corresponding to the standard PCMA (G.711) codec. In other words, Codec 52 doesn’t actually exist.

The mystery is solved. No miracle here - Codec 52 has not been seen in the wild. Stay safe and healthy.

Comments

Post a Comment

Popular posts from this blog

MX-ONE short installation and maintenance guide (Russian)

-
Image
Краткая инструкция по установке и настройке УПАТС MX–ONE Версия 5.0 / 6.x Настоящая инструкция является кратким руководством по MX-ONE, за полным руководством следует обращаться к комплекту документации CPI. Описание компонентов системы и последние версии прошивок (firmware) для терминалов можно скачать с официального сайта Mitel . Для установки и настройки MX-ONE требуются базовые знания администрирования Linux, принципов IP–телефонии и прохождение учебных курсов Mitel MX–ONE. Дистрибутивы ПО MX–ONE доступны для скачивания прямым партнерам Mitel прошедшим соответствующую аттестацию. Содержание 1. Вводная часть . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.1. Новые названия при переходе с версии 5.0 на версию 6.0 . . . . . . . . . . . . . 5 1.2. Инсталляция MX–ONE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.2.1. Установка на виртуальную машину из образа ISO . . . . . . . . . . . . 6 1.2.2. Файловая структура MX–ONE TSE ....
Read more

Matrix server with self build Element-Web

-
Image
This instruction describes how to run Matrix server with custom Element-Web client. Matrix  - Matrix is an open standard for interoperable, decentralized, real-time communication over IP. Element-Web  - A glossy Matrix collaboration client for the web. TL;DR On  repo  development server Clone Element-web source code: userrepo@repo :~$ git clone https://github.com/vector-im/element-web.git Change the code. Build new docker image (tag 0.1): userrepo@repo :~/element-web$ docker build -t repo:5000/myelement:0.1 . Upload created image to local registry: userrepo@repo :~$ docker push repo:5000/myelement:0.1 On  matrix  test server Execute ansible script for automatic build and deploy: root@matrix :~# ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start Prepare local docker registry and git server Configure local registry server OS name: userrepo@repo :~$ uname -a Linux repo 5.10.0-10-amd64 #1 SMP Debian 5.10.84-1 (2021-12-08) x86_64 GNU/Linux Co...
Read more

Mitel SIP-phone XML API configuration server on Python/Flask and registration on Asterisk PBX

-
Image
  Agenda: Configuration server SIP-phones XML configuration Flask XML server Asterisk SIP extensions configuration 0. Configuration server Setting up configuration server for SIP-phones was described on previous post:  Configuration server We will use the following configuration file  startup.cfg : # Configuration server download protocol:HTTP http server:192.168.5.22 #can be IP or FQDN http path:aastra68xxi http port:8888 firmware server: "http://192.168.5.22:8888/firmware" # SIP server sip transport protocol:1 #UDP(1),TCP(2),TLS(4) sip srtp mode:0 #0(SRTP disabled),1(SRTP preferred),2(SRTP only) sip line1 user name: EmergencyCallsOnly sip proxy ip: 192.168.5.22 sip proxy port: 5060 sip registrar ip: 192.168.5.22 sip registrar port: 5060 # XML server xml application uri: "http://192.168.5.22:8888" # Time settings time server disabled:0 #server enabled(0), server disabled(1) time server1: de.pool.ntp.org time zone name: Custom #Required setting if ...
Read more