In an effort to educate myself on the inner workings of WebEx, I recently looked at a session with Wireshark. Knowing that WebEx audio has the ability to use UDP or TCP, I wanted to isolate the protocol being employed in my configuration. I watched for a new stream of traffic as I enabled the audio portion of a meeting. I found that the audio was using UDP port 9000.
I next applied a filter to see only this traffic. What immediately jumped out at me was what appeared to be malformed and fragmented packets. I also noticed a lot of strange IP addresses like 220.127.116.11, 18.104.22.168, 0.0.0.30, 0.0.0.31 and so on.
Knowing that the audio was working perfectly, I could have easily concluded that my eyes were deceiving me. When I looked closer, I quickly realized that Wireshark was recognizing and decoding this as if the packets were Lawful Intercept.
Changing the Decode Type
This is a common scenario and the solution is straightforward. In Wireshark, right-click any of the packets and choose Decode As…
At this point, a new window will appear. Make sure the Transport tab is selected, then choose Do Not Decode and Apply. (In Wireshark 2.0 and later the Decode As dialog is a table instead: find the row for UDP port 9000 and set its Current column to (none).) Either way, this only unbinds the dissector from that port in the current profile; the dissector itself stays enabled for any other port it is registered on. To turn it off everywhere, uncheck it under Analyze > Enabled Protocols.
Now the capture should be redissected and the stream will no longer be decoded as Lawful Intercept encapsulated traffic. Wireshark shows the packets with the IP addresses we expect, and they now appear properly formed. The odd addresses and the "malformed" flags were artifacts of the wrong dissector reading audio bytes as encapsulation headers, not anything that was on the wire.
Just like a simple firewall, Wireshark guesses the upper layer protocol from the TCP or UDP port number: each dissector registers the ports it expects, and by default the first match wins. Most of the time this yields the expected results. However, some ports are used by more than one upper layer protocol, and a dissector registered on a port has no way to tell that the payload is really something else. In those cases Wireshark's guess can mislead anyone who does not regularly look at packet captures, and the "malformed" markers it raises say more about the guess than about the traffic. Changing the decode to the appropriate protocol, or disabling it altogether, lets the analyst examine and properly interpret what was actually captured. The decoded view is an interpretation, never ground truth; when a stream looks broken but the application works, suspect the dissector before the network.
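The following is an added example, not code from the original post and not Wireshark's own code. It models the mechanism described in the Decode As steps and in the paragraph above: a table that maps a UDP port to a payload dissector, a toy "encapsulation" dissector bound to port 9000 that reads the first eight payload bytes as an inner address pair, and a decode_as helper that rebinds or clears that port. The toy dissector is a stand-in for the role the Lawful Intercept dissector plays here; its format is an assumption and does not reproduce the real one. The frames are constructed inline using RFC 5737 documentation addresses, with a payload deliberately chosen so the wrong dissector reports 0.0.0.30 and 0.0.0.31, the kind of nonsense address a mis-bound dissector produces, and a second short payload that it flags as malformed.

```python
"""Toy model of a port-based UDP dissector table and "Decode As".

Added example; not part of the original post and not Wireshark code.
The toy encapsulation format below is an assumption used for illustration.
"""
import ipaddress
import struct

# Constructed sample addresses (RFC 5737 documentation ranges, not real hosts).
SRC, DST = "192.0.2.10", "198.51.100.20"
# Constructed payloads. The first 8 bytes of AUDIO_LIKE_PAYLOAD are chosen so
# the toy dissector reads them as inner addresses 0.0.0.30 and 0.0.0.31.
AUDIO_LIKE_PAYLOAD = bytes.fromhex("0000001e0000001f") + bytes(range(0x80, 0x90))
SHORT_PAYLOAD = bytes.fromhex("80080001")  # too short for the toy header


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Build a minimal IPv4+UDP frame; checksums are left 0 (not verified here)."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip_hdr + udp_hdr + payload


def parse_ipv4_udp(frame):
    """Parse the outer IPv4 and UDP headers; these are never in doubt."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 17:
        raise ValueError("not UDP")
    sport, dport, length, _cksum = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    return {
        "src": str(ipaddress.IPv4Address(frame[12:16])),
        "dst": str(ipaddress.IPv4Address(frame[16:20])),
        "sport": sport,
        "dport": dport,
        "payload": frame[ihl + 8:ihl + length],
    }


def toy_encap_dissector(payload):
    """Hypothetical encapsulation: 4-byte inner src, 4-byte inner dst, inner data.

    Fed audio bytes, it happily reports garbage addresses, or "malformed" when
    the payload is shorter than the header it assumes.
    """
    if len(payload) < 8:
        return {"proto": "TOY-ENCAP", "malformed": True}
    return {
        "proto": "TOY-ENCAP",
        "malformed": False,
        "inner_src": str(ipaddress.IPv4Address(payload[0:4])),
        "inner_dst": str(ipaddress.IPv4Address(payload[4:8])),
        "inner_len": len(payload) - 8,
    }


# Like Wireshark's udp.port dissector table: port -> payload dissector.
DEFAULT_TABLE = {9000: toy_encap_dissector}


def decode_as(table, port, dissector):
    """Return a copy of the table with the port rebound; None means Do Not Decode."""
    new_table = dict(table)
    if dissector is None:
        new_table.pop(port, None)
    else:
        new_table[port] = dissector
    return new_table


def dissect(frame, table=DEFAULT_TABLE):
    """Parse the outer headers, then pick the payload decoder by port number.

    The port lookup is the guess the post describes; nothing in the payload
    is consulted before the handler is chosen.
    """
    pkt = parse_ipv4_udp(frame)
    handler = table.get(pkt["dport"]) or table.get(pkt["sport"])
    if handler is None:
        pkt["decoded"] = {"proto": "DATA", "len": len(pkt["payload"])}
    else:
        pkt["decoded"] = handler(pkt["payload"])
    return pkt


if __name__ == "__main__":
    frames = [build_ipv4_udp(SRC, DST, 50000, 9000, p)
              for p in (AUDIO_LIKE_PAYLOAD, SHORT_PAYLOAD)]
    fixed = decode_as(DEFAULT_TABLE, 9000, None)  # the "Do Not Decode" step
    for f in frames:
        print("default       :", dissect(f)["decoded"])
        print("decode-as none:", dissect(f, fixed)["decoded"])
```

With the default table the audio-like frame comes back as TOY-ENCAP with inner addresses 0.0.0.30 and 0.0.0.31 and the short frame is marked malformed; after decode_as(..., 9000, None) both are plain DATA of 24 and 4 bytes, which is exactly what the Do Not Decode step changes in Wireshark: not the packets, only which handler is asked to interpret them.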
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.