H.323 Signaling Protocol Demystified From Scratch

H.323 signaling protocol is the most misunderstanding and complex signaling protocol compared to SIP protocol. And this is why SIP is becoming familiar today, but this does not mean that H.323 is no longer used, instead it is still there supported by Telepresence Endpoints and still supported by Cisco Expressway Series, where the Cisco Expressway-C is the Call Control for both H.323 and SIP signaling protocols.

From the Cisco Collaboration exams ‘s perspective, H.323 is largely covered and detailed in CLCOR and CLCEI (Implementing Cisco Collaboration Cloud and Edge Solutions) courses.

  • How the call setup works?
  • What is the role of H.225 and H.245 signaling messages?
  • How the RTP informations (IP Addresses and RTP ports) are negotiated?

See below the answer using wireshark.

H.323 Phone 1 and H.323 Phone 2 are registered to Cisco Expressway-C with the E.164 1001 and 1002 respectively.

A call is initiated and established from 1001 to 1002.

H.323 Phone 1 10.1.5.130 establishes a TCP connection for a new call with Cisco Expressway-C 10.1.5.20, destination port is 1720.

A Q.931 SETUP message through H.225 protocol is sent by H.323 Phone 1 10.1.5.130 once the TCP connection has been established with Cisco Expressway-C, indicating the Calling party number 1001 and Called party number 1002.

The H.225 message body contains the sourceCallSignalAddress:ip address = 10.1.5.130.

The Cisco Expressway 10.1.5.20 responds with Q.931 CallProceeding indication to H.323 Phone 1.

The Cisco Expressway-C 10.1.5.2O establishes a TCP connection for a new call with the H.323 Phone 2 10.1.5.122, destination port is 1720.

A Q.931 SETUP message through H.225 protocol is sent by Cisco Expressway-C 10.1.5.20 once the TCP connection has been established with H.323 Phone 2, indicating the Calling party number 1001 and Called party number 1002.

The called subscriber H.323 Phone 2 10.1.5.122 responds with Q.931 CallProceeding indication to Cisco Expressway-C 10.1.5.20.

The Q.931 ALERTING message is sent by H.323 Phone 2 10.1.5.122 indicating that the called subscriber is now being ring.

The Q.931 ALERTING message is sent by Cisco Expressway-C 10.1.5.20 indicating the caller 10.1.5.130 that the called subscriber 10.1.5.122 is now being ring.

The H.323 Phone 2 10.1.5.122 answers the call. The Q.931 connect message by is sent by the Called Party 10.1.5.122 to Cisco Expressway-C. The message contains information the H.245 negociation port 49304.

The Q.931 connect message by is sent by the Cisco Expressway-C to H.323 Phone 1. The message contains information the H.245 negociation port 15005.

Now H.323 Phone 1 and Cisco Expressway-C establish a TCP connection for H.245 negociation with destination port 15005.

Caller party negociates the codec by sending the H.245 TerminalCapabilitySet Request message.

Calling Party 10.1.5.130 negociates master-slave by sending the masterSlaveDetermination message.

Now Cisco Expressway-C and H.323 Phone 2 establish a TCP connection for H.245 negociation with destination port 49304.

Called party negotiates the codec by sending the H.245 TerminalCapabilitySet Request message.

CalledParty 10.1.5.122 also negotiates master-slave by sending the masterSlaveDetermination message.

H.323 Phone 2 10.1.5.122 replies with H.245 Master Slave Determination Ack, in the message body the Decision: Slave.

H.323 Phone 2 10.1.5.122 becomes the Slave.

H.323 Phone 1 10.1.5.130 replies with H.245 Master Slave Determination Ack, in the message body the Decision: Master.

H.323 Phone 1 10.1.5.130 becomes the master.

H.323 Phone 1 sends channel open request (openLogicalChannel) to Cisco Expressway-C, RTCP port number is included in the message. the G.711A codec with be used for audio call. The proposal RCTP port of H.323 Phone 1 10.1.5.130 for mediaControlChannel is 28869.

H.323 Phone 2 sends channel open request (openLogicalChannel) to Cisco Expressway-C, RTCP port number is included in the message. the G.711A codec with be used for audio call. The proposal RCTP port of H.323 Phone 2 10.1.5.122 for mediaControlChannel is 23909.

The Calling Party 10.1.5.130 acknowledges the message. The RTP and RTCP port number are included in the message.

In the H.245 message body, under the section mediaChannel and mediaControlChannel, H.323 Phone 1 tells to Cisco Expressway-C this IS my IP address 10.1.5.130 for RTP and RTCP, this is my RTP port number 28868, and this is my RTCP port number 28869.

The Called Party 10.1.5.122 acknowledges the message. The RTP and RTCP port number are included in the message.

In the H.245 message body, under the section mediaChannel and mediaControlChannel, H.323 Phone 2 tells to Cisco Expressway-C this is my IP address 10.1.5.122 for RTP and RTCP, this is my RTP port number 23908, and this is my RTCP port number 23908.

Finally, the Cisco Expressway sends the openLogicalChannel Ack to H.323 Phone 2 10.1.5.122 to inform it about the RTP 28868 and RTCP port 28869 numbers, and the IP address 10.1.5.130 the H.323 Phone 1 will use for RTP flow or audio flow.

Finally, the Cisco Expressway sends the openLogicalChannel Ack to H.323 Phone 1 10.1.5.130 to inform it about the RTP 23908 and RTCP port 23909 numbers, and the IP address 10.1.5.122 the H.323 Phone 2 will use for RTP flow or audio flow.

Now a point to point and one-way RTP flow is established from H.323 Phone 1 to H.323 Phone 2 with Source IP 10.1.5.130, Source Port 28868, Destination IP 10.1.5.122 and Destination Port 23908.

Also, a point to point and one-way RTP flow is established from H.323 Phone 2 to H.323 Phone 1 with Source IP 10.1.5.122, Source Port 23908, Destination IP 10.1.5.130 and Destination Port 28868.

Published by:

Redouane MEDDANE

Redouane MEDDANE is Cisco Instructor CCSI #35458, 3xCCNP Collaboration, Security and Enterprise and he a published author of some of the most important OSPF Protocol, Security and Collaboration books in the world titled OSPF Demystified With RFC, Network Security All-in-one, and Dial Plan and Call Routing Demystified on CUCM. He is also a blogger at ipdemystify.com and writes articles about collaboration and security to demystify the most complex topics. His books are known for their technical depth and accuracy especially the OSPF Demystified With RFC book, which is considered as the best OSPF book in the world and named "One of the best OSPF ebooks of all time" by BookAuthority It gives you a hint at the ability to explain complex topics with remarkable ease. He worked as a Cisco Instructor and consultant indifferent Cisco Learning Partner and awarded twice as Cisco Distinguished Instructor Award and Cisco Security Instructor Excellence Award on 2018 and 2019, and Cisco Collaboration Instructor Excellence Award on 2020. The Distinguished Instructor Award recognizes the top 5% of Cisco's most influential CCSI's who provide the highest quality training experience and demonstrate the best overall instructor performance across multiple Cisco technologie and Instructor Excellence Award recognizes the top 25% of elite CCSIs being recognized for delivering top quality training and maintaining high customer satisfaction in their field of expertise.

Categories CollaborationLeave a comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s