Flood of UDP packets Len=172

Hello
I have a question that might be very stupid, but I can’t find an answer anywhere.
A client has been complaining that we flood him with UDP packets.
I’ve got one packet and its reply and pasted it to http://pastebin.com/raw/yQrHCr3V
It’s not part of the signaling, nor part of the RTP, and according to Wireshark it is not part of any call (if I’m using it correctly).
So, is it normal for Asterisk to send those? Are they part of a call even if they don’t contain any reference to calls? Why would they be sent?

Sorry again for the stupidity of the question, I hope you can point me in the right direction.

172 is the typical size of G.711 (PCMU or PCMA) packets. It means 20 msec of data (160 bytes) + the 12 byte RTP header.
It is very possible that these packets are coming from aborted call(s), so your server doesn’t keep track of it anymore, but the media layer is still sending (maybe from an IVR or as received from the other peer).

Wireshark with the default settings will not recognize it as RTP (only if it also sees the signaling), however there is a setting in Wireshark to force RTP detection also for these.

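The size arithmetic from the reply above (160 bytes of G.711 audio + 12-byte RTP header = 172), turned into a check for orphaned media when no signaling is available. This is an added example, not part of the original thread; the function names and the sample packets are constructed for illustration.

```python
import struct

G711_PAYLOAD_TYPES = {0: "PCMU", 8: "PCMA"}  # static RTP payload types
SAMPLES_PER_20MS = 160                       # 8 kHz * 20 ms, 1 byte per sample

def parse_rtp(payload: bytes):
    """Return RTP header fields if the UDP payload parses as RTP v2, else None."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:                         # version field must be 2
        return None
    hdr = 12 + 4 * (b0 & 0x0F)               # fixed header + CSRC list
    if b0 & 0x10:                            # optional header extension
        if len(payload) < hdr + 4:
            return None
        hdr += 4 + 4 * struct.unpack("!H", payload[hdr + 2:hdr + 4])[0]
    if len(payload) < hdr:
        return None
    return {"pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc,
            "media_len": len(payload) - hdr}

def looks_like_g711_stream(payloads):
    """True if consecutive UDP payloads form one 20 ms G.711 RTP stream.

    A single packet with version bits == 2 proves little, so the check
    requires one SSRC, sequence +1 and timestamp +160 between packets.
    """
    pkts = [parse_rtp(p) for p in payloads]
    if len(pkts) < 2 or any(p is None for p in pkts):
        return False
    first = pkts[0]
    for prev, cur in zip(pkts, pkts[1:]):
        if cur["ssrc"] != first["ssrc"] or cur["pt"] != first["pt"]:
            return False
        if (cur["seq"] - prev["seq"]) & 0xFFFF != 1:            # 16-bit wrap
            return False
        if (cur["ts"] - prev["ts"]) & 0xFFFFFFFF != SAMPLES_PER_20MS:
            return False
    return (first["pt"] in G711_PAYLOAD_TYPES
            and all(p["media_len"] == SAMPLES_PER_20MS for p in pkts))

def make_packet(seq, ts, ssrc=0x1234ABCD, pt=0):
    """Build a constructed 172-byte PCMU packet (sample data, not a capture)."""
    hdr = struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc)
    return hdr + b"\xff" * SAMPLES_PER_20MS

# Constructed sample: four packets whose sequence number wraps past 65535.
SAMPLE = [make_packet(65534 + i, 1000 + 160 * i) for i in range(4)]

if __name__ == "__main__":
    print(len(SAMPLE[0]), looks_like_g711_stream(SAMPLE))
```

Feed it the UDP payloads of one source/destination port pair in capture order; the SSRC it reports can then be matched against the RTP sessions the server still knows about.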