
How Wireshark decodes RTP packets from UDP

Hello,

I'm interested in how Wireshark decodes RTP packets (which criteria are used to separate them from UDP). I'm trying to create an RTP packet flow using scapy, and I'm entering all the information needed in the RTP header:

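from scapy.all import IP, UDP, send
from scapy.layers.rtp import RTP

seq = 0      # RTP sequence number, one step per packet
time_s = 0   # RTP timestamp, advanced by 160 per packet
while seq < 10:
  ip_layer = IP(src = "10.0.1.21", dst = "10.0.1.40")
  udp_layer = UDP(sport = 16998, dport = 17000)
  # timestamp uses the running counter instead of the constant 10
  rtp_layer = RTP(version=2, padding=0, extension=0, marker=1, payload_type=8, sequence=seq, timestamp=time_s, sourcesync=0)
  packet = ip_layer/udp_layer/rtp_layer
  send(packet)
  seq = seq + 1
  time_s = time_s + 160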

and still the packets in Wireshark are shown as UDP. I found an option in Preferences -> Protocols -> RTP "Payload Type for RFC2198" = 99 and wondered what 99 means (as I didn't find any information in the RFC document); maybe I need to add some kind of special payload next to the RTP header? Any help would be appreciated. Thanks in advance.

geek_wannabe
asked 2020-11-23 10:49:28 +0000

1 Answer


TCP and UDP protocols are dissected based on port or heuristics. In your case you can do "Decode as" and select RTP to dissect the packet as RTP. You can also activate the heuristic for RTP. Heuristic = guessing the protocol by looking at packet data. The RTP heuristic is weak, meaning it often makes mistakes and labels packets as RTP even if they are not. In the case of RTP, Wireshark also looks at control signaling if present (like SIP and SDP) and dissects the traffic on the port and IP combination as RTP.

Anders
answered 2020-11-23 12:06:58 +0000

Comments

Here is what I do: Analyze -> Enabled Protocols, search for 'rtp', enable rtp_udp.

Network Direction (2020-11-23 20:22:50 +0000)

Thanks, this worked perfectly!

geek_wannabe (2020-11-23 21:01:08 +0000)
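
The answer's point that a payload-based RTP guess is weak, shown as an added example that is not part of the original thread and is not Wireshark's own heuristic code: a simplified structural check on the fixed RTP header from RFC 3550. The function names and all sample payloads are constructed for illustration.

```python
import struct

RTP_FIXED_HEADER = 12  # bytes in the fixed RTP header (RFC 3550)

def build_rtp(seq, timestamp, ssrc=0, payload_type=8, marker=1, payload=b""):
    """Pack a version-2 RTP header with no padding, extension or CSRC list."""
    byte0 = 2 << 6                          # V=2, P=0, X=0, CC=0
    byte1 = (marker << 7) | payload_type    # M bit + 7-bit payload type
    return struct.pack("!BBHII", byte0, byte1, seq, timestamp, ssrc) + payload

def guess_rtp(udp_payload):
    """Return parsed header fields if the bytes are shaped like RTP, else None."""
    if len(udp_payload) < RTP_FIXED_HEADER:
        return None
    byte0, byte1, seq, ts, ssrc = struct.unpack("!BBHII", udp_payload[:12])
    if byte0 >> 6 != 2:                     # only the 2-bit version is fixed
        return None
    csrc_count = byte0 & 0x0F               # each CSRC entry adds 4 bytes
    if len(udp_payload) < RTP_FIXED_HEADER + 4 * csrc_count:
        return None
    return {"marker": byte1 >> 7, "payload_type": byte1 & 0x7F,
            "sequence": seq, "timestamp": ts, "ssrc": ssrc}

# Constructed sample UDP payloads (not captured traffic).
SAMPLES = {
    "rtp, payload type 8": build_rtp(seq=3, timestamp=480, payload=b"\xd5" * 160),
    "dns query, id 0x803c": struct.pack("!6H", 0x803C, 0x0100, 1, 0, 0, 0)
                            + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1),
    "http request text": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "too short": b"\x80\x08\x00\x01",
}

def classify(samples=SAMPLES):
    """Map each sample name to True if the structural check accepts it."""
    return {name: guess_rtp(data) is not None for name, data in samples.items()}

if __name__ == "__main__":
    for name, is_rtp in classify().items():
        print(f"{name:22} -> {'RTP' if is_rtp else 'not RTP'}")
```

The constructed DNS query is accepted because its transaction ID happens to begin with the bits `10`, which is the kind of mislabel the answer warns about.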