I know to look for missing RTP sequence numbers with RTP stream analysis. Is there a display filter or Wireshark expert analysis for RTP sequence analysis?
Thanks
Open your capture, go to Telephony -> RTP -> RTP Streams. This will list all RTP streams in your capture.
Now choose the stream you want to analyze and click "Analyze". You can also right-click a stream and select "Prepare Filter" to create a display filter for that stream. Both will show you the packet and sequence numbers.
Thank you for your response, but what I am searching for is a display filter that will display all the packets with RTP sequence number errors. The files I analyzed are usually large (up to terabytes) and analyzing all the RTP streams can be time consuming. I have been thinking of trying Linux to see if it is any faster. I know how to do it for ESP, TS, but I can’t find a display filter for RTP.
Comments
Example capture and screen shot: 5958 - RTP stream analysis shows incorrect number of sequence errors
The flag is set in tap-rtp-analysis.c and displayed by rtp_analysis_dialog.cpp.
There are two Expert Info fields in packet-rtp.c:
{ &ei_rtp_fragment_unfinished, { "rtp.fragment_unfinished", PI_REASSEMBLE, PI_CHAT, "RTP fragment, unfinished", EXPFILL }}, { &ei_rtp_padding_missing, { "rtp.padding_missing", PI_MALFORMED, PI_ERROR, "Frame has padding, but not all the frame data was captured", EXPFILL }},The question is "Does the RTP dissector have enough info to flag missing sequence numbers with an Expert Info?"