views:

168

answers:

4

I am using SharpPCap which is built on WinPCap to capture UDP traffic. My end goal is to capture the audio data from H.323 and save those phone conversations as WAV files. But first things first - I need to figure out what the UDP packets crossing the NIC are.

SharpPCap provides a UdpPacket class that gives me access to the PayloadData of the message. But I am unsure what to do with this data. It's a Byte[] array and I don't know how to go about determining if it's an RTP or RTCP packet.

I've Googled this topic but there isn't much out there. Any help is appreciated.

+1  A: 

I would look at the packet detectors in Wireshark, which can decode most common protocols available.

Yann Ramin
I appreciate the effort theatrus, but it doesn't really answer my question. I'm really more interested in the theoretical knowledge of the packet structure so I can understand how to go about solving the problem. How does one determine a UDP packet is actually an RTP or RTCP packet? I can't find anything in the UDP header that helps with this.
Chris Holmes
Nothing in the UDP header will tell you apart from the port number. You need to perform pattern matching on the packet data.
Yann Ramin
I think I am beginning to figure out there is a lot more to this puzzle than meets the eye. We're trying to detect traffic from the H.323 protocol, and what I'm reading is that it uses a bevy of TCP ports as well to set up the communication before the RTP traffic even starts. So far I am having little luck in finding good info about how to go about capturing this traffic though.
Chris Holmes
A: 

I believe you need to look at the SIP packets that come before the RTP packets.

There is a discussion on this issue on the Pcap.Net site.

brickner
Thanks brickner. We're looking at H.323 traffic instead of SIP, so that changes things a bit. It's looking rather complicated at this point.
Chris Holmes
A: 

Look at the definitions for RTP and RTCP packets in RFC 3550:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|V=2|P|X|  CC   |M|     PT      |       sequence number         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           timestamp                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           synchronization source (SSRC) identifier            |
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
|            contributing source (CSRC) identifiers             |
|                             ....                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

I won't reproduce the legend for all of the above - it's quite long - but take a look at Section 5.1.

With that in hand you'll see there's not a lot you can do to determine if a packet contains RTP/RTCP. Best of all would be to sniff, as other posters have suggested, the media stream negotiation. Second best would be some sort of pattern matching over a sequence of packets: the first two bits will be 10, followed by the next two bits being constant, followed by bits 9 through 15 being constant, then 16 -> 31 incrementing, and so on.

Frank Shearar
Thanks Frank. As it turns out, checking the bytes in the RTP header and checking for basically the version and payload type are enough to determine if it's an RTP packet. At least so far I haven't found any other packets on the network that have the same first few bits. Looking for that and then the SSRC was enough to figure out which packets were RTP. But, I changed jobs and don't have to worry about the rest of this problem, so you get the checkmark!
Chris Holmes
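As an added illustration (not code from this thread, and in Python rather than the asker's C#/SharpPcap, since the point is the byte layout): this decodes the fixed header from the diagram above out of a raw UDP payload, tells RTCP apart by its second byte as Chris's comment hints, and applies the over-a-sequence heuristic Frank describes. All packets are constructed here, not captured; the SSRC and port pairing are assumptions.

```python
import struct
from collections import namedtuple
from typing import List, Optional

# Fields of the fixed RTP header (RFC 3550 section 5.1), minus P and X which the heuristic ignores.
RtpHeader = namedtuple("RtpHeader", "csrc_count marker payload_type sequence timestamp ssrc")
RTCP_TYPES = range(200, 205)  # SR, RR, SDES, BYE, APP (RFC 3550 section 6)

def parse_rtp_header(payload: bytes) -> Optional[RtpHeader]:
    """Decode the 12-byte fixed header from the diagram above; None if it cannot be RTP v2."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:                   # V (top two bits) must be 2
        return None
    cc = b0 & 0x0F
    if len(payload) < 12 + 4 * cc:     # must have room for the CSRC list
        return None
    return RtpHeader(cc, bool(b1 & 0x80), b1 & 0x7F, seq, ts, ssrc)

def looks_like_rtcp(payload: bytes) -> bool:
    """RTCP shares byte 0 with RTP; byte 1 is its packet type 200-204, which read as RTP would be
    marker=1 plus the reserved PT 72-76, so the two never collide on that byte."""
    return len(payload) >= 4 and payload[0] >> 6 == 2 and payload[1] in RTCP_TYPES

def classify_stream(payloads: List[bytes]) -> str:
    """Frank's heuristic over UDP payloads from one port pair: V=2, constant PT and SSRC,
    sequence number rising by one (mod 2^16). Returns 'rtp', 'rtcp' or 'unknown'."""
    if payloads and all(looks_like_rtcp(p) for p in payloads):
        return "rtcp"
    headers = [parse_rtp_header(p) for p in payloads]
    if len(headers) < 2 or any(h is None for h in headers):
        return "unknown"
    first = headers[0]
    for prev, cur in zip(headers, headers[1:]):
        if (cur.payload_type, cur.ssrc) != (first.payload_type, first.ssrc):
            return "unknown"
        if cur.sequence != (prev.sequence + 1) & 0xFFFF:
            return "unknown"
    return "rtp"

def build_rtp(seq: int, ts: int, ssrc: int = 0x1234ABCD, pt: int = 0) -> bytes:
    # Constructed PCMU (PT 0) packet: V=2, no P/X/CC, marker clear, 160 bytes of u-law silence.
    return struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + b"\xFF" * 160

# Constructed sample payloads, not from a real capture.
SAMPLE_RTP = [build_rtp(1000 + i, 160 * i) for i in range(5)]          # five 20 ms PCMU frames
SAMPLE_RTCP_RR = struct.pack("!BBHI", 0x81, 201, 7, 0x1234ABCD) + b"\x00" * 24  # receiver report
SAMPLE_OTHER = b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6                # DNS-like query, V=0
```

Note that a receiver report also parses as a valid v2 RTP header (PT 73 with the marker set), which is why the RTCP check has to run before the RTP one.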
A: 

@chris holmes: I want to capture VoIP packets. I had captured data packets using WinPcap and Wireshark. Please guide me on what I can further do in that code to capture the voice ones.

atihsk