How separate RTP packets from the rest
Question
I got a pcap file with voip conversation, how i can separate RTP packets from the other packets?
I can obtain sip packets, but I can't differenciate the RTP packets from the rest.
4 answers
solution1
1 ACCPTED 2011-12-12 13:08:40
solution2
1 2011-12-12 13:41:35
If you want to see the RTP traffic in wireshark then:
- Select Analyze->Display Filters...
- Select "UDP", OK
- Right click on any UDP packet and select "Decode as..."
- Select "RTP" from the list, OK
- Now you can see all RTP packets.
Hope that helps. :)
ps edited to note that this is for Wireshark. Thanks to a commentor for pointing that out!
solution3
1 2011-12-12 15:01:36
Check @macs recommendation about PCap filter. If this cannot satisfy your needs (eg you need to filter out RTP packets of specific SIP session) there's no simple way. You need to parse SIP messages, retrieve RTP port numbers, takes packets going to/from these ports in particular time period and (optionally) check if these packets are RTP by checking their headers ( magic number in headers)
solution4
0 2012-01-18 10:32:17
An open source software that extract the RTP/RTCP packets from a pcap file are:
From the source code you can view and understand the methodologies used.
I can obtain sip packets, but I can't differenciate the RTP packets from the rest.
If you are able to decode the SIP, then you can find (inside INVITE message) the SDP message. If you decode it you can find the IP and PORT of RTP "stream" (and RTCP => port + 1). With these informations you can identify uniquely the RTP and RTCP packets. Keep in mind that there are often packages (with the same IP-PORT) with the STUN protocol which must be separate from RTP. You have to consider where is the packet capture (network context and constraints), you may take into account NAT.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.