Ask Your Question

Strange Phenomenon in Analysing RTP

asked 2020-01-07 20:04:56 +0000

sporex gravatar image

updated 2020-01-08 09:53:01 +0000

grahamb gravatar image

I am tapping into a RTP stream between host A and B with a passive Ethernet adaptor (See tutorials) Both interfaces on A and B are configured as 10bT full duplex.

When I tap into the RTP stream A>B I get the stream decoded as RTP

When I tap into the RTP stream B>A RTP is not recognized.

Below is the Hex Dump of the RTP packet:

HEX DUMP RTP B>A : no RTP recognition, UNICAST

0000  **80 00 04 31** 00 02 9e a0  44 5e 61 58 48 02 08 db   ...1.... D^aXH...
0010  18 93 42 11 38 92 5a e1  4a 9a aa 5b bf 4e d5 f6   ..B.8.Z. J..[.N..
0020  e8 d9 33 63 85 6e 9b b7  a8                        ..3c.n.. .

HEX DUMP RTP A>B : with RTP recognition, MULTICAST

0000  **80 00 1b 8d** c9 f1 38 20  50 e1 5b 9c 48 8a 6a ba   ......8  P.[.H.j.
0010  7a 10 d1 c1 0c 37 3d 83  95 64 bc d0 74 89 9c ed   z....7=. .d..t...
0020  79 7b 23 31 95 46 d0 86  2f 51 19 8e 42 3b 4d a1   y{#1.F.. /Q..B;M.
0030  f5 fa 47 94 d1 59 85 96  71 4b b0                  ..G..Y.. qK.

As you can see the first 2 octets in the RTP header are equal. The rest is sequence number, time stamp and SSRC which must obviously be differnent. What can make the difference in detection? The only difference in the RTP streams is that A>B is multicast and B>A is unicast.

Regards Sporex

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2020-01-08 05:26:01 +0000

Jaap gravatar image

RTP is notoriously difficult to identify correctly among UDP netnet traffic. Therefore Wireshark relies on a few different methods to do so. First it uses the signalling protocols (e.g. SIP/SDP, H.323/H.245, etc) to learn the addresses and ports of the RTP endpoints. Another way it to depend on the user to use "Decode as..." to map the RTP dissector to a stream. As a last resort (off by default) Wireshark can have the "rtp_udp" heuristic dissection option enabled (see the enabled protocols dialog), which tries to identify, using the limited fields available, RTP packets.

What's happening here I don't know, if you can share an actual capture file (via some file sharing service) there might be more to tell.

edit flag offensive delete link more


Thank you so much. I have got it. The "decode as" was doing the job.

sporex gravatar imagesporex ( 2020-01-08 09:22:38 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2020-01-07 20:04:56 +0000

Seen: 144 times

Last updated: Jan 08 '20