Display filter for missing RTP sequence

2021-03-09

I know to look for missing RTP sequence numbers with RTP stream analysis. Is there a display filter or Wireshark expert analysis for RTP sequence analysis?


Example capture and screen shot: 5958 - RTP stream analysis shows incorrect number of sequence errors

The flag is set in tap-rtp-analysis.c and displayed by rtp_analysis_dialog.cpp.

There are two Expert Info fields in packet-rtp.c:

        { &ei_rtp_fragment_unfinished, { "rtp.fragment_unfinished", PI_REASSEMBLE, PI_CHAT, "RTP fragment, unfinished", EXPFILL }},
        { &ei_rtp_padding_missing, { "rtp.padding_missing", PI_MALFORMED, PI_ERROR, "Frame has padding, but not all the frame data was captured", EXPFILL }},

The question is "Does the RTP dissector have enough info to flag missing sequence numbers with an Expert Info?"

2021-03-10

Open your capture, go to Telephony -> RTP -> RTP Streams. This will list all RTP streams in your capture.

Now choose the stream you want to analyze and click "Analyze". You can also right-click a stream and select "Prepare Filter" to create a display filter for that stream. Both will show you the packet and sequence numbers.

Thank you for your response, but what I am searching for is a display filter that will display all the packets with RTP sequence number errors. The files I analyzed are usually large (up to terabytes) and analyzing all the RTP streams can be time consuming. I have been thinking of trying Linux to see if it is any faster. I know how to do it for ESP, TS, but I can’t find a display filter for RTP.
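As an added example (not part of the original thread or of Wireshark's own code), one way to get such a filter without opening the RTP analysis dialog is to export the frame number, SSRC and sequence number with tshark and post-process them per stream. The script assumes three whitespace-separated columns from the fields `frame.number`, `rtp.ssrc` and `rtp.seq`; the function names, the file name and the sample rows are constructed for illustration.

```python
import sys
from collections import namedtuple

Gap = namedtuple("Gap", "frame ssrc expected got missing")

# Constructed sample in the shape produced by (capture.pcap is a placeholder):
#   tshark -r capture.pcap -Y rtp -T fields -e frame.number -e rtp.ssrc -e rtp.seq
SAMPLE = """\
10 0x1a2b3c4d 65533
11 0x1a2b3c4d 65534
12 0x0000beef 100
13 0x1a2b3c4d 65535
14 0x1a2b3c4d 0
15 0x0000beef 101
16 0x1a2b3c4d 3
17 0x0000beef 101
18 0x0000beef 104
"""

def parse(lines):
    """Yield (frame, ssrc, seq) from whitespace-separated tshark field output."""
    for line in lines:
        parts = line.split()
        if len(parts) == 3:
            yield int(parts[0]), int(parts[1], 0), int(parts[2])

def find_gaps(rows):
    """Report forward jumps in the 16-bit RTP sequence number, tracked per SSRC."""
    expected = {}  # ssrc -> next expected sequence number
    gaps = []
    for frame, ssrc, seq in rows:
        if ssrc in expected:
            delta = (seq - expected[ssrc]) & 0xFFFF  # forward distance mod 2^16
            if delta >= 0x8000:
                continue  # behind the expected value: duplicate or late packet
            if delta:
                # A late packet that fills this gap afterwards is not subtracted.
                gaps.append(Gap(frame, ssrc, expected[ssrc], seq, delta))
        expected[ssrc] = (seq + 1) & 0xFFFF  # also handles the 65535 -> 0 wrap
    return gaps

def display_filter(gaps):
    """Build a display filter selecting the first frame after each gap."""
    return " || ".join(f"frame.number == {g.frame}" for g in gaps)

if __name__ == "__main__":
    src = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    print(display_filter(find_gaps(parse(src))))
```

Piping the tshark output into the script prints a filter that can be pasted into Wireshark; for very large captures, printing the `Gap` tuples instead keeps the output manageable.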

