same packet decoded as different UDP/RTP between MacOS and other linux machine
Hi,
I tried to decode a pcapng file via two different machines as title, but they showed two different results.
1. MacOS: wireshark 3.4.4, had set up enable_protocol:rtp_udp, disable:rtp_event; it shows the packet is RTP or RTCP, then can decode
"en5","22:47:22.682346000 PST","801","0.031969","RTP","1.2.3.4","5.6.7.8","0xSSRC","rtp.timestamp","rtp.seq"
(IP and SSRC numbers I just replaced with made-up ones)
2. Linux server: wireshark 2.6.2, only command line environment, so not sure whether the same setting kicks in or not (copied the MacOS .config/wireshark to the linux machine), but it shows
"en5","22:47:22.682346000 PST","801","0.031969","UDP","1.2.3.4","5.6.7.8",,,
Protocol shows UDP instead of RTP, and no rtp.ssrc information. (this is the same packet from the same pcapng file)
I want to know: is that because the configuration has not kicked in (how to check the linux part if I don't have a GUI)? Or because of the wireshark version? Or any other cause?
Thanks!
These versions differ a lot. So different results are expected.
Yes, but I feel it can be configured to the same output, but just not sure how to do it.
I don't know if this is causing the issue, but Wireshark always does a 2-pass dissection and tshark, by default, only does a 1-pass. Add the -2 flag to tshark to run a 2-pass dissection. You might also want to try using tshark on the mac as a more like-for-like comparison.
You can use the -C <config profile> flag for tshark to explicitly select a configuration profile.
I saw your answer to a similar issue on the other thread, let me try if 2-pass can solve my problem. Thanks~
And one thing for the -C <config profile>: if I adjust any protocol/preferences in the wireshark app, which of the following files will reflect the setting under .config/wireshark? I saw heuristic_protos, recent, preferences will have some value, but others like profiles/enabled_protos are empty. So which file should I actually -C <config profile>?
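
One way to check on a machine without a GUI whether two copies of a profile directory carry the same protocol toggles, as an added example that is not part of the original thread. It assumes heuristic_protos holds `name,0|1` lines and that disabled_protos and enabled_protos hold one protocol name per line; the directory names and file contents in `demo()` are constructed.

```python
import tempfile
from pathlib import Path

def read_entries(path):
    """Non-blank, non-comment lines of a settings file; missing file -> []."""
    if not path.is_file():
        return []
    text = path.read_text(encoding="utf-8", errors="replace")
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def profile_state(profile_dir):
    """Flatten the three files into {setting: value} for easy comparison."""
    d, state = Path(profile_dir), {}
    for line in read_entries(d / "heuristic_protos"):
        name, sep, flag = line.rpartition(",")
        if sep and flag.strip() in ("0", "1"):   # assumed format: name,0|1
            state["heuristic:" + name.strip()] = flag.strip() == "1"
    for fname in ("disabled_protos", "enabled_protos"):
        for name in read_entries(d / fname):     # assumed: one name per line
            state[fname + ":" + name] = True
    return state

def diff_profiles(dir_a, dir_b):
    """Return {setting: (value_in_a, value_in_b)}; None = not listed."""
    a, b = profile_state(dir_a), profile_state(dir_b)
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def demo():
    """Constructed sample: a GUI-edited profile vs. one whose files are empty."""
    with tempfile.TemporaryDirectory() as tmp:
        mac, linux = Path(tmp, "mac"), Path(tmp, "linux")
        mac.mkdir()
        linux.mkdir()
        (mac / "heuristic_protos").write_text("# constructed\nrtp_udp,1\n")
        (mac / "disabled_protos").write_text("rtpevent\n")
        (linux / "heuristic_protos").write_text("")   # copied but empty
        return diff_profiles(mac, linux)

if __name__ == "__main__":
    for setting, (a, b) in demo().items():
        print(f"{setting}: first={a} second={b}")
```

An empty result means both directories list the same toggles, so a remaining difference in output comes from somewhere other than these three files.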