Same packet decoded differently (UDP vs. RTP) on macOS and on another Linux machine

asked 2021-04-08 23:33:58 +0000


updated 2021-04-08 23:40:19 +0000

Hi,

I tried to decode a pcapng file on two different machines, as in the title, but they showed two different results.

1. macOS: Wireshark 3.4.4. I had set enable_protocol:rtp_udp and disable:rtp_event; it shows the packet is RTP or RTCP and can then decode it:

"en5","22:47:22.682346000 PST","801","0.031969","RTP","1.2.3.4","5.6.7.8","0xSSRC","rtp.timestamp","rtp.seq"

(the IP addresses and SSRC number are just made-up replacements)

2. Linux server: Wireshark 2.6.2, command-line environment only, so I am not sure whether the same settings kick in or not (I copied the macOS .config/wireshark to the Linux machine), but it shows:

"en5","22:47:22.682346000 PST","801","0.031969","UDP","1.2.3.4","5.6.7.8",,,

The protocol shows UDP instead of RTP, and there is no rtp.ssrc information. (This is the same packet from the same pcapng file.)

I want to know whether that is because the configuration is not kicking in (how do I check this on the Linux side if I don't have a GUI?), because of the Wireshark version, or because of some other cause.

Thanks!


Comments

These versions differ a lot, so different results are expected.

hugo.vanderkooij (2021-04-09 07:19:17 +0000)

Yes, but I feel it can be configured to give the same output; I am just not sure how to do it.

vicchen (2021-04-09 07:46:10 +0000)

I don't know if this is causing the issue, but Wireshark always does a 2-pass dissection and tshark, by default, only does a 1-pass. Add the -2 flag to tshark to run a 2-pass dissection.

You might also want to try using tshark on the mac as a more like-for-like comparison.

You can use the -C <config profile> flag for tshark to explicitly select a configuration profile.

grahamb (2021-04-09 07:59:41 +0000)

I saw your answer to a similar issue on the other thread; let me try whether 2-pass can solve my problem. Thanks~

vicchen (2021-04-09 16:53:55 +0000)

And one thing about the -C <config profile>: if I adjust any protocol/preferences in the Wireshark app, which of the following files under .config/wireshark will reflect the setting? I saw that heuristic_protos, recent and preferences have some values, but others like profiles/enabled_protos are empty.

cfilters        enabled_protos      preferences     recent
disabled_protos     heuristic_protos    profiles        recent_common

So which file should I actually pass to -C <config profile>?

vicchen (2021-04-09 17:30:39 +0000)

"I feel it can be configured to give the same output"

Why? Not all of the output of Wireshark/TShark is determined by the configuration; if, for example, version 2.6.2 does not have a dissector for the XYZZY protocol but version 3.4.4 does have a dissector for that protocol, then a capture containing XYZZY packets will dissect differently on the two versions of Wireshark unless you disable the XYZZY protocol on 3.4.4 - there's nothing you can do in the configuration of 2.6.2 to get it to dissect XYZZY other than installing a plugin for the XYZZY protocol, and that may require you to write such a dissector or have somebody else write it.

Guy Harris (2021-04-09 19:06:51 +0000)

The <config profile> is actually a directory, named after the profile, that contains the profile-specific versions of files such as preferences.

You can find the paths to the root of the profiles directory in Wireshark by viewing Help -> About Wireshark -> Folders or in tshark by using -G folders (may not work in your very old Linux version). Profiles are either in the personal or global configuration directories.

grahamb (2021-04-09 19:14:36 +0000)

Thanks for both replies!

@Guy Harris, I am new to Wireshark, so I don't know whether it is determined by the version. Based on my case, and from some posts I read, my guess is that UDP cannot be decoded as RTP or RTCP, and I am not sure whether that is because of 2.6.2. It does not look like an uncommon case, which is why I am looking for a way to do it (like "decode as..." or some other setting change).

One additional piece of information: it only happened on the sender side; it looks like the sender side is decoded as UDP, so I guess it may also be related to udp_stun. But I should have enabled both rtp_udp and udp_stun; that's why I asked how I can check the current tshark settings.

@grahamb, -2 did not work for me. It still shows the same result. And my profiles folder is empty.

vicchen (2021-04-09 23:33:10 +0000)

Re the profile and -C <config profile>: to copy settings from the newer version on the Mac to the older version on Linux, you should probably create a profile on the Mac with the required settings, copy the complete profile directory from the Mac to the appropriate destination on the Linux system, and select that profile with the -C flag.

grahamb (2021-04-10 12:31:33 +0000)
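The two practical questions in this thread are "how do I see which RTP settings a headless tshark is really using?" and "how do I make both versions dissect the same way?". The script below is an added example, not code from anyone in the thread. It reads the files inside a profile directory that the thread names (heuristic_protos and disabled_protos), reports whether the rtp_udp heuristic is on and the rtp_event protocol is off, and then builds a tshark command that passes those settings explicitly (-2 for two-pass, --enable-heuristic, --disable-protocol), so the result no longer depends on whether -C picked up the copied profile. Assumptions: heuristic_protos holds "name,1" / "name,0" lines and disabled_protos holds one protocol name per line (the on-disk format as I know it, not stated on the page); the _ws.col.Protocol field name and the sample profile contents are also mine. Pass a capture path as the first argument; without tshark installed it only prints the command.

```shell
#!/bin/sh
# Added example: inspect a Wireshark profile directory for the RTP-related
# switches, then build an explicit tshark invocation that does not rely on
# the profile being found.
#
# Profile locations (from the thread): "tshark -G folders" prints the personal
# and global configuration directories; profiles live under <dir>/profiles/<name>.

# Print "rtp_udp=<on|off|unset> rtp_event=<enabled|disabled>" for one profile dir.
# Assumed formats: heuristic_protos -> "rtp_udp,1"; disabled_protos -> "rtp_event".
profile_rtp_status() {
    dir=$1
    heur=unset
    if [ -f "$dir/heuristic_protos" ]; then
        val=$(grep '^rtp_udp,' "$dir/heuristic_protos" | cut -d, -f2)
        case "$val" in
            1) heur=on ;;
            0) heur=off ;;
        esac
    fi
    evt=enabled
    if [ -f "$dir/disabled_protos" ] && grep -qx 'rtp_event' "$dir/disabled_protos"; then
        evt=disabled
    fi
    printf 'rtp_udp=%s rtp_event=%s\n' "$heur" "$evt"
}

# Build the tshark command line that forces the macOS settings on any version
# that has these flags: two-pass dissection (-2), the RTP-over-UDP heuristic
# enabled, RTP Event disabled, and the columns from the question as fields.
tshark_rtp_cmd() {
    printf '%s' "tshark -2 -r '$1' --enable-heuristic rtp_udp --disable-protocol rtp_event" \
        " -T fields -E separator=, -E quote=d" \
        " -e frame.number -e _ws.col.Protocol -e ip.src -e ip.dst" \
        " -e rtp.ssrc -e rtp.timestamp -e rtp.seq"
}

# Constructed sample profile, standing in for ~/.config/wireshark/profiles/<name>.
sample=$(mktemp -d)
printf '# constructed sample\nrtp_udp,1\nrtcp_udp,1\n' > "$sample/heuristic_protos"
printf '# constructed sample\nrtp_event\n' > "$sample/disabled_protos"
profile_rtp_status "$sample"
rm -rf "$sample"

# Run against a real capture only when tshark is present; otherwise show the command.
capture=${1:-capture.pcapng}
cmd=$(tshark_rtp_cmd "$capture")
if command -v tshark >/dev/null 2>&1 && [ -f "$capture" ]; then
    eval "$cmd"
else
    printf 'tshark not run; command would be:\n%s\n' "$cmd"
fi
```

If the Linux 2.6.2 build still reports UDP with the heuristic forced on, the difference is in the dissector itself rather than in the configuration, which is the point Guy Harris makes above; in that case the only configuration-side fallback is a port-based "decode as" (tshark -d udp.port==<port>,rtp) for the sender's stream.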