Extract RTP sequence numbers from RTP over QUIC

asked 2022-02-01 00:01:30 +0000

mjwalker gravatar image

updated 2022-02-01 08:28:25 +0000

grahamb gravatar image

Hi all,

I am working on a project comparing RTP over QUIC with RTP over UDP and as part of the analysis, I need to extract RTP packets using tshark (version 3.6.1). For UDP this works fine and I get the following output:

27 0.458323526    10.0.0.3 → 10.0.0.1 RTP 66 PT=DynamicRTP-Type-96, SSRC=0x9291B292, Seq=19574, Time=232402115
28 0.458435984    10.0.0.3 → 10.0.0.1 RTP 59 PT=DynamicRTP-Type-96, SSRC=0x9291B292, Seq=19575, Time=232402115
29 0.458677981    10.0.0.3 → 10.0.0.1 RTP 1442 PT=DynamicRTP-Type-96, SSRC=0x9291B292, Seq=19576, Time=232402115
30 0.458696067    10.0.0.3 → 10.0.0.1 RTP 1442 PT=DynamicRTP-Type-96, SSRC=0x9291B292, Seq=19577, Time=232402115
31 0.458714425

This is exactly what I am looking for. However, for QUIC I am struggling to produce equivalent output. By providing the SSL keys I am able to decrypt the QUIC packets and view the stream data but I have been unable to decode this data as RTP packets. As a last resort, I am considering passing -O quic to tshark and extracting the first 4 bytes from the stream data for each packet In order to identify the RTP sequence number but I feel that there must be a better way.

Unfortunately, I am unable to upload the pcap files I am working with due to my account being new. Does anyone know how I would extract the RTP sequence numbers from a pcap of a QUIC transmission?

edit retag flag offensive close merge delete

Comments

Put the file(s) you would like to share on a public file share - Dropbox, Google, Microsoft, ... - then update your question with a link to them.

Chuckc gravatar imageChuckc ( 2022-02-01 03:28:31 +0000 )edit

Could you verify that the data should be in the 'stream data'? The stream date is like TCP over QUIC. I guess you have to look for the DG (Datagram) in the trace, which is the equivalent to UDP over QUIC.

Jürgen gravatar imageJürgen ( 2022-03-15 17:00:55 +0000 )edit