# Revision history

### Strange Phenomenon in Analysing RTP

I am tapping into an RTP stream between host A and B with a passive Ethernet adaptor (see tutorials). Both interfaces on A and B are configured as 10bT full duplex.

When I tap into the RTP stream A>B, I get the stream decoded as RTP.

When I tap into the RTP stream B>A, RTP is not recognized.

Below is the Hex Dump of the RTP packet:

HEX DUMP RTP B>A : no RTP recognition, UNICAST

0000  80 00 04 31 00 02 9e a0  44 5e 61 58 48 02 08 db   ...1.... D^aXH...
0010  18 93 42 11 38 92 5a e1  4a 9a aa 5b bf 4e d5 f6   ..B.8.Z. J..[.N..
0020  e8 d9 33 63 85 6e 9b b7  a8                        ..3c.n.. .

HEX DUMP RTP A>B : with RTP recognition, MULTICAST

0000  80 00 1b 8d c9 f1 38 20  50 e1 5b 9c 48 8a 6a ba   ......8  P.[.H.j.
0010  7a 10 d1 c1 0c 37 3d 83  95 64 bc d0 74 89 9c ed   z....7=. .d..t...
0020  79 7b 23 31 95 46 d0 86  2f 51 19 8e 42 3b 4d a1   y{#1.F.. /Q..B;M.
0030  f5 fa 47 94 d1 59 85 96  71 4b b0                  ..G..Y.. qK.

As you can see the first 4 octets in the RTP header are equal. The rest is time stamp and SSRC. What can make the difference? The only difference in the RTP streams is that A>B is multicast and B>A is unicast.

Regards Sporex

### Strange Phenomenon in Analysing RTP

I am tapping into an RTP stream between host A and B with a passive Ethernet adaptor (see tutorials). Both interfaces on A and B are configured as 10bT full duplex.

When I tap into the RTP stream A>B, I get the stream decoded as RTP.

When I tap into the RTP stream B>A, RTP is not recognized.

Below is the Hex Dump of the RTP packet:

HEX DUMP RTP B>A : no RTP recognition, UNICAST

0000  80 00 04 31 00 02 9e a0  44 5e 61 58 48 02 08 db   ...1.... D^aXH...
0010  18 93 42 11 38 92 5a e1  4a 9a aa 5b bf 4e d5 f6   ..B.8.Z. J..[.N..
0020  e8 d9 33 63 85 6e 9b b7  a8                        ..3c.n.. .

HEX DUMP RTP A>B : with RTP recognition, MULTICAST

0000  80 00 1b 8d c9 f1 38 20  50 e1 5b 9c 48 8a 6a ba   ......8  P.[.H.j.
0010  7a 10 d1 c1 0c 37 3d 83  95 64 bc d0 74 89 9c ed   z....7=. .d..t...
0020  79 7b 23 31 95 46 d0 86  2f 51 19 8e 42 3b 4d a1   y{#1.F.. /Q..B;M.
0030  f5 fa 47 94 d1 59 85 96  71 4b b0                  ..G..Y.. qK.

As you can see the first 2 octets in the RTP header are equal. The rest is sequence number, time stamp and SSRC which must obviously be different. What can make the difference in detection? The only difference in the RTP streams is that A>B is multicast and B>A is unicast.

Regards Sporex

Revision 3: grahamb

### Strange Phenomenon in Analysing RTP

I am tapping into an RTP stream between host A and B with a passive Ethernet adaptor (see tutorials). Both interfaces on A and B are configured as 10bT full duplex.

When I tap into the RTP stream A>B, I get the stream decoded as RTP.

When I tap into the RTP stream B>A, RTP is not recognized.

Below is the Hex Dump of the RTP packet:

HEX DUMP RTP B>A : no RTP recognition, UNICAST

0000  **80 00 04 31** 00 02 9e a0  44 5e 61 58 48 02 08 db   ...1.... D^aXH...
0010  18 93 42 11 38 92 5a e1  4a 9a aa 5b bf 4e d5 f6   ..B.8.Z. J..[.N..
0020  e8 d9 33 63 85 6e 9b b7  a8                        ..3c.n.. .


HEX DUMP RTP A>B : with RTP recognition, MULTICAST

0000  **80 00 1b 8d** c9 f1 38 20  50 e1 5b 9c 48 8a 6a ba   ......8  P.[.H.j.
0010  7a 10 d1 c1 0c 37 3d 83  95 64 bc d0 74 89 9c ed   z....7=. .d..t...
0020  79 7b 23 31 95 46 d0 86  2f 51 19 8e 42 3b 4d a1   y{#1.F.. /Q..B;M.
0030  f5 fa 47 94 d1 59 85 96  71 4b b0                  ..G..Y.. qK.


As you can see the first 2 octets in the RTP header are equal. The rest is sequence number, time stamp and SSRC which must obviously be different. What can make the difference in detection? The only difference in the RTP streams is that A>B is multicast and B>A is unicast.

Regards Sporex
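
Decoding the fixed RTP header (RFC 3550) of both dumps field by field shows which header values the two directions share and which differ. This is an added example, not part of the original post; it only parses the posted bytes and does not model how Wireshark chooses a dissector. The names `parse_rtp` and `differing_fields` are illustrative.

```python
import struct

# Bytes transcribed from the two hex dumps in the post.
DUMP_B_TO_A = bytes.fromhex(
    "80 00 04 31 00 02 9e a0 44 5e 61 58 48 02 08 db"
    "18 93 42 11 38 92 5a e1 4a 9a aa 5b bf 4e d5 f6"
    "e8 d9 33 63 85 6e 9b b7 a8")
DUMP_A_TO_B = bytes.fromhex(
    "80 00 1b 8d c9 f1 38 20 50 e1 5b 9c 48 8a 6a ba"
    "7a 10 d1 c1 0c 37 3d 83 95 64 bc d0 74 89 9c ed"
    "79 7b 23 31 95 46 d0 86 2f 51 19 8e 42 3b 4d a1"
    "f5 fa 47 94 d1 59 85 96 71 4b b0")


def parse_rtp(pkt):
    """Decode the RFC 3550 fixed header; raise ValueError if lengths are inconsistent."""
    if len(pkt) < 12:
        raise ValueError("shorter than the 12-byte fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    hdr = {
        "version": b0 >> 6, "padding": bool(b0 & 0x20),
        "extension": bool(b0 & 0x10), "csrc_count": b0 & 0x0F,
        "marker": bool(b1 & 0x80), "payload_type": b1 & 0x7F,
        "sequence": seq, "timestamp": ts, "ssrc": ssrc,
    }
    offset = 12 + 4 * hdr["csrc_count"]          # skip the CSRC list
    if hdr["extension"]:                         # 4-byte extension header + N 32-bit words
        if len(pkt) < offset + 4:
            raise ValueError("truncated extension header")
        offset += 4 + 4 * struct.unpack("!H", pkt[offset + 2:offset + 4])[0]
    if offset > len(pkt):
        raise ValueError("header fields run past the end of the packet")
    payload_len = len(pkt) - offset
    if hdr["padding"]:                           # last octet holds the padding count
        pad = pkt[-1] if payload_len else 0
        if not 1 <= pad <= payload_len:
            raise ValueError("invalid padding count")
        payload_len -= pad
    hdr["payload_len"] = payload_len
    return hdr


def differing_fields(a, b):
    """Names of the decoded fields whose values differ between two packets."""
    ha, hb = parse_rtp(a), parse_rtp(b)
    return sorted(k for k in ha if ha[k] != hb[k])


if __name__ == "__main__":
    for name, pkt in (("B>A", DUMP_B_TO_A), ("A>B", DUMP_A_TO_B)):
        print(name, parse_rtp(pkt))
    print("differ:", differing_fields(DUMP_B_TO_A, DUMP_A_TO_B))
```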