# Revision history [back]

### Decode TURN Traffic as RTP

Hey Guys,

i dont find a stable solution to convert recorded TURN Traffic with Wireshark to a RTP Stream to analyze it. Hope you can help me :)

If I have a tcp dump with a Turn Session, I have the following Problem:

• RTP is encapsulated in TURN | https://tools.ietf.org/rfc/rfc5766.txt

11.4.  The ChannelData Message

The ChannelData message is used to carry application data between the
client and the server.  It has the following format:

0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Channel Number        |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
/                       Application Data                        /
/                                                               /
|                                                               |
|                               +-------------------------------+
|                               |
+-------------------------------+

• The TURN Packte bring 4 bytes around the RTP Data and will be encoded as STUN packet

• Use the "decode as" function does'nt help, because Wireshark then will interpret the TURN header as RTP header with it result in a wrong RTP Version. (RTP Version=1)

Is there any way to remove the enclosing 4bytes from the TURN header (without export manual search&replace) to decode the package as RTP?

The goal should be to see the RTP Header, and can work with the Stream in VoIP::RTP::RTP Stream

Thanks and best regards, Basti

### Decode TURN Traffic as RTP

Hey Guys,

i dont find a stable solution to convert recorded TURN Traffic with Wireshark to a RTP Stream to analyze it. Hope you can help me :)

If I have a tcp dump with a Turn Session, I have the following Problem:

• RTP is encapsulated in TURN | https://tools.ietf.org/rfc/rfc5766.txt

11.4.  The ChannelData Message

The ChannelData message is used to carry application data between the
client and the server.  It has the following format:

0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Channel Number        |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
/                       Application Data                        /
/                                                               /
|                                                               |
|                               +-------------------------------+
|                               |
+-------------------------------+

• The TURN Packte bring 4 bytes around the RTP Data and will be encoded as STUN packet

• Use the "decode as" function does'nt help, because Wireshark then will interpret the TURN header as RTP header with it result in a wrong RTP Version. (RTP Version=1)

Is there any way to remove the enclosing 4bytes from the TURN header (without export manual search&replace) to decode the package as RTP?

The goal should be to see the RTP Header, and can work with the Stream in VoIP::RTP::RTP Stream

Thanks and best regards, Basti

### Decode TURN Traffic as RTP

Hey Guys,

i dont find a stable solution to convert recorded TURN Traffic with Wireshark to a RTP Stream to analyze it. Hope you can help me :)

If I have a tcp dump with a Turn Session, I have the following Problem:

• RTP is encapsulated in TURN | https://tools.ietf.org/rfc/rfc5766.txt

11.4.  The ChannelData Message

The ChannelData message is used to carry application data between the
client and the server.  It has the following format:

0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Channel Number        |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
/                       Application Data                        /
/                                                               /
|                                                               |
|                               +-------------------------------+
|                               |
+-------------------------------+

• The TURN Packte bring 4 bytes around the RTP Data and will be encoded as STUN packet

• Use the "decode as" function does'nt help, because Wireshark then will interpret the TURN header as RTP header with it result in a wrong RTP Version. (RTP Version=1)

Is there any way to remove the enclosing 4bytes from the TURN header (without export manual search&replace) to decode the package as RTP?

The goal should be to see the RTP Header, and can work with the Stream in VoIP::RTP::RTP Stream

Thanks and best regards, Basti