This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

decoding the data in RTSP interleaved packets as RTP

0

I was wondering how to decode the data in RTSP interleaved packets as RTP, like when in case of rtp over udp, we can use the 'decode as' feature on the UDP packet and select RTP and can see the RTP headers. I want to do something similar in RTSP interleaved case.

asked 01 Dec '16, 21:50

streamfanatic's gravatar image

streamfanatic
6112
accept rate: 0%


One Answer:

0

Have you tried Decode As RTSP? Interleaved data is a feature of RTSP (see RFC 2326, Section 10.12).

answered 03 Dec '16, 02:51

Lekensteyn's gravatar image

Lekensteyn
2.2k3724
accept rate: 30%

Let me try and explain what I mean, Generally in RTSP/RTP streaming the RTSP protocol controls the stream and is usually over TCP, and the actual stream data is sent over UDP on a different port after RTP packetization, so in wireshark one would see a seperate UDP and TCP stream. This UDP stream can then be decoded as RTP using the menu options, this allows wireshark to display the RTP header fields, this helps in analyzing it also we can extract the stream from the RTP packetized stream.

Now coming to RTSP interleave case, the RTP packets and the RTSP commmands both are sent over the same protocol on the same port, the RTP packets are preceeded by a small header and interleaved with the RTSP commands, what I am looking to get done is to somehow decode these interleaved RTP packets and see the RTP header values and extract the encoded stream.

I hope this gives some clarity, do let me know if there is a way to do this with wireshark.

(05 Dec '16, 01:11) streamfanatic

This is handled by the RTSP dissector. When it sees a packet beginning with $, it assumes interleaved RTSP/RTP and it will invoke the appropriate subdissector (RTP/RTCP). If a stream is not recognized as RTSP, you can use the Decode As functionality as mentioned in my answer.

Have you tried this already? It is supposed to be supported by Wireshark.

(05 Dec '16, 01:20) Lekensteyn

I can see the packets as RTSP interleaved in wireshark, but I am looking to find a way to decode the data that follows the header that starts with $, this data is RTP, but I am not sure how to see this as RTP or extract this packet using wireshark.

(05 Dec '16, 01:38) streamfanatic

The following data is supposed to be decoded automatically as RTP. If not, do you have a capture file that demonstrates the issue?

(05 Dec '16, 02:01) Lekensteyn

I have the file, but at work I am restricted, I wont be able to share the capture. The dissector doesnt seem to be working in this case. I am using Version 1.12.4 (v1.12.4-0-gb4861da from master-1.12) dont think the version is the issue though.

(05 Dec '16, 03:45) streamfanatic

13 0.100180000 10.1.29.34 10.1.29.26 TCP 605 Interleaved channel 0x00, 2007 bytes

(05 Dec '16, 03:47) streamfanatic

Please try with 2.0 or newer, there was a change (v1.99.8rc0-495-g093aef0) that allows further dissection of data as RTP.

(05 Dec '16, 04:30) Lekensteyn

tried with Version 2.0.5 (v2.0.5-0-ga3be9c6 from master-2.0) still the sub dissectors for rtp are'nt working.

(06 Dec '16, 04:48) streamfanatic

Consider filing a bug report at https://bugs.wireshark.org/bugzilla/ with a capture that demonstrates the issue, without more details it will be too much effort to find the issue.

(06 Dec '16, 05:20) Lekensteyn

Thanks Lekensteyn for your time. Appreciate it.

(06 Dec '16, 05:34) streamfanatic
showing 5 of 10 show 5 more comments