The tool for playing VoIP calls is called RTP Player. It shows RTP streams and its waveforms, allows play stream and export it as audio or payload to file. Its capabilities depends on supported codecs.
RTP Player is able to play any codec supported by an installed plugins. The codecs supported by RTP Player depend on the version of Wireshark you’re using. The official builds contain all of the plugins maintained by the Wireshark developers, but custom/distribution builds might not include some of those codecs. To check your Wireshark follow this procedure:
- open → window
- switch to tab
- select codec as
Wireshark can be used for RTP stream analysis. User can select one or more streams which can be played later. RTP Player window maintains playlist (list of RTP streams) for this purpose.
Playlist is created empty when RTP Player window is opened and destroyed when window is closed. RTP Player window can be opened on background when not needed and put to front later. During its live, playlist is maintained.
When RTP Player window is opened, playlist can be modified from other tools (Wireshark windows) in three ways:
- button → clears existing playlist and adds streams selected in the tool.
- button → adds streams selected in the tool to playlist. Duplicated streams are not inserted again.
- button → removes streams selected in the tool from playlist, if they are in the playlist.
When playlist is empty, there is no difference between and . When RTP Player window is not opened, all three actions above open it.
is useful e. g. in case user selected all RTP streams and wants to remove RTP streams from specific calls found with .
Tools below can be used to maintain content of playlist, they contain button. You can use one of procedures (Note: action is demonstrated):
- Open → → window, it will show all streams in the capture. Select one or more streams and then press . Selected streams are added to playlist.
-
Select any RTP packet in packet list, open → → window. It will show analysis of selected forward stream and its reverse stream (if is pressed during window opening). Then press . Forward and reverse stream is added to playlist.
- window can be opened from other tools too.
- Open → or → window, it will show all calls. Select one or more calls and then press . It will add all RTP streams related to selected calls to playlist.
- Open window in → or → window, it will show flow sequence of calls. Select any RTP stream and then press . It will add selected RTP stream to playlist.
![[Note]](wsug_graphics/note.svg) | Note |
|---|---|
|
Same approach with set/add/remove actions is used for RTP Stream Analysis window. The playlist is there handled as different tabs in the window, see RTP Stream Analysis window. |
RTP is carried usually in UDP packets, on random source and destination port. Therefore without "help" Wireshark can’t recognize it and shows just UDP packets. Wireshark recognizes RTP streams based on VoIP signaling, e. g. based on SDP message in SIP signaling. When signaling is not captured, Wireshark shows just UDP packets. There are multiple settings which helps Wireshark to recognize RTP even there is no related signaling.
You can use Decode As… function from → menu or in mouse context menu. Here you can set that traffic on specific source or destination should be decoded as RTP. You can save settings for later use.
Use of menu works fine, but for many streams it is arduous.
You can enable heuristic dissector in → . See Section 11.4, “Control Protocol dissection” for details. Once is enabled, Wireshark tries every UDP packet to decode as RTP. If decoding is possible, packet (and entire UDP stream) is decoded as RTP.
When RTP stream uses well know port, heuristic dissector ignores it. So you might miss some RTP streams. You can enable setting for udp protocol → → → , see Section 11.5, “Preferences”. In this case heuristics dissector tries to decode UDP packet even it uses well known.
| Note |
|---|---|
|
Take into account that heuristics is just simple "test" whether packet can be read as RTP. It can be false positive and you can see decoded as RTP more UDP packets than expected. When you enable → , it increases possibility of false positives. If you capture all traffic in network, false positives rate can be quite high. |
Processing of RTP and decoding RTP voice takes resources. There are raw estimates you can use as guidelines…
RTP Streams window can show as many streams as found in the capture. Its performance is limited just by memory and CPU.
RTP Player can handle 1000+ streams, but take into account that waveforms are very small in this case.
RTP Player creates temporary file for decoding of each stream. If your OS or user has OS enforced limit for count of opened files (most of Unix/Linux systems), you can see less streams that was added to playlist. Warnings are printed on console in this case and you will see less streams in the playlist than you send to it from other tools.
RTP Player plays audio by OS sound system and OS is responsible for mixing audio when multiple streams are played. In many cases OS sound system has limited count of mixed streams it can play/mix. RTP Player tries to handle playback failures and show warning. If it happens, just mute some streams and start playback again.
RTP Analysis window can handle 1000+ streams, but it is difficult to use it with so many streams - it is difficult to navigate between them. It is expected that RTP Analysis window will be used for analysis of lower tens of streams.