Ethereal-dev: RE: [Ethereal-dev] RE: [Ethereal-users] Not seeing RTP or RTCP tr affic on Win2K

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Index Thread Index Other Months All Mailing Lists
Date Prev Date Next Thread Prev Thread Next
From: "Joe Aiello" <Joe.Aiello@xxxxxxxxxxxx>
Date: Wed, 17 Apr 2002 14:49:10 -0700
I think this was misleading.  Sniffer WAN files is terminology in Sniffer
(in their save/as dialog).  WAN seems to refer more to their current Windows
version file format.  They are not PPP, but Ethernet captures.  Since
Ethereal can already read the format (as identified in Ethereal as Sniffer
Windows 2.00x), someone knows the file format.

The reason we originally talked about this was that I have a custom tool
that will extract the audio payload and create sound files from the Sniffer
Windows format capture files.  I use Ethereal to capture and filter the
traffic and save to Sniffer DOS format.  I then read this in to Sniffer and
save as a "Sniffer WAN"  .cap file.  I can then use my tool to create the
sounds files.  

As for RTP, they do it somehow and I have yet to have a misrepresented
packet.  Since RTP ports change all the time (Cisco uses 16K ports), I know
there is no pre-configured port maps. I use Ethereal all the time and use
the "decode as" often and it works perfectly (for both halves of the RTP
conversation).

Thanks for looking at it.

Joe


-----Original Message-----
From: Guy Harris [mailto:guy@xxxxxxxxxx]
Sent: Wednesday, April 17, 2002 2:36 PM
To: Joe Aiello
Cc: ethereal-dev@xxxxxxxxxxxx
Subject: Re: [Ethereal-dev] RE: [Ethereal-users] Not seeing RTP or RTCP
traffic on Win2K

On Wed, Apr 17, 2002 at 11:44:45AM -0700, Joe Aiello wrote:
> I noticed that Ethereal can read the Sniffer WAN.cap files and indicate
that
> it is a "Network Associates Sniffer (Windows-Based) 2.00x format.  This is
> displayed if you select file/save as.  It seems the work to decode the
> format is there, just not to save as.

Unfortunately, it appears that Sniffer WAN (PPP) captures look like
Ethernet captures; we'd have to implement code in Wiretap to translate
PPP headers to Ethernet headers (including mapping protocol types - and,
presumably, *discarding* packets for protocols that have PPP types but
not Ethernet types) to be able to save them.

I will not be doing that any time soon.  My plate is already massively
over-full with other things....

> As for RTP, they must look at the UDP packets and check for the RTP
header.

Perhaps they do, but, for what it's worth, we don't.  I'm not sure I see
anything immediately obvious that would work well as a heuristic to
detect RTP.  (Are you certain the Sniffer isn't configured to treat
either port 1062 or port 17654 as RTP ports?)

So, until somebody can come up with a heuristic to detect RTP traffic
*without* bogusly treating a bunch of non-RTP traffic as RTP, you'll
either have to use the Sniffer, or use the "Decode As" option in
Ethereal to force it to decode particular ports as particular protocols
(selecting the first packet, selecting "Decode As..." from the Tools
menu, selecting the source or destination port, selecting "RTP" from
the list of protocols, and clicking "OK" causes it to show that traffic
as RTP traffic).