Ethereal-dev: RE: [Ethereal-dev] RE: [Ethereal-users] Not seeing RTP or RTCP traffic on Win2K

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Joe Aiello" <Joe.Aiello@xxxxxxxxxxxx>
Date: Thu, 18 Apr 2002 08:06:37 -0700
That might be in their bag of tricks, but they use some other method too.
In the example I originally sent, I used Ethereal to filter everything but
100 RTP packets.  Sniffer Basic (Version 3.05 for Windows) loaded the file
and displayed all packets as RTP.

I am not suggesting that Ethereal should do anything different than it does
today.  Using the "Decode As" option works great for RTP, RTCP and many other
protocols.  I was hoping that the future might have Ethereal able to save
as the Sniffer Windows 2.xx .cap format.

Thanks for your reply,

Joe


-----Original Message-----
From: Ed Warnicke [mailto:hagbard@xxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, April 17, 2002 3:14 PM
To: Joe Aiello
Cc: Guy Harris; ethereal-dev@xxxxxxxxxxxx
Subject: RE: [Ethereal-dev] RE: [Ethereal-users] Not seeing RTP or RTCP traffic on Win2K

Joe,
        I suspect that sniffer is identifying the RTP packets by
looking at the session setup protocols ( MGCP/H323/SIP/Megaco )
which negotiate those RTP streams between the parties on the
network.  Ethereal could do this, but currently doesn't. 

Ed
On Wed, 2002-04-17 at 17:49, Joe Aiello wrote:
> I think this was misleading.  "Sniffer WAN files" is terminology in Sniffer
> (in their save/as dialog).  WAN seems to refer more to their current Windows
> version file format.  They are not PPP, but Ethernet captures.  Since
> Ethereal can already read the format (as identified in Ethereal as Sniffer
> Windows 2.00x), someone knows the file format.
>
> The reason we originally talked about this was that I have a custom tool
> that will extract the audio payload and create sound files from the Sniffer
> Windows format capture files.  I use Ethereal to capture and filter the
> traffic and save to Sniffer DOS format.  I then read this in to Sniffer and
> save as a "Sniffer WAN" .cap file.  I can then use my tool to create the
> sound files.
>
> As for RTP, they do it somehow and I have yet to have a misrepresented
> packet.  Since RTP ports change all the time (Cisco uses 16K ports), I know
> there is no pre-configured port map.  I use Ethereal all the time and use
> the "Decode As" option often and it works perfectly (for both halves of the RTP
> conversation).
>
> Thanks for looking at it.
>
> Joe
>
>
> -----Original Message-----
> From: Guy Harris [mailto:guy@xxxxxxxxxx]
> Sent: Wednesday, April 17, 2002 2:36 PM
> To: Joe Aiello
> Cc: ethereal-dev@xxxxxxxxxxxx
> Subject: Re: [Ethereal-dev] RE: [Ethereal-users] Not seeing RTP or RTCP
> traffic on Win2K
>
> On Wed, Apr 17, 2002 at 11:44:45AM -0700, Joe Aiello wrote:
> > I noticed that Ethereal can read the Sniffer WAN .cap files and indicate that
> > it is a "Network Associates Sniffer (Windows-Based) 2.00x" format.  This is
> > displayed if you select file/save as.  It seems the work to decode the
> > format is there, just not to save as.
>
> Unfortunately, it appears that Sniffer WAN (PPP) captures look like
> Ethernet captures; we'd have to implement code in Wiretap to translate
> PPP headers to Ethernet headers (including mapping protocol types - and,
> presumably, *discarding* packets for protocols that have PPP types but
> not Ethernet types) to be able to save them.
>
> I will not be doing that any time soon.  My plate is already massively
> over-full with other things....
>
> > As for RTP, they must look at the UDP packets and check for the RTP header.
>
> Perhaps they do, but, for what it's worth, we don't.  I'm not sure I see
> anything immediately obvious that would work well as a heuristic to
> detect RTP.  (Are you certain the Sniffer isn't configured to treat
> either port 1062 or port 17654 as RTP ports?)
>
> So, until somebody can come up with a heuristic to detect RTP traffic
> *without* bogusly treating a bunch of non-RTP traffic as RTP, you'll
> either have to use the Sniffer, or use the "Decode As" option in
> Ethereal to force it to decode particular ports as particular protocols
> (selecting the first packet, selecting "Decode As..." from the Tools
> menu, selecting the source or destination port, selecting "RTP" from
> the list of protocols, and clicking "OK" causes it to show that traffic
> as RTP traffic).
>
>
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev
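The two detection approaches argued over in this thread, side by side, as an added example that is not part of the original messages and not Ethereal's own code: learning the media port from the session-setup protocol (Ed's suggestion, here an SDP body as carried in a SIP INVITE) and a per-flow heuristic on the RTP fixed header (Joe's guess at what Sniffer does). The addresses, ports, SSRC and SDP text are constructed. The decoy flow shows Guy's concern in concrete form: a single-packet check on the version bits lets 1 in 4 random payloads through, so the heuristic only accepts a flow once several packets share an SSRC and advance the sequence number by one.

```python
"""Added example, not Ethereal/Wireshark code: RTP detection by session
setup (SDP) and by a per-flow header heuristic.  All sample data is constructed."""
import re
import struct
from collections import defaultdict

RTP_VERSION = 2
RTCP_CONFLICT_PTS = range(72, 77)  # RTP PT 72-76 would be RTCP packet types 200-204
MIN_FLOW_PACKETS = 3               # packets a flow must show before it is called RTP


def parse_rtp_header(payload):
    """Parse the 12-byte RTP fixed header (RFC 3550, section 5.1).
    Returns a dict of the fields, or None if the bytes cannot be an RTP header."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != RTP_VERSION:
        return None
    cc = b0 & 0x0F
    if len(payload) < 12 + 4 * cc:
        return None  # the CSRC list would run past the end of the packet
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq,
            "ts": ts, "ssrc": ssrc, "cc": cc}


def looks_like_rtp_packet(payload):
    """Per-packet heuristic only: version == 2 and a PT that is not really RTCP.
    Cheap, but random bytes pass the version check one time in four."""
    hdr = parse_rtp_header(payload)
    return hdr is not None and hdr["pt"] not in RTCP_CONFLICT_PTS


def learn_rtp_ports_from_sdp(sdp_text):
    """Session-setup approach: read the media port from the SDP offer/answer.
    Assumes a session-level c= line precedes the m= lines (constructed example)."""
    ports = set()
    conn = None
    for line in sdp_text.splitlines():
        line = line.strip()
        if line.startswith("c=IN IP4 "):
            conn = line.split()[2]
        m = re.match(r"m=(audio|video) (\d+) RTP/S?AVPF? ", line)
        if m and conn:
            ports.add((conn, int(m.group(2))))
    return ports


def classify_flows(packets):
    """packets: iterable of (src, sport, dst, dport, payload).
    A flow is called RTP only if every packet parses, all share one SSRC and
    the sequence numbers advance by exactly one (mod 2**16)."""
    flows = defaultdict(list)
    for src, sport, dst, dport, payload in packets:
        flows[(src, sport, dst, dport)].append(payload)
    verdict = {}
    for flow, payloads in flows.items():
        hdrs = [parse_rtp_header(p) for p in payloads]
        ok = (len(hdrs) >= MIN_FLOW_PACKETS
              and all(h is not None and h["pt"] not in RTCP_CONFLICT_PTS for h in hdrs)
              and len({h["ssrc"] for h in hdrs}) == 1
              and all((b["seq"] - a["seq"]) % 65536 == 1 for a, b in zip(hdrs, hdrs[1:])))
        verdict[flow] = "rtp" if ok else "not-rtp"
    return verdict


def make_rtp(seq, ts, ssrc, pt=0, payload=b"\xd5" * 160):
    """Build one RTP packet: V=2, no padding/extension/CSRC, marker clear."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload


# Constructed SDP body, as it would appear inside a SIP INVITE.
SAMPLE_SDP = """v=0
o=- 1 1 IN IP4 10.0.0.1
s=-
c=IN IP4 10.0.0.1
t=0 0
m=audio 16384 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
"""

SAMPLE_PACKETS = (
    # constructed G.711 stream, five consecutive packets, one SSRC
    [("10.0.0.1", 16384, "10.0.0.2", 17654, make_rtp(1000 + i, 160 * i, 0x1234ABCD))
     for i in range(5)]
    # constructed decoy: first byte 0x80 so each packet passes the version check,
    # but the SSRC differs from packet to packet
    + [("10.0.0.9", 4000, "10.0.0.2", 4001,
        bytes([0x80, 0x00, 0x00, i, 0, 0, 0, i, 0xDE, 0xAD, i, i]) + b"\x00" * 20)
       for i in range(5)]
)

if __name__ == "__main__":
    print("ports from SDP:", learn_rtp_ports_from_sdp(SAMPLE_SDP))
    for flow, v in classify_flows(SAMPLE_PACKETS).items():
        print(flow, "->", v)
```

Run as-is it prints the learned port (10.0.0.1, 16384) and marks the first flow RTP and the decoy not-RTP, even though `looks_like_rtp_packet` returns True for every decoy packet. In a real dissector the SDP-derived ports would be registered for the RTP dissector and the heuristic kept as a fallback, which is the "Decode As" behaviour the thread describes, automated.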