Wireshark-users: Re: [Wireshark-users] Dissecting RTP: false positives
From: "Anders Broman" <a.broman@xxxxxxxxx>
Date: Tue, 25 Nov 2008 07:26:13 +0100
Hi,
Your analysis is correct. I think conversations are set up indefinitely.
We would need something like a last frame indication, a conversation only
exists between frame x and y and a way to set that
when a call is terminated.
Regards
Anders

-----Original message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On behalf of Thuy Nguyen
Sent: 25 November 2008 05:29
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Dissecting RTP: false positives

Hi,

I am using tshark 0.99.7 to filter out RTP traffic from a tcpdump trace
file. I have discovered that 3 DNS streams had been dissected as RTP
traffic. 
I am trying to work out the reason for those false positives.

I have looked through the code, including packet-rtp.c and packet-sdp.c
files. From what I understood, my hypothesis is that:

Only the SDP information, which consists of the source IP address and source
port (media port), is used to register an RTP conversation. This registration
will be used to dissect subsequent RTP packets.

In my case, the DNS streams had the same source IP address and source port
as a previously registered RTP session. Hence they were dissected as RTP
streams.

My questions are: Did I understand it correctly? From the SDP session
description information, how long is an RTP session registered for?

Has anyone encountered this before? Any suggestions or hints on where I
could find information to answer my questions would be much appreciated.

Thank you very much for your time.

Thuy Nguyen. 
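A small model of the behaviour discussed in both messages, added here as an illustration and not code from Wireshark itself: a conversation table keyed on the SDP-advertised source address and port, with the open-ended registration (the false-positive case) beside the frame-bounded variant Anders suggests. The trace, the terminate() call and the port-53 fallback are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Conversation:
    dissector: str
    setup_frame: int
    last_frame: Optional[int] = None  # None: open-ended, never expires


class ConversationTable:
    """Keyed on (source address, source port), as the SDP-driven RTP setup is."""

    def __init__(self):
        self._convs = {}

    def register(self, addr, port, dissector, setup_frame):
        self._convs.setdefault((addr, port), []).append(
            Conversation(dissector, setup_frame))

    def terminate(self, addr, port, last_frame):
        # Hypothetical "last frame indication": close any open conversation on this key.
        for conv in self._convs.get((addr, port), []):
            if conv.last_frame is None:
                conv.last_frame = last_frame

    def lookup(self, addr, port, frame):
        for conv in self._convs.get((addr, port), []):
            in_range = conv.last_frame is None or frame <= conv.last_frame
            if frame >= conv.setup_frame and in_range:
                return conv.dissector
        return None


def dissect(table, frames):
    """A conversation match wins over the port-based fallback (constructed rule)."""
    labels = []
    for num, src, sport, dport in frames:
        conv = table.lookup(src, sport, num)
        labels.append(conv or ("dns" if 53 in (sport, dport) else "data"))
    return labels


# Constructed trace: SDP in frame 10 advertises 10.0.0.5:20000 as the media port,
# the call ends at frame 20, and the same socket later sends DNS queries.
FRAMES = [(11, "10.0.0.5", 20000, 30000), (12, "10.0.0.5", 20000, 30000),
          (30, "10.0.0.5", 20000, 53), (31, "10.0.0.5", 20000, 53)]


def run(bounded):
    table = ConversationTable()
    table.register("10.0.0.5", 20000, "rtp", setup_frame=10)
    if bounded:
        table.terminate("10.0.0.5", 20000, last_frame=20)
    return dissect(table, FRAMES)
```

With the open-ended registration the two DNS frames come back labelled rtp; once the conversation is closed at frame 20 they fall through to the port-based dissector.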



_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users