
I got a pcap file with voip conversation, how i can separate RTP packets from the other packets?

I can obtain SIP packets, but I can't differentiate the RTP packets from the rest.

unwind
user1027524

4 Answers


Search for RTP headers as defined in RFC 3550 within your file. Or better, use pcap-filter, for instance with this wiki (look for "Q: What is a good filter for just capturing SIP and RTP packets?").

Sebastian
  • +1 for filter and -1 for checking RTP header (it's unreliable and was designed for different purposes), so = 0 :) – Andriy Tylychko Dec 12 '11 at 14:58
  • However, that RTP filter does filter against the RTP header. If you want this reliable, you'll have to parse SIP, or whatever call control protocol is in use, extract the RTP information - SDP inside SIP will communicate the addresses and ports used for RTP, and go look for packets matching those values during the call (meaning you'll need a rudimentary call state machine for tracking the call as well) – nos Dec 12 '11 at 15:38

If you want to see the RTP traffic in wireshark then:

  1. Select Analyze->Display Filters...
  2. Select "UDP", OK
  3. Right click on any UDP packet and select "Decode as..."
  4. Select "RTP" from the list, OK
  5. Now you can see all RTP packets.

Hope that helps. :)

p.s. edited to note that this is for Wireshark. Thanks to a commenter for pointing that out!


Check @macs' recommendation about the pcap filter. If this cannot satisfy your needs (e.g. you need to filter out RTP packets of a specific SIP session), there's no simple way. You need to parse SIP messages, retrieve the RTP port numbers, take packets going to/from these ports in a particular time period and (optionally) check whether these packets are RTP by checking their headers (magic number in headers).

Andriy Tylychko

Open source software that extracts the RTP/RTCP packets from a pcap file includes:

From the source code you can view and understand the methodologies used.

> I can obtain SIP packets, but I can't differentiate the RTP packets from the rest.

If you are able to decode the SIP, then you can find the SDP message (inside the INVITE message). If you decode it you can find the IP and PORT of the RTP "stream" (and RTCP => port + 1). With this information you can uniquely identify the RTP and RTCP packets. Keep in mind that there are often packets (with the same IP-PORT) carrying the STUN protocol, which must be separated from RTP. You have to consider where the packet capture is (network context and constraints); you may need to take NAT into account.

Gianluca Costa
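One way to implement the SIP/SDP-driven approach described in the last two answers, as an added example that is not part of the original thread: it pulls the media IP and port from the INVITE's SDP, treats port + 1 as RTCP, and uses the RTP version bits and the STUN magic cookie to separate RTP, RTCP and STUN on those ports. The INVITE text and all packet bytes are constructed sample data; reading the pcap itself and the call state machine for the time window are left out.

```python
# Added example (not from the original thread): demultiplex UDP payloads on the
# ports a SIP INVITE's SDP announces, then tell RTP, RTCP and STUN apart.
import struct

STUN_MAGIC_COOKIE = 0x2112A442          # RFC 5389 STUN header, bytes 4..7

SAMPLE_INVITE = (                        # constructed; only the SDP body matters
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=- 1 1 IN IP4 10.0.0.1\r\ns=-\r\n"
    "c=IN IP4 10.0.0.1\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\na=rtpmap:0 PCMU/8000\r\n"
)

def sdp_media_endpoints(sip_message):
    """Return [(ip, rtp_port, rtcp_port)] from the SDP body of a SIP message."""
    sdp = sip_message.split("\r\n\r\n", 1)[1]   # SIP body follows the blank line
    ip, endpoints = None, []
    for line in sdp.splitlines():
        if line.startswith("c="):               # 'c=IN IP4 10.0.0.1' (session-level)
            ip = line.split()[-1]
        elif line.startswith("m="):             # 'm=audio 49170 RTP/AVP 0 8'
            port = int(line.split()[1])
            endpoints.append((ip, port, port + 1))  # RTCP = RTP port + 1 by convention
    return endpoints

def classify_udp(payload, dst_ip, dst_port, endpoints):
    """Label one UDP payload as 'rtp', 'rtcp', 'stun' or 'other'."""
    rtp_keys = {(ip, p) for ip, p, _ in endpoints}
    rtcp_keys = {(ip, q) for ip, _, q in endpoints}
    key = (dst_ip, dst_port)
    if key not in rtp_keys and key not in rtcp_keys:
        return "other"                           # not a media port of this call
    if (len(payload) >= 20 and payload[0] >> 6 == 0
            and struct.unpack("!I", payload[4:8])[0] == STUN_MAGIC_COOKIE):
        return "stun"                            # ICE/STUN shares the RTP port
    if len(payload) < 8 or payload[0] >> 6 != 2:
        return "other"                           # RTP/RTCP version field must be 2
    if key in rtcp_keys and 200 <= payload[1] <= 204:
        return "rtcp"                            # SR/RR/SDES/BYE/APP packet types
    return "rtp" if key in rtp_keys else "other"

def demo():
    endpoints = sdp_media_endpoints(SAMPLE_INVITE)
    rtp = bytes.fromhex("8000000100000a00deadbeef") + b"\xff" * 4   # V=2, PT=0 (PCMU)
    rtcp_sr = bytes.fromhex("80c80006deadbeef") + b"\x00" * 20     # V=2, PT=200 (SR)
    stun = bytes.fromhex("000100002112a442") + b"\x11" * 12         # Binding Request
    dns = bytes.fromhex("abcd01000001000000000000")                 # unrelated port
    return [classify_udp(rtp, "10.0.0.1", 49170, endpoints),
            classify_udp(rtcp_sr, "10.0.0.1", 49171, endpoints),
            classify_udp(stun, "10.0.0.1", 49170, endpoints),
            classify_udp(dns, "10.0.0.1", 53, endpoints)]
```

To apply it to a real capture, feed each UDP packet's destination IP, port and payload (from whatever pcap reader you use) into `classify_udp` with the endpoints parsed from the call's INVITE and its 200 OK answer.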