Many of you will have noticed that when you open a packet capture containing RTP from voice calls, many of the RTP packets show up as plain UDP: Wireshark was not able to detect the UDP payload as RTP.

If you right-click any such packet and select ‘Decode As’ RTP, then Wireshark correctly detects the packets as RTP streams. However, if you have something like 100 undetected streams in a capture, it becomes a headache to repeat this step manually for every stream.

The reason some streams get detected while others go undetected is that Wireshark is by default set up to detect only RTP streams which were part of a ‘conversation’, i.e. a call setup.
So if you have the SIP setup messages for a call, then its RTP packets will also be detected, but if there were already some active calls for which you only managed to capture the RTP packets, then those RTP streams won’t be detected.

However, the great thing is that you can change this behavior.
Go to Edit > Preferences > Protocols > RTP and select the check-box next to ‘Try to decode RTP outside of conversations’.

Now, no matter what, all the RTP streams will be detected.
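
Without the SIP setup there is nothing to say which UDP ports carry audio, so decoding ‘outside of conversations’ means guessing from the UDP payload itself. The sketch below is an added example, not part of the original post and not Wireshark's dissector code: a simplified heuristic that accepts a flow as RTP only if the fixed header (RFC 3550) parses and the sequence numbers advance steadily. The thresholds and the sample datagrams are constructed assumptions.

```python
import struct
from collections import defaultdict

RTP_MIN_HEADER = 12  # fixed RTP header size in bytes (RFC 3550)

def parse_rtp_header(payload):
    """Return (payload_type, seq, ssrc) if the payload looks like RTP v2, else None."""
    if len(payload) < RTP_MIN_HEADER:
        return None
    b0, b1, seq, _ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:                      # version field must be 2
        return None
    if len(payload) < RTP_MIN_HEADER + 4 * (b0 & 0x0F):  # room for CSRC list
        return None
    pt = b1 & 0x7F
    if 72 <= pt <= 76:                    # would collide with RTCP types 200-204
        return None
    return pt, seq, ssrc

def find_rtp_streams(datagrams, min_packets=3, max_gap=5):
    """datagrams: iterable of (src, sport, dst, dport, udp_payload).
    Returns {(src, sport, dst, dport, ssrc): packet_count} for likely RTP flows."""
    seqs = defaultdict(list)
    for src, sport, dst, dport, payload in datagrams:
        hdr = parse_rtp_header(payload)
        if hdr:
            _pt, seq, ssrc = hdr
            seqs[(src, sport, dst, dport, ssrc)].append(seq)
    streams = {}
    for key, s in seqs.items():
        # Sequence numbers must step forward modulo 2^16, tolerating small loss.
        steps = [(b - a) & 0xFFFF for a, b in zip(s, s[1:])]
        if len(s) >= min_packets and all(1 <= d <= max_gap for d in steps):
            streams[key] = len(s)
    return streams

def _rtp(pt, seq, ts, ssrc, body=b"\x00" * 160):
    """Build a constructed RTP packet: V=2, no padding, extension or CSRC."""
    return struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, ts, ssrc) + body

# Constructed sample: one mid-call G.711 stream (sequence wraps past 65535),
# one DNS-like datagram, and one flow that starts with 0x80 but is not RTP.
SAMPLE = [("10.0.0.1", 16384, "10.0.0.2", 20000, _rtp(0, 65534 + i, 160 * i, 0x1234ABCD))
          for i in range(4)]
SAMPLE.append(("10.0.0.3", 53124, "10.0.0.9", 53, b"\x12\x34\x01\x00" + b"\x00" * 20))
SAMPLE += [("10.0.0.4", 4000, "10.0.0.5", 4001, _rtp(0, n, 0, 0xDEADBEEF))
           for n in (10, 5000, 7)]

if __name__ == "__main__":
    for flow, count in find_rtp_streams(SAMPLE).items():
        print(flow, count)
```

The last sample flow shows why header-only detection is a heuristic: any UDP payload whose first byte starts with the bits `10` passes the version check, so the sequence-number test is what keeps it out of the results.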
