user1027524

Reputation: 151

How to separate RTP packets from the rest

I got a pcap file with a VoIP conversation. How can I separate RTP packets from the other packets?

I can obtain SIP packets, but I can't differentiate the RTP packets from the rest.

Upvotes: 4

Views: 3505

Answers (4)

Gianluca Costa

Reputation: 486

Open source software that extracts the RTP/RTCP packets from a pcap file:

From the source code you can view and understand the methodologies used.

> I can obtain SIP packets, but I can't differentiate the RTP packets from the rest.

If you are able to decode the SIP, then you can find the SDP message inside the INVITE message. If you decode it, you can find the IP and port of the RTP "stream" (and RTCP => port + 1). With this information you can uniquely identify the RTP and RTCP packets. Keep in mind that there are often packets (with the same IP and port) using the STUN protocol, which must be separated from RTP. You have to consider where the packet capture was taken (network context and constraints); you may need to take NAT into account.

Upvotes: 0

Andriy Tylychko

Reputation: 16256

Check @macs' recommendation about the PCap filter. If this cannot satisfy your needs (e.g. you need to filter out RTP packets of a specific SIP session), there's no simple way. You need to parse SIP messages, retrieve RTP port numbers, take packets going to/from these ports in a particular time period and (optionally) check whether these packets are RTP by checking their headers (magic number in headers).

Upvotes: 1

Fred Laughton

Reputation: 31

If you want to see the RTP traffic in Wireshark then:

  1. Select Analyze->Display Filters...
  2. Select "UDP", OK
  3. Right click on any UDP packet and select "Decode as..."
  4. Select "RTP" from the list, OK
  5. Now you can see all RTP packets.

Hope that helps. :)

P.S. Edited to note that this is for Wireshark. Thanks to a commenter for pointing that out!

Upvotes: 2

Sebastian

Reputation: 8154

Search for RTP headers as defined in RFC3550 within your file. Or better use pcap-filter, for instance with this wiki (look for "Q: What is a good filter for just capturing SIP and RTP packets?").

Upvotes: 1
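The SDP port lookup from the first answer and the RFC 3550 header check from the later answers, combined as an added example that is not part of any answer or of the tools mentioned. The function names are hypothetical, and it assumes the UDP payloads have already been pulled out of the pcap as `(src_ip, sport, dst_ip, dport, payload)` tuples, IPv4 addresses in the SDP, and RTCP on the RTP port + 1.

```python
import re
import struct

STUN_COOKIE = bytes.fromhex("2112a442")  # RFC 5389 magic cookie at bytes 4..7

def sdp_media_endpoints(sdp):
    """Return [(ip, rtp_port)] from the c= and m= lines of an SDP body."""
    session_ip, media = None, []
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]
            if media:
                media[-1][0] = addr      # media-level c= overrides session-level
            else:
                session_ip = addr
        elif m := re.match(r"m=\w+ (\d+) RTP/", line):
            media.append([session_ip, int(m.group(1))])
    return [tuple(x) for x in media]

def classify(payload):
    """Classify one UDP payload seen on a negotiated media port."""
    if len(payload) >= 20 and payload[0] >> 6 == 0 and payload[4:8] == STUN_COOKIE:
        return "stun"
    if len(payload) < 8 or payload[0] >> 6 != 2:   # RTP/RTCP version must be 2
        return "other"
    if 200 <= payload[1] <= 204:                   # RTCP SR, RR, SDES, BYE, APP
        return "rtcp"
    # Fixed RTP header is 12 bytes plus 4 bytes per CSRC entry
    return "rtp" if len(payload) >= 12 + 4 * (payload[0] & 0x0F) else "other"

def split_media(packets, sdp):
    """packets: (src_ip, sport, dst_ip, dport, udp_payload) tuples."""
    ports = set()
    for ip, port in sdp_media_endpoints(sdp):
        ports |= {(ip, port), (ip, port + 1)}      # RTCP assumed on RTP port + 1
    result = {"rtp": [], "rtcp": [], "stun": [], "other": []}
    for src, sport, dst, dport, payload in packets:
        on_media = (src, sport) in ports or (dst, dport) in ports
        result[classify(payload) if on_media else "other"].append(payload)
    return result

# Constructed sample data, not taken from a real capture
SAMPLE_SDP = "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n"
RTP_PKT = struct.pack("!BBHII", 0x80, 0, 1, 160, 0x1234) + b"\xff" * 160
RTCP_PKT = struct.pack("!BBHI", 0x80, 201, 1, 0x1234)
STUN_PKT = struct.pack("!HH", 0x0001, 0) + STUN_COOKIE + b"\x00" * 12
SAMPLE = [("198.51.100.7", 4000, "192.0.2.10", 49170, RTP_PKT),
          ("198.51.100.7", 4000, "192.0.2.10", 49170, STUN_PKT),
          ("198.51.100.7", 4001, "192.0.2.10", 49171, RTCP_PKT),
          ("198.51.100.7", 5353, "192.0.2.10", 53, RTP_PKT)]  # non-media port
```

The SDP only gives the address each side advertises, so behind NAT the captured addresses may differ and matching on port alone may be needed.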
