Wireshark-users: Re: [Wireshark-users] RTP, SIP and RTCP
From: Alex Lindberg <alindber@xxxxxxxxx>
Date: Mon, 14 Dec 2009 11:36:03 -0800 (PST)
There may be another explanation.  If your SIP is using TCP port 5061 then you might be using TLS encryption for your SIP hence all of the SIP payload will be hidden by the encryption.  If this is true, then the RTP might also be encrypted as well.

Alex Lindberg
 
--- On Mon, 12/14/09, Jaap Keuter <jaap.keuter@xxxxxxxxx> wrote:

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Subject: Re: [Wireshark-users] RTP, SIP and RTCP
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Date: Monday, December 14, 2009, 8:58 AM

Hi,

That probably means there's not SDP to work with in your SIP messages.
There's another way to get RTP/RTCP dissection going. Go to the Preferences, 
find RTP and RTCP in the Protocol list and enable the feature "Try to decode RTP 
/RTCP outside of conversation".
That will try to pick up your RTP packets anyway, but may lead to false 
positives, dissecting other packets as RTP as well.

Thanks,
Jaap

hne wrote:
> Thanks for the hint. Unfortunately it didn't work out quit that way. When I use the Decode as feature, it decodes only all packets to / from the involved ports as SIP, but thats all, the only way to have RTP packets to be decoded seems to be to do this RTP recognition for every port beeing used for RTP.
> 
> ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
> From: jaap.keuter@xxxxxxxxx
> To: haneugen@xxxxxxxx
> Date: 14:59:03, 12.12.2009
> Subject: Re: [Wireshark-users] RTP, SIP and RTCP
> ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
> 
> 
> 
>>> Hi,
>>>
>>> The trick would be to look for what you think is a SIP packet and then 
>>> use the Decode as feature. Once it sees the SIP/SDP it will find the 
>>> RTP/RTCP too.
>>>
>>> Thanks,
>>> Jaap
>>>
>>> Send from my iPhone
>>>
>>> On 12 dec 2009, at 12:16, "hne" <haneugen@xxxxxxxx> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have a stream of captured RTP, SIP and RTCP packets, is there a 
>>>> way to to have wireshark to recognize them, I mean their content, 
>>>> since it is only able to display the fields of the TCP and UDP 
>>>> headers.
>>>>
>>>> Thanks in advance.
>>>>
>>>> Cheers,
>>>> hne

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe