Wireshark-users: [Wireshark-users] Problem playing RTP+AMR decoded call
From: Rayed Alrashed <rayed@xxxxxxxxx>
Date: Fri, 4 Dec 2015 16:42:38 +0300
Hello,

I am trying to decode an RTP call from a pcap file from the Wireshark sample captures https://wiki.wireshark.org/SampleCaptures, mainly "Mobile Terminating Call(AMR).pcap".

When I extracted the RTP payload it didn't match any AMR encoding that I saw in other files, which matched RFC 4867, and when I tried to inspect the payload using this tshark dump I noticed a pattern of incrementing numbers on the first byte that I couldn't understand, and that didn't fit any RFC or specification I came across.

$ tshark -nr wireshark_mtc.pcap -Y udp.srcport==40002 -T fields -e rtp.payload -d "udp.port==40002,rtp" | cut -c 1-30
e0:00:dd:06:16:00:51:67:3c:01:
00:00:00:96:91:17:16:be:66:79:
01:00:e1:1c:48:77:24:96:66:79:
02:00:7d:27:55:00:88:b6:66:79:
03:00:9d:0a:48:f9:1f:96:66:79:
04:00:fa:5e:54:fd:1f:b6:66:79:
05:00:18:c7:48:f5:1f:96:66:79:
06:00:86:5e:54:fd:1f:b6:66:79:
07:08:0d:98:00:00:00:00:0c
08:08:25:a9:00:00:00:00:1c
09:08:c5:a9:00:00:00:00:1c
0a:08:59:a9:00:00:00:00:1c
0b:08:b9:a9:00:00:00:00:1c
0c:08:dd:a9:00:00:00:00:1c
0d:08:3d:a9:00:00:00:00:1c
0e:08:a1:a9:00:00:00:00:1c
0f:08:41:a9:00:00:00:00:1c

Any idea on what kind of format would start with this pattern?


Thanks,
Rayed
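
The mismatch described in the message can be checked mechanically. The following is an added example, not part of the original post or of Wireshark: it tests the dumped bytes against the RFC 4867 octet-aligned layout for a single-frame packet and counts how often the first byte steps by one. The function names are hypothetical, and octet-aligned mode is an assumption, since the post does not say which mode was expected.

```python
# AMR-NB speech bits per frame type FT (RFC 4867); 8 is SID, 15 is NO_DATA.
AMR_BITS = {0: 95, 1: 103, 2: 118, 3: 134, 4: 148, 5: 159, 6: 204, 7: 244, 8: 39, 15: 0}
# Sample input: rows from the tshark output in the post (10-byte rows were cut short by `cut`).
DUMP = """\
e0:00:dd:06:16:00:51:67:3c:01:
00:00:00:96:91:17:16:be:66:79:
01:00:e1:1c:48:77:24:96:66:79:
02:00:7d:27:55:00:88:b6:66:79:
03:00:9d:0a:48:f9:1f:96:66:79:
04:00:fa:5e:54:fd:1f:b6:66:79:
05:00:18:c7:48:f5:1f:96:66:79:
06:00:86:5e:54:fd:1f:b6:66:79:
07:08:0d:98:00:00:00:00:0c
08:08:25:a9:00:00:00:00:1c
09:08:c5:a9:00:00:00:00:1c
0a:08:59:a9:00:00:00:00:1c
0b:08:b9:a9:00:00:00:00:1c
0c:08:dd:a9:00:00:00:00:1c
0d:08:3d:a9:00:00:00:00:1c
0e:08:a1:a9:00:00:00:00:1c
0f:08:41:a9:00:00:00:00:1c
"""

def parse_rows(dump):
    """Return (payload_bytes, is_complete) per row; a trailing ':' marks a truncated row."""
    return [(bytes.fromhex(r.replace(":", "")), not r.endswith(":")) for r in dump.split()]

def octet_aligned_problems(payload, complete):
    """List where a payload disagrees with a single-frame octet-aligned AMR packet."""
    problems = []
    reserved = payload[0] & 0x0F                             # byte 0: CMR (4 bits) + 4 reserved bits
    follow, ft = payload[1] >> 7, (payload[1] >> 3) & 0x0F   # ToC entry: F | FT | Q | PP
    if reserved:
        problems.append(f"reserved bits are {reserved:#x}, senders must set them to 0")
    if ft not in AMR_BITS:
        problems.append(f"FT {ft} is outside the AMR types RFC 4867 accepts (0-8, 15)")
    elif not follow and complete:
        expected = 2 + (AMR_BITS[ft] + 7) // 8               # header + ToC + padded speech bits
        if len(payload) != expected:
            problems.append(f"FT {ft} needs {expected} bytes, payload has {len(payload)}")
    return problems

def counter_steps(rows):
    """Count adjacent packets whose first byte equals the previous first byte plus 1."""
    return sum(b[0] == (a[0] + 1) & 0xFF for (a, _), (b, _) in zip(rows, rows[1:]))

if __name__ == "__main__":
    for p, whole in parse_rows(DUMP):
        print(p[:2].hex(":"), octet_aligned_problems(p, whole) or "no header conflict")
```

The length check only runs on the 9-byte rows, because the 10-byte rows were truncated by `cut -c 1-30` and their real length is not visible in the dump.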