Ethereal-dev: Re: [Ethereal-dev] RE: [Ethereal-users] Not seeing RTP or RTCP traffic on Win2K

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Wed, 17 Apr 2002 14:36:19 -0700

On Wed, Apr 17, 2002 at 11:44:45AM -0700, Joe Aiello wrote:
> I noticed that Ethereal can read the Sniffer WAN.cap files and indicate that
> it is a "Network Associates Sniffer (Windows-Based) 2.00x" format.  This is
> displayed if you select file/save as.  It seems the work to decode the
> format is there, just not to save as.

Unfortunately, it appears that Sniffer WAN (PPP) captures look like
Ethernet captures; we'd have to implement code in Wiretap to translate
PPP headers to Ethernet headers (including mapping protocol types - and,
presumably, *discarding* packets for protocols that have PPP types but
not Ethernet types) to be able to save them.

I will not be doing that any time soon.  My plate is already massively
over-full with other things....

> As for RTP, they must look at the UDP packets and check for the RTP header.

Perhaps they do, but, for what it's worth, we don't.  I'm not sure I see
anything immediately obvious that would work well as a heuristic to
detect RTP.  (Are you certain the Sniffer isn't configured to treat
either port 1062 or port 17654 as RTP ports?)

So, until somebody can come up with a heuristic to detect RTP traffic
*without* bogusly treating a bunch of non-RTP traffic as RTP, you'll
either have to use the Sniffer, or use the "Decode As" option in
Ethereal to force it to decode particular ports as particular protocols
(selecting the first packet, selecting "Decode As..." from the Tools
menu, selecting the source or destination port, selecting "RTP" from
the list of protocols, and clicking "OK" causes it to show that traffic
as RTP traffic).
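
Added example, not part of the original message and not Ethereal code: a sketch of why RTP is hard to detect heuristically. A single-packet check rests mostly on the 2-bit version field, so it also accepts unrelated payloads that begin with those bits, while a check across one UDP conversation (same SSRC and payload type, advancing sequence numbers) rejects them. The function names, the three-packet minimum and MAX_SEQ_GAP are assumptions made for this illustration; the header layout is the RTP fixed header.

```c
#include <stdint.h>
#include <string.h>

#define MAX_SEQ_GAP 16  /* assumed tolerance for loss and reordering */
struct payload { const uint8_t *p; size_t len; };  /* one UDP payload */
static int seq(const uint8_t *p) { return (p[2] << 8) | p[3]; }

/* Single-packet test: only what the RTP fixed header itself guarantees. */
int rtp_header_plausible(const uint8_t *p, size_t len)
{
    if (len < 12 || (p[0] >> 6) != 2) return 0;   /* fixed header, version 2 */
    size_t hdr = 12 + 4 * (size_t)(p[0] & 0x0f);  /* plus CSRC list */
    if (p[0] & 0x10) {                            /* X bit: header extension */
        if (len < hdr + 4) return 0;
        hdr += 4 + 4 * (((size_t)p[hdr + 2] << 8) | p[hdr + 3]);
    }
    if (len < hdr) return 0;
    if (p[0] & 0x20)                              /* P bit: last octet = pad count */
        return p[len - 1] != 0 && (size_t)p[len - 1] <= len - hdr;
    return 1;
}

/* Flow test: n payloads of one UDP conversation, in capture order. */
int rtp_flow_plausible(const struct payload *f, size_t n)
{
    if (n < 3 || !rtp_header_plausible(f[0].p, f[0].len)) return 0;
    for (size_t i = 1; i < n; i++) {
        if (!rtp_header_plausible(f[i].p, f[i].len)) return 0;
        uint16_t gap = (uint16_t)(seq(f[i].p) - seq(f[i - 1].p));
        if (memcmp(f[i].p + 8, f[0].p + 8, 4) != 0 ||     /* same SSRC */
            (f[i].p[1] & 0x7f) != (f[0].p[1] & 0x7f) ||   /* same payload type */
            gap == 0 || gap > MAX_SEQ_GAP)                /* sequence advances */
            return 0;
    }
    return 1;
}

/* Constructed sample payloads, not taken from a real capture. */
static const uint8_t A0[] = {0x80,0x00,0x00,0x01,0,0,0x00,0xa0,0xde,0xad,0xbe,0xef,0x11,0x22};
static const uint8_t A1[] = {0x80,0x00,0x00,0x02,0,0,0x01,0x40,0xde,0xad,0xbe,0xef,0x33,0x44};
static const uint8_t A2[] = {0x80,0x00,0x00,0x03,0,0,0x01,0xe0,0xde,0xad,0xbe,0xef,0x55,0x66};
static const uint8_t B0[] = {0x81,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,1,2,3,4,5,6,7,8};
static const uint8_t B1[] = {0x80,0x9a,0x10,0x00,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99};
static const uint8_t B2[] = {0x80,0x11,0x7f,0x00,0x00,0x00,0x00,0x01,0x0a,0x0b,0x0c,0x0d};
const struct payload RTP_FLOW[] = {{A0, sizeof A0}, {A1, sizeof A1}, {A2, sizeof A2}};
const struct payload OTHER_FLOW[] = {{B0, sizeof B0}, {B1, sizeof B1}, {B2, sizeof B2}};
```

Each B payload passes rtp_header_plausible on its own, but OTHER_FLOW fails the flow test while RTP_FLOW passes.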