Joe,
I suspect that Sniffer is identifying the RTP packets by
looking at the session setup protocols (MGCP/H323/SIP/Megaco)
which negotiate those RTP streams between the parties on the
network. Ethereal could do this, but currently doesn't.
Ed
On Wed, 2002-04-17 at 17:49, Joe Aiello wrote:
> I think this was misleading. Sniffer WAN files is terminology in Sniffer
> (in their save/as dialog). WAN seems to refer more to their current Windows
> version file format. They are not PPP, but Ethernet captures. Since
> Ethereal can already read the format (as identified in Ethereal as Sniffer
> Windows 2.00x), someone knows the file format.
>
> The reason we originally talked about this was that I have a custom tool
> that will extract the audio payload and create sound files from the Sniffer
> Windows format capture files. I use Ethereal to capture and filter the
> traffic and save to Sniffer DOS format. I then read this in to Sniffer and
> save as a "Sniffer WAN" .cap file. I can then use my tool to create the
> sound files.
>
> As for RTP, they do it somehow and I have yet to have a misrepresented
> packet. Since RTP ports change all the time (Cisco uses 16K ports), I know
> there are no pre-configured port maps. I use Ethereal all the time and use
> the "decode as" often and it works perfectly (for both halves of the RTP
> conversation).
>
> Thanks for looking at it.
>
> Joe
>
>
> -----Original Message-----
> From: Guy Harris [mailto:guy@xxxxxxxxxx]
> Sent: Wednesday, April 17, 2002 2:36 PM
> To: Joe Aiello
> Cc: ethereal-dev@xxxxxxxxxxxx
> Subject: Re: [Ethereal-dev] RE: [Ethereal-users] Not seeing RTP or RTCP
> traffic on Win2K
>
> On Wed, Apr 17, 2002 at 11:44:45AM -0700, Joe Aiello wrote:
> > I noticed that Ethereal can read the Sniffer WAN.cap files and indicate
> > that it is a "Network Associates Sniffer (Windows-Based) 2.00x format.
> > This is displayed if you select file/save as. It seems the work to decode
> > the format is there, just not to save as.
>
> Unfortunately, it appears that Sniffer WAN (PPP) captures look like
> Ethernet captures; we'd have to implement code in Wiretap to translate
> PPP headers to Ethernet headers (including mapping protocol types - and,
> presumably, *discarding* packets for protocols that have PPP types but
> not Ethernet types) to be able to save them.
>
> I will not be doing that any time soon. My plate is already massively
> over-full with other things....
>
> > As for RTP, they must look at the UDP packets and check for the RTP
> > header.
>
> Perhaps they do, but, for what it's worth, we don't. I'm not sure I see
> anything immediately obvious that would work well as a heuristic to
> detect RTP. (Are you certain the Sniffer isn't configured to treat
> either port 1062 or port 17654 as RTP ports?)
>
> So, until somebody can come up with a heuristic to detect RTP traffic
> *without* bogusly treating a bunch of non-RTP traffic as RTP, you'll
> either have to use the Sniffer, or use the "Decode As" option in
> Ethereal to force it to decode particular ports as particular protocols
> (selecting the first packet, selecting "Decode As..." from the Tools
> menu, selecting the source or destination port, selecting "RTP" from
> the list of protocols, and clicking "OK" causes it to show that traffic
> as RTP traffic).
>
>
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev
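The approach suggested at the top of this thread (learn the RTP ports from the session setup exchange instead of guessing from the UDP payload), sketched as an added example that is not part of the original messages and is not Ethereal code. It handles only SDP carried in SIP; the SIP message, addresses, ports and function names are constructed for illustration.

```python
import re
import struct

# Constructed SIP INVITE with an SDP offer (sample data, not taken from the thread).
SIP_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
    "c=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
)

def sdp_media_endpoints(sip_message):
    """Map (ip, port) -> offered payload types for each RTP m= line in the SDP body."""
    _, _, body = sip_message.partition("\r\n\r\n")
    session_ip, media = None, []
    for line in body.splitlines():
        c = re.match(r"c=IN IP4 (\S+)", line)
        m = re.match(r"m=\w+ (\d+) RTP/\S+ (.+)", line)
        if c and media:
            media[-1]["ip"] = c.group(1)   # media-level c= overrides the session one
        elif c:
            session_ip = c.group(1)
        elif m:
            media.append({"ip": session_ip, "port": int(m.group(1)),
                          "pts": {int(p) for p in m.group(2).split()}})
    # Port 0 in an m= line means the stream was declined, so skip it.
    return {(e["ip"], e["port"]): e["pts"] for e in media if e["port"]}

def classify_udp(dst_ip, dst_port, payload, endpoints):
    """Return 'rtp', 'rtcp' or None for one UDP datagram."""
    if len(payload) < 8 or payload[0] >> 6 != 2:   # both protocols carry version 2
        return None
    # Assumption: RTCP uses the next port up from RTP (the RFC 3550 default).
    if (dst_ip, dst_port - 1) in endpoints and 200 <= payload[1] <= 204:
        return "rtcp"
    pts = endpoints.get((dst_ip, dst_port))
    if pts is not None and len(payload) >= 12 and (payload[1] & 0x7F) in pts:
        return "rtp"
    return None

def rtp_packet(payload_type, seq=1):
    """Build a constructed RTP packet: 12-byte header plus 160 bytes of audio."""
    return struct.pack("!BBHII", 0x80, payload_type, seq, 160, 0x1234) + b"\xff" * 160

if __name__ == "__main__":
    eps = sdp_media_endpoints(SIP_INVITE)
    print(eps)
    print(classify_udp("192.0.2.10", 49170, rtp_packet(0), eps))   # negotiated port
    print(classify_udp("192.0.2.10", 40000, rtp_packet(0), eps))   # same bytes, other port
```

The same bytes sent to a port that was never negotiated are left unlabelled, which is what keeps the version-field check from tagging unrelated UDP traffic as RTP.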