Ethereal-users: Re: [Ethereal-users] How do I decode RTP ?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 28 Aug 2003 12:14:34 -0700

On Thursday, August 28, 2003, at 11:50 AM, Chet Seligman wrote:

> Every RTP packet should have a payload type that lists the codec used.

Yes, that's what I said:

> There's the "V" field, although that's only 2 bits, so other packets
> might well have binary 10 in those two bits, and there's the "PT"
> field, for which we could require that it be a *known* payload type.

Perhaps checking for "V" being 2, and the payload type being one of the values in the "rtp_payload_type_vals[]" table, would be a sufficiently-strong heuristic, accepting few, if any, non-RTP packets. (It means that we wouldn't recognize packets with a payload type we don't yet know about, but that's life.)

> After I guessed which ports were used by RTP, I examined the decodes and saw the G.729 payload - that's how I knew I was correct. What I didn't know was
> whether I got all the packets. Not getting all packets makes jitter
> measurements not terribly meaningful.

There's not much Ethereal can do about that, other than recognizing sequence number gaps.

> You speak of a "look-ahead" - could that be where the payload type is used?

"Could" in what sense? It's not where we use it, as we don't have any heuristics, much less ones involving look-ahead. I don't know whether any of the dissectors that recognize RTP and RTCP without human help *AND* without seeing session setup packets (which, for at least some protocols, Ethereal dissects *and* uses to identify subsequent packets as RTP) use look-ahead or not.

The payload type could be used without look-ahead if you just check for a known value. It could also be used *if* look-ahead were done, by checking to make sure it's the same in the later packets. Note, however, that using the sequence number in a look-ahead scheme would require a "window" so that we don't get confused by lost packets, i.e. look for the N+1'st packet in that UDP stream having a sequence number no more than W greater than the Nth packet.

However, as far as I know, doing a look-ahead scheme would be very difficult, perhaps impossible; I don't plan to spend any time looking into it (I don't have the time to do so).

> BTW: Agilent Advisor and Radcom can identify RTP & RTCP without human help -
> I don't know how they do it.

I'm aware that several analyzers do it. That doesn't mean it's necessarily easy to figure out a good way to do it - maybe they do something simple that's easy to figure out, maybe they do something simple that was *hard* to figure out but easy to implement, and maybe they do something that's hard to implement.
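
The single-packet check ("V" is 2 and "PT" is a known value) and the windowed sequence-number look-ahead discussed in this message, as an added example that is not Ethereal code and not part of the original message. The `known_pt` table is a stand-in subset of RFC 3551 static payload types, and the function names and the window parameter `w` are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in for a known-payload-type table: a subset of the static
 * types in RFC 3551 (PCMU, GSM, G723, PCMA, G722, G729, JPEG, H261,
 * H263). Not Ethereal's rtp_payload_type_vals[]. */
static const uint8_t known_pt[] = { 0, 3, 4, 8, 9, 18, 26, 31, 34 };

#define RTP_MIN_HDR 12   /* fixed RTP header length in bytes */

/* Single-packet check: V == 2 and PT is a known value. */
int rtp_looks_like(const uint8_t *p, size_t len)
{
    size_t i;
    uint8_t pt;

    if (len < RTP_MIN_HDR || (p[0] >> 6) != 2)
        return 0;
    pt = p[1] & 0x7f;                 /* drop the marker bit */
    for (i = 0; i < sizeof known_pt; i++)
        if (known_pt[i] == pt)
            return 1;
    return 0;
}

static uint16_t rtp_seq(const uint8_t *p)
{
    return (uint16_t)((p[2] << 8) | p[3]);
}

/* Look-ahead over n packets of one UDP stream: every packet passes the
 * single-packet check, PT stays the same, and each sequence number is
 * 1..w ahead of the previous one (mod 2^16), so up to w-1 lost packets
 * between neighbours are tolerated. */
int rtp_lookahead(const uint8_t *const pkts[], const size_t lens[],
                  size_t n, uint16_t w)
{
    size_t i;

    for (i = 0; i < n; i++) {
        if (!rtp_looks_like(pkts[i], lens[i]))
            return 0;
        if (i == 0)
            continue;
        if ((pkts[i][1] & 0x7f) != (pkts[0][1] & 0x7f))
            return 0;
        uint16_t delta = (uint16_t)(rtp_seq(pkts[i]) - rtp_seq(pkts[i - 1]));
        if (delta == 0 || delta > w)
            return 0;
    }
    return n > 0;
}
```

Computing the sequence delta in 16-bit unsigned arithmetic handles the wrap from 65535 to 0, and it also rejects reordered packets, which show up as a very large delta.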