Ethereal-users: Re: [Ethereal-users] RTP Ports and Capture Syntax for SIP & RTP

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Guy Harris" <gharris@xxxxxxxxx>
Date: Wed, 17 May 2006 10:24:38 -0700 (PDT)

Andrena Lefdahl wrote:

> 1. How in the world do you find out all the ports that RTP will be using?

It depends on the software/firmware that's using RTP; you'd probably have
to know in detail how that software works, and even then it might not be
possible.

The *ONLY* alternative would, for RTP over UDP, be to look at the packet
data with a filter.  That'd *probably* capture RTP packets, but there's no
guarantee that it'd capture only RTP packets or capture all RTP packets.

I think the filter for this would be

    (udp[8:1] & 0xC0) == 0x80 and (udp[8:2] & 0x7F) <= 34

which matches the heuristic Ethereal uses for detecting RTP packets.

If the packet uses a payload type > 34 (which I think includes dynamic
payload types), there's no filter that'll do the job - any attempt to
define a filter to capture that traffic without knowing the payload type
or port number is doomed.

> 2. I still would like an example of what the syntax would be (setting up
> the capture filter) for both SIP and RTP traffic. Just pretend we know
> what ports RTP are on.

    port 5060 or udp port N or udp port M or ...

where N, M, etc. are the RTP ports.  For the heuristic filter, it'd be

    port 5060 or ((udp[8:1] & 0xC0) == 0x80 and (udp[8:2] & 0x7F) <= 34)
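
The following is an added example, not part of the original message or of Ethereal's code. It applies the same two-field test (RTP version 2, payload type <= 34) to constructed UDP datagrams, to show which packets such a capture filter keeps, which RTP it misses, and which non-RTP it lets through. It assumes the RFC 3550 header layout (version in the top two bits of the first payload byte, payload type in the low seven bits of the second); all packets, ports and names are made up.

```python
import struct

RTP_VERSION = 2
MAX_PT = 34  # highest payload type the heuristic accepts, per the message

def udp_datagram(payload: bytes, sport: int = 40000, dport: int = 40002) -> bytes:
    """Prepend an 8-byte UDP header (checksum left at 0) so offsets match udp[N]."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def rtp_packet(pt: int, marker: bool = False) -> bytes:
    """12-byte RTP header (V=2, no padding/extension/CSRC) plus 160 dummy bytes."""
    b0 = RTP_VERSION << 6
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return struct.pack("!BBHII", b0, b1, 1, 160, 0x1234ABCD) + b"\x00" * 160

def matches_heuristic(udp: bytes) -> bool:
    """Version bits of udp[8] equal 2 and low 7 bits of udp[9] are <= 34."""
    if len(udp) < 10:  # too short to hold the two bytes being tested
        return False
    version = (udp[8] & 0xC0) >> 6
    payload_type = udp[9] & 0x7F  # mask drops the marker bit
    return version == RTP_VERSION and payload_type <= MAX_PT

# Constructed sample traffic (not taken from any real capture).
SAMPLES = {
    "rtp_pcmu_pt0": udp_datagram(rtp_packet(0)),
    "rtp_pcma_pt8_marker": udp_datagram(rtp_packet(8, marker=True)),
    "rtp_dynamic_pt96": udp_datagram(rtp_packet(96)),  # real RTP, missed
    "rtcp_sender_report": udp_datagram(
        struct.pack("!BBHI", 0x80, 200, 6, 0x1234ABCD) + b"\x00" * 20),
    "dns_query": udp_datagram(
        struct.pack("!HHHHHH", 0x1A2B, 0x0100, 1, 0, 0, 0)
        + b"\x07example\x03com\x00\x00\x01\x00\x01", dport=53),
    "non_rtp_lookalike": udp_datagram(b"\x80\x05not rtp at all"),  # false match
}

def classify() -> dict:
    """Return {sample name: True if the heuristic would capture it}."""
    return {name: matches_heuristic(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:22s} {'captured' if hit else 'dropped'}")
```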