Wireshark-bugs: [Wireshark-bugs] [Bug 11446] RTP is decoded as RTCP

Date: Mon, 17 Aug 2015 16:36:06 +0000


Comment # 3 on bug 11446 from
Hello,

> I see this behavior periodically and it's not comfortable because I can't analyze
> some RTP streams with wireshark.

"Can't" is a fairly strong assertion! ;-)  There are workarounds.

I have a few questions and a few comments.

Is this traffic captured from a lab/test environment?  In other words, is the
traffic simulated or artificially restricted in such a way that one is much
more likely to see UDP port number reuse than would typically be seen "in
the wild"?

In these cases I generally start a new trace file with each new test to avoid
having to try to deal with the complications of port reuse for "long running
traces".  One workaround is to simply split your multi-call trace file into
separate call-specific traces.

A second workaround is to use the Decode As feature.  But I assume you had no
luck simply trying to force the packets that initially decoded as "RTCP" to be
seen as RTP using Wireshark's "Decode As" feature?  Unfortunately this does not
work because of precedence logic.  But all hope is not lost.  You can disable
the RTCP protocol using the Analyze / Enabled Protocols... feature[1].  Once
RTCP is disabled, the packets initially decoded as "RTCP" will now decode as
"UDP".  At this point you CAN successfully use the "Decode As" feature to
analyze these packets as RTP.

There's also a third possible workaround for you (and perhaps the quickest). 
Simply apply Wireshark's Ignore Packet feature to the SDP packet that is
responsible for messing with Wireshark's RTP/RTCP UDP port number assumptions.
With your rtp_decoded_as_rtcp.pcap example you would want to Ignore frame #1125
(The second SDP packet from the start of the second call).  Once you ignore
frame #1125 the frames for call 1 that previously dissected as RTCP will now be
dissected as RTP.

While these workarounds may not be the ideal solutions to your particular
workflow, they do give you some options.

[1] NOTE: While trying to disable the RTCP protocol using a development version
of Wireshark I stumbled into a separate Qt UI-specific bug with the "Enabled
Protocols" window that I will submit shortly.

