Hi,
I am using tshark 0.99.7 to filter out RTP traffic from a tcpdump trace file. I have discovered that 3 DNS streams had been dissected as RTP traffic.
I am trying to work out the reason for those false positives.
I have looked through the code, including the packet-rtp.c and packet-sdp.c files. From what I understood, my hypothesis is that:
Only the SDP information, which consists of the source IP address and source port (media port), is used to register an RTP conversation. This registration is then used to dissect subsequent RTP packets.
In my case, the DNS streams had the same source IP address and source port as a previously registered RTP session. Hence they were dissected as RTP streams.
My questions are: Did I understand it correctly? From the SDP session description information, how long is an RTP session registered for?
Has anyone encountered this before? Any suggestions or hints on where I could find information to answer my questions would be much appreciated.
Thank you very much for your time.
Thuy Nguyen.
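A small Python model of the behaviour described in this message (an added example, not tshark or Wireshark code): an SDP offer registers a conversation on (address, port) alone, a later DNS datagram on the same key is handed to the "RTP" path, and a sanity check on the RTP version bits rejects it. The names Packet, register_from_sdp, classify_naive, looks_like_rtp and classify_checked are assumed for this illustration, and both sample payloads are constructed.

```python
import struct
from dataclasses import dataclass

# Simplified model of conversation-based dissection as the email describes it:
# an SDP offer registers (address, port); any later UDP packet matching that
# key is handed to the RTP dissector, whether or not the payload is RTP.

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    payload: bytes

# Constructed samples: a minimal RTP header (V=2, PT=0, seq=1, ts=160,
# SSRC=0xDEADBEEF) with 4 bytes of payload, and a DNS query for example.com.
RTP_SAMPLE = bytes([0x80, 0x00]) + struct.pack("!HII", 1, 160, 0xDEADBEEF) + b"\x00" * 4
DNS_SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
              + b"\x07example\x03com\x00\x00\x01\x00\x01")

def register_from_sdp(table, media_ip, media_port):
    """Model of SDP registering a conversation keyed only on (ip, port)."""
    table.add((media_ip, media_port))

def classify_naive(table, pkt):
    """Reproduces the false positive: a key match alone selects the dissector."""
    return "rtp" if (pkt.src_ip, pkt.src_port) in table else "other"

def looks_like_rtp(payload):
    """Cheap plausibility check before accepting a conversation hit as RTP.
    Version must be 2 and the payload type must not fall in the RTCP range
    (72-76). A random first byte still passes the version test 1 time in 4,
    so this reduces false positives rather than eliminating them."""
    if len(payload) < 12:          # fixed RTP header is 12 bytes
        return False
    version = payload[0] >> 6
    payload_type = payload[1] & 0x7F
    return version == 2 and not 72 <= payload_type <= 76

def classify_checked(table, pkt):
    """Conversation hit plus header sanity check."""
    if (pkt.src_ip, pkt.src_port) in table and looks_like_rtp(pkt.payload):
        return "rtp"
    return "other"

if __name__ == "__main__":
    conv = set()
    register_from_sdp(conv, "192.0.2.10", 40000)   # from a constructed SDP m= line
    dns = Packet("192.0.2.10", 40000, DNS_SAMPLE)  # same ip/port reused later
    print("naive:", classify_naive(conv, dns), "checked:", classify_checked(conv, dns))
```

The naive classifier labels the DNS datagram "rtp" purely because the ephemeral port was reused after the SDP registration; the checked classifier rejects it because its first byte (the DNS transaction ID) does not carry RTP version 2.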