Wireshark-users: Re: [Wireshark-users] [Wireshark-dev] RTCP Frame length check: Wrong

From: "Anders Broman" <a.broman@xxxxxxxxx>
Date: Tue, 14 Apr 2009 08:01:03 +0200
Thanks Jaap,
That gives me a reference to use.
Regards
Anders

-----Ursprungligt meddelande-----
Från: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] För Jaap Keuter
Skickat: den 14 april 2009 07:39
Till: Community support list for Wireshark
Ämne: Re: [Wireshark-users] [Wireshark-dev] RTCP Frame length check: Wrong

Hi,

That's:

Network Working Group                                            D. Wing
Request for Comments:  4961                                Cisco Systems
BCP:  131                                                      July 2007
Category:  Best Current Practice


               Symmetric RTP / RTP Control Protocol (RTCP)

Thanx,
Jaap


Anders Broman wrote:
> Most applications tend to use the signalled RTP port pair
> As SRC and DST.
> 
> A -- SDP port Y--> B
>   <--- SDP port-- X
> 
> -- RTP SRC Y DST X -->
> <-- RTP SRC X DST Y
> 
> Some Firewalls assumes this and will block traffic not following this
> "rule". I haven't found any RFC to support the above behaviour but in 
> Practice almost every one seems to follow it and it seems like a good idea
> to design your application that way as there may be interworking problems
> otherwise.
> Regards
> Anders
> 
> 
> -----Ursprungligt meddelande-----
> Från: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] För Guy Harris
> Skickat: den 14 april 2009 00:41
> Till: Community support list for Wireshark
> Kopia: shivani matta
> Ämne: Re: [Wireshark-users] [Wireshark-dev] RTCP Frame length check: Wrong
> 
> 
> On Apr 10, 2009, at 9:17 PM, Guy Harris wrote:
> 
>> On Apr 10, 2009, at 11:56 AM, Guy Harris wrote:
>>
>>> Packet 63 in the capture you sent, which only dissect as RTCP in my
>>> version of Wireshark if you explicitly use "Decode As" - even the
>>> heuristics aren't recognizing it as RTCP.
>> I'll see whether the heuristics can be changed.
> 
> They were checking both the source and destination port, for both RTP  
> (checking for even ports) and RTCP (checking for odd ports).  RFC 3550  
> says, in section 11 "RTP over Network and Transport Protocols":
> 
>     RTP relies on the underlying protocol(s) to provide demultiplexing  
> of
>     RTP data and RTCP control streams.  For UDP and similar protocols,
>     RTP SHOULD use an even destination port number and the corresponding
>     RTCP stream SHOULD use the next higher (odd) destination port  
> number.
>     For applications that take a single port number as a parameter and
>     derive the RTP and RTCP port pair from that number, if an odd number
>     is supplied then the application SHOULD replace that number with the
>     next lower (even) number to use as the base of the port pair.  For
>     applications in which the RTP and RTCP destination port numbers are
>     specified via explicit, separate parameters (using a signaling
>     protocol or other means), the application MAY disregard the
>     restrictions that the port numbers be even/odd and consecutive
>     although the use of an even/odd port pair is still encouraged.  The
>     RTP and RTCP port numbers MUST NOT be the same since RTP relies on
>     the port numbers to demultiplex the RTP data and RTCP control
>     streams.
> 
> That says nothing about the source port; I've removed the source port  
> checks from the RTP and RTCP heuristic dissectors.  We'll see whether  
> that results in any packets being misidentified as RTP or RTCP.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
 
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe