Wireshark-users: [Wireshark-users] RTP dissector in Lua not chained with SDP setup info present a

From: Jonathan Poff <jonathan.poff@xxxxxxxxxxxxx>
Date: Mon, 28 Jan 2013 09:53:29 +1300

Hi, I'm pretty much a Wireshark noob, but..

I'm trying to analyze some RTP streams, some of which are set up by SIP (with some additional features).

I'm writing packet dissectors in Lua, but there are a couple of problems.  As far as I can tell, if I use a chained dissector and add it to the udp dissector table where udp.port == [port of interest] then the dissector works fine EXCEPT where the builtin Wireshark RTP dissector has added a 'Stream setup by SDP' subtree.  I'm not sure how Wireshark determines which packets are RTP other than as part of a SIP conversation, but I haven't had any luck attaching a dissector to these packets.

The most reliable way is to disable the RTP protocol and dissect the RTP headers myself, but then I lose the stream setup by info that Wireshark provides.  I can probably do this myself with Lua but it seems like a lot of extra work, given my level of expertise..  I would prefer to take advantage of all of Wiresharks built in RTP dissectors and just add my stuff at the end.

Which leads me to my second problem.  A post dissector actually works fine, is easy to write and accomplishes EVERYTHING I need, EXCEPT for the fact that the post dissector tree IS NOT WRITTEN to an exported .PDML file.  This is a blocking issue for me as I'm doing further analysis with this file.

I'd be very grateful for any pointers on what is causing the SDP setup info dissector to disable my dissector and how to make it work.  Failing that, is exporting of post dissector info to .pdml problematic, or is this just an omission that could be fixed in the source?  (I'm not keen to build Wireshark myself as I'm using windoze, but maybe if this is an easy fix, somebody could submit a patch?).

Cheers,

--
Jonathan Poff
Senior Design Engineer
Tait Communications
DDI: +64 3 3579816
Email: jonathan.poff@xxxxxxxxxxxxx


www.taitradio.com


This email, including any attachments, is only for the intended recipient. It is subject to copyright, is confidential and may be the subject of legal or other privilege, none of which is waived or lost by reason of this transmission.
If you are not an intended recipient, you may not use, disseminate, distribute or reproduce such email, any attachments, or any part thereof. If you have received a message in error, please notify the sender immediately and erase all copies of the message and any attachments.
Unfortunately, we cannot warrant that the email has not been altered or corrupted during transmission nor can we guarantee that any email or any attachments are free from computer viruses or other conditions which may damage or interfere with recipient data, hardware or software. The recipient relies upon its own procedures and assumes all risk of use and of opening any attachments.