Wireshark-users: Re: [Wireshark-users] Problem playing RTP+AMR decoded call

From: Hal Wigoda <hal.wigoda@xxxxxxxxx>
Date: Wed, 9 Dec 2015 10:04:18 -0600
I think this is hex.

On Wed, Dec 9, 2015 at 4:51 AM, Rayed Alrashed <rayed@xxxxxxxxx> wrote:
I found it! It is using IuUP, for more info check "ETSI TS 125 415"

On Fri, Dec 4, 2015 at 4:42 PM, Rayed Alrashed <rayed@xxxxxxxxx> wrote:
Hello,

I am trying to decode an RTP call from a pcap file from the Wireshark sample captures https://wiki.wireshark.org/SampleCaptures, mainly "Mobile Terminating Call(AMR).pcap".

When I extracted the RTP payload it didn't match any AMR encoding that I saw in other files, which matched RFC 4867, and when I tried to inspect the payload using this tshark dump I noticed a pattern of incrementing numbers on the first byte that I couldn't understand, and that didn't fit any RFC or specification I came across.

$ tshark -nr wireshark_mtc.pcap -Y udp.srcport==40002 -T fields -e rtp.payload -d "udp.port==40002,rtp" | cut -c 1-30
e0:00:dd:06:16:00:51:67:3c:01:
00:00:00:96:91:17:16:be:66:79:
01:00:e1:1c:48:77:24:96:66:79:
02:00:7d:27:55:00:88:b6:66:79:
03:00:9d:0a:48:f9:1f:96:66:79:
04:00:fa:5e:54:fd:1f:b6:66:79:
05:00:18:c7:48:f5:1f:96:66:79:
06:00:86:5e:54:fd:1f:b6:66:79:
07:08:0d:98:00:00:00:00:0c
08:08:25:a9:00:00:00:00:1c
09:08:c5:a9:00:00:00:00:1c
0a:08:59:a9:00:00:00:00:1c
0b:08:b9:a9:00:00:00:00:1c
0c:08:dd:a9:00:00:00:00:1c
0d:08:3d:a9:00:00:00:00:1c
0e:08:a1:a9:00:00:00:00:1c
0f:08:41:a9:00:00:00:00:1c

Any idea on what kind of format would start with this pattern?


Thanks,
Rayed





--
-----------------
Hal Wigoda
Chicago
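
Added example, not part of the original thread: a minimal parser for the IuUP header that the reply identifies, run on payload prefixes copied from the dump above. The bit layout is an assumption taken from 3GPP TS 25.415 (the spec the thread cites as ETSI TS 125 415), and the function names are hypothetical.

```python
# Added example. Field layout is an assumption taken from 3GPP TS 25.415.
# Constructed sample: a subset of the payload prefixes from the tshark dump
# in the thread (frames 02..06 left out, so one gap is expected below).
SAMPLE = """\
e0:00:dd:06:16:00:51:67:3c:01:
00:00:00:96:91:17:16:be:66:79:
01:00:e1:1c:48:77:24:96:66:79:
07:08:0d:98:00:00:00:00:0c
08:08:25:a9:00:00:00:00:1c
"""


def parse_iuup_header(payload: bytes) -> dict:
    """Decode the IuUP header at the start of an RTP payload."""
    if len(payload) < 3:
        raise ValueError("too short for an IuUP header")
    b0, b1, b2 = payload[0], payload[1], payload[2]
    pdu_type = b0 >> 4
    if pdu_type == 14:  # control procedure frame, e.g. initialisation
        return {"pdu_type": 14, "ack_nack": (b0 >> 2) & 0x3,
                "frame_number": b0 & 0x3, "mode_version": b1 >> 4,
                "procedure": b1 & 0xF, "header_len": 4}
    if pdu_type not in (0, 1):
        raise ValueError(f"unhandled PDU type {pdu_type}")
    hdr = {"pdu_type": pdu_type, "frame_number": b0 & 0xF,
           "fqc": b1 >> 6, "rfci": b1 & 0x3F, "header_crc": b2 >> 2,
           "header_len": 3}
    if pdu_type == 0:  # type 0 also carries a 10-bit payload CRC
        if len(payload) < 4:
            raise ValueError("truncated PDU type 0 header")
        hdr["payload_crc"] = ((b2 & 0x3) << 8) | payload[3]
        hdr["header_len"] = 4
    return hdr


def parse_dump(text: str) -> list:
    """Parse colon-separated hex lines as printed by tshark -e rtp.payload."""
    lines = (ln.strip().rstrip(":") for ln in text.splitlines())
    return [parse_iuup_header(bytes.fromhex(ln.replace(":", "")))
            for ln in lines if ln]


def frame_gaps(frames: list) -> list:
    """Indexes of data frames whose number is not previous + 1 (mod 16)."""
    data = [(i, f) for i, f in enumerate(frames) if f["pdu_type"] in (0, 1)]
    return [i for (_, p), (i, f) in zip(data, data[1:])
            if f["frame_number"] != (p["frame_number"] + 1) % 16]
```

With this layout, the incrementing first byte is the 4-bit frame number of PDU type 0 frames, and the second byte carries the FQC and RFCI; the codec bits start at `header_len`.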