This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do you capture RTP packets?

1

I'm trying to capture RTP streams. When I use rtp as a packet filter Wireshark says "Invalid capture filter: "rtp"!" What port does RTP use?

asked 08 Sep '10, 09:39

Gerald%20Combs's gravatar image

Gerald Combs ♦♦
3.3k92258
accept rate: 24%

edited 08 Sep '10, 11:47

3 Answers:

4

RTP port numbers are usually dynamically assigned. You can use something like this to get close enough in most cases:

udp[1] & 1 != 1 && udp[3] & 1 != 1 && udp[8] & 0x80 == 0x80 && length < 250

It does the following:

  • udp[1] & 1 != 1 && udp[3] & 1 != 1 - even source and destination UDP ports
  • udp[8] & 0x80 == 0x80 - a valid RTP version
  • length < 250 - look for small packets.

This will capture any non-RTP traffic that happens to match the filter (such as DNS) but it will capture all RTP packets in many environments.

answered 12 Sep '10, 19:23

Test%20User%201's gravatar image

Test User 1
14134
accept rate: 40%

edited 12 Sep '10, 19:41

Gerald%20Combs's gravatar image

Gerald Combs ♦♦
3.3k92258

1

This likely (hopefully) causes RTP session establishment signaling to be filtered out, so make sure to set 'Try to decode RTP outside of conversations' in the RTP dissector preferences. Otherwise you'll only see UDP packets.

answered 14 Sep '10, 03:49

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

1

It could even be

udp[8] & 0xC0 == 0x80

to check for a valid RTP version (2).

The length could be tuned even further, starting at 225 for untagged 20 ms G.711 audio @ 8kbps, adding 80 bytes per 10 ms extra. Other features (SRTP, RTP extensions) and other codecs (G722, G729, etc) require other sizes.

answered 14 Sep '10, 04:47

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%