This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why do we make use of a tap interface for RTP statistics?

0

Hi,

What is the need/advantage of using the tap interface for calculating RTP statistics? Why not simply read from a RAW socket, which will give entire packet information such as FRAME info, etc.?

I.e., the file tap-rtp-common.c, which has rtp-stream_packet. I understand that for some statistics, such as jitter, we need frame time information, etc. So we need the entire frame data and not just UDP info.

But any advantage in using the tap interface instead of simply reading from SOCK_RAW?

Any info will be very much appreciated.

Thanks, Badri.

asked 22 Mar '13, 07:38

badrigate


2 Answers:

0

Do you want to see only live traffic; how about capture files then?

How do you intend to figure out what the RTP frames are among the frames coming in from the raw socket?

answered 22 Mar '13, 09:59

Jaap ♦

0

> But any advantage in using the tap interface instead of simply reading from SOCK_RAW?

The advantage is that you get to use Wireshark's code for dissecting RTP rather than writing your own program to read from a SOCK_RAW socket and doing whatever parsing of RTP packets you want to do; I know of no OS with an in-kernel RTP implementation such that the SOCK_RAW socket will give you anything more than just packet data.

answered 22 Mar '13, 16:24

Guy Harris ♦♦

Hi Guy,

My doubt is on Wireshark's implementation. I am seeing many RTP stacks that use only udp_recv for their implementations. But Wireshark uses a tap interface for calculating RTP statistics. In particular, for jitter calculation, we need frame information. So it makes sense to have the entire data packet and not just UDP info. But Wireshark developers could have read that info from SOCK_RAW instead of using a tap interface.

Thanks, Badri.

(23 Mar '13, 01:02) badrigate

If I may say so, please read Jaap's answer again. Wireshark can dissect files as well as other sources of input.

So: that's just one reason why reading from SOCK_RAW isn't going to be relevant.

By the way: Wireshark's "tap interface" is just an internal mechanism whereby analysis portions of Wireshark can obtain access to specific types of frames.

(23 Mar '13, 09:22) Bill Meier ♦♦

> I am seeing many RTP stacks that use only udp_recv for their implementations.

Wireshark does not have an "RTP stack". It's a protocol analyzer, not an RTP client or server.

> In particular, for jitter calculation, we need frame information. So it makes sense to have entire data packet and not just udp info.

What do you mean by "frame information"? Do you mean the link-layer and IP header? Do you mean the frame time stamp? The frame time stamp is available to the RTP dissector and it can provide that information to a tap.

(23 Mar '13, 11:37) Guy Harris ♦♦

> But Wireshark developers could have read that info from SOCK_RAW

No, we could NOT have done so.

For one thing, as Jaap and Bill Meier noted, Wireshark reads files.

For another thing, when doing a live traffic capture, Wireshark uses whatever raw packet capture mechanism is in the OS. That is not necessarily a SOCK_RAW socket.

(23 Mar '13, 11:39) Guy Harris ♦♦
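
An added illustration of the points raised in this thread (not Wireshark's code and not written by any participant): RTP jitter computed offline from a capture file, using each frame's capture timestamp and a crude "UDP payload with version 2" check to pick out RTP. The 8 kHz clock rate, the sample stream and all function names are assumptions; the jitter formula is the RFC 3550 estimator.

```python
import struct

CLOCK_HZ = 8000  # assumption: 8 kHz RTP clock (e.g. PCMU audio)

def build_pcap(packets):
    """Constructed sample capture: Ethernet/IPv4/UDP/RTP frames from (arrival_us, seq, rtp_ts)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap global header
    for arrival_us, seq, rtp_ts in packets:
        rtp = struct.pack("!BBHII", 0x80, 0, seq, rtp_ts, 0x1234) + bytes(160)
        udp = struct.pack("!HHHH", 4000, 5004, 8 + len(rtp), 0) + rtp
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
        frame = bytes(12) + b"\x08\x00" + ip
        sec, usec = divmod(arrival_us, 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def rtp_packets(pcap):
    """Return [(frame_time_us, seq, rtp_ts)] for IPv4/UDP frames holding RTP version 2."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian, microsecond-resolution pcap")
    found, off = [], 24
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # not IPv4 carrying UDP
        rtp = frame[14 + (frame[14] & 0x0F) * 4 + 8:]  # skip Ethernet, IP and UDP headers
        if len(rtp) < 12 or rtp[0] >> 6 != 2:
            continue  # heuristic only: too short, or not RTP version 2
        seq, rtp_ts = struct.unpack_from("!HI", rtp, 2)
        found.append((sec * 1_000_000 + usec, seq, rtp_ts))
    return found

def interarrival_jitter_ms(packets, clock_hz=CLOCK_HZ):
    """RFC 3550 interarrival jitter estimate, in milliseconds."""
    jitter, prev = 0.0, None
    for arrival_us, _seq, rtp_ts in packets:
        if prev is not None:
            sent = ((rtp_ts - prev[1] + 2**31) % 2**32) - 2**31  # signed, wrap-safe
            d = (arrival_us - prev[0]) * clock_hz / 1e6 - sent
            jitter += (abs(d) - jitter) / 16
        prev = (arrival_us, rtp_ts)
    return jitter * 1000 / clock_hz

# Constructed stream: 20 ms packetization, third packet arrives 5 ms late.
SAMPLE = build_pcap([(0, 1, 0), (20_000, 2, 160), (45_000, 3, 320), (60_000, 4, 480)])
print(round(interarrival_jitter_ms(rtp_packets(SAMPLE)), 4))
```

The version-bit check is only a heuristic and will misclassify other UDP traffic, which is the identification problem Jaap's answer points at.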