I'd like to capture RTCP packets sent and received to and from specific ports. I have set up this simple filter:
that allows me to capture almost exactly what I want. The problem is that at the same ports there's also STUN traffic. So, if I select "decode as" RTCP, the STUN traffic gets decoded as RTCP as well. That yields invalid RTCP packets of course. Is there a way to filter out the STUN traffic? asked 17 Jun '14, 01:13 gpo edited 17 Jun '14, 04:13
One Answer:
Go into Wireshark preferences, and under the RTP and RTCP protocols, check "Try to decode outside conversation". This should then show your specific RTP and RTCP traffic and leave out the STUN protocol. answered 17 Jun '14, 03:24 Rooster_50
I should have mentioned that I've already tried that but it didn't work :(
Do you have a sample trace you can share via dropbox or cloudshark.org?
https://www.cloudshark.org/captures/e9ea04c86250
Does this feature generally work? Should I file a bug report maybe?
Does this same issue happen if you do not capture using the "ANY" device, so that you get a true Ethernet header, instead of the Linux Cooked packet header?
Also, if you look at the values of the RTP header after you decode as RTCP, they are all over the place.
I'll try that tomorrow.
What do you mean by saying that they're all over the place?
I just tried that and the problem persists.
Those are actually SRTCP packets. Here it says that SRT(C)P handling was recently added to both dissectors.
UPDATE: It seems there was a patch developed back in 2007 and it appears that it is included in the latest wireshark (I checked the source code) but I don't see how to activate. Is it really included and if so how do I use it?
In order for it to work the media session protocols have to setup a crypto session (which they do not) and decryption has to be implemented (like through the use of libsrtp, which is not there). All the RT(C)P dissectors can do now is keep their hands off of encrypted data and tell you about that.
I kind of need this functionality, so I'm considering implementing it; but I have no clue as to where to start from.
Would you happen to know if there's anything similar currently implemented to get inspired from? Do you think this is possible in Lua? Or do I have to modify packet-rtcp.c and friends to get it to work?
First you need to know how to get your hands on the crypto parameters. Then these have to be added to the cipher information structure passed to the RT(C)P dissectors for use there with libSRTP for instance. packet-sdp.c has a skeleton implementation for this. All this can only be done in the existing dissectors, and I assume quite a bit of work to do it right.
OK, I'll try to get my hands dirty. Thank you very much for all the information you gave me Jaap. Thank you, too, Rooster_50. You guys rock :-)
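The thread's two problems (STUN and RT(C)P sharing one UDP port, and SRTCP looking like RTCP until you decrypt it) can both be checked outside Wireshark. The following is an added example, not part of the original thread and not Wireshark's or libsrtp's code. It demultiplexes UDP payloads by the first-byte rule of RFC 5764 section 5.1.2 (0-3 STUN, 20-63 DTLS, 128-191 RTP/RTCP), separates RTP from RTCP by the RFC 5761 packet-type range, and then walks an RTCP compound packet: plain RTCP leaves no bytes behind, whereas SRTCP leaves its E|index word and auth tag and its second chunk header is ciphertext. The packets in the block are constructed for this example, not taken from the capture linked above.

```python
"""Demultiplex UDP payloads shared between STUN, DTLS and RTP/RTCP.

Added example: first-byte classification per RFC 5764 section 5.1.2 (also
RFC 7983), RTP/RTCP split per RFC 5761 (RTCP packet types 192-223), and an
RTCP compound-packet walker that reports leftover bytes, which is what an
SRTCP trailer (RFC 3711 section 3.4) looks like to an RTCP parser.
All sample packets below are constructed for this example.
"""
import struct


def classify(payload: bytes) -> str:
    """Return "stun", "dtls", "rtp", "rtcp", "runt" or "unknown" for a UDP payload."""
    if len(payload) < 2:
        return "runt"
    b0, b1 = payload[0], payload[1]
    if b0 <= 3:                      # STUN: top two bits 00
        return "stun"
    if 20 <= b0 <= 63:               # DTLS record content types
        return "dtls"
    if 128 <= b0 <= 191:             # RTP/RTCP: version 2 in top two bits
        return "rtcp" if 192 <= b1 <= 223 else "rtp"
    return "unknown"


def walk_rtcp(payload: bytes):
    """Walk an RTCP compound packet.

    Returns (chunks, trailing_bytes) where each chunk is (packet_type, size).
    The walk stops at the first 4-byte group that is not a version-2 RTCP
    header.  Plain RTCP ends exactly at the payload end (trailing 0).  For
    SRTCP only the first header and SSRC are cleartext, so the walk stops at
    the encrypted second chunk and everything after it, including the
    E|index word and auth tag, is reported as trailing bytes.
    """
    chunks = []
    off = 0
    while off + 4 <= len(payload):
        b0, pt, length_words = struct.unpack("!BBH", payload[off:off + 4])
        if (b0 >> 6) != 2 or not (192 <= pt <= 223):
            break                    # not an RTCP header (ciphertext, trailer, or STUN)
        size = (length_words + 1) * 4
        if off + size > len(payload):
            break                    # declared length runs past the datagram
        chunks.append((pt, size))
        off += size
    return chunks, len(payload) - off


def summarize(packets):
    """Count classifications over a list of payloads (constructed input in main)."""
    counts = {}
    for p in packets:
        kind = classify(p)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample datagrams (not from the original capture).
STUN_REQ = bytes.fromhex("000100002112a442") + bytes(range(12))      # Binding Request
RTP_PKT = bytes.fromhex("8060000100000000deadbeef") + b"\x11\x22\x33\x44"  # V=2, PT=96
RTCP_SR = bytes.fromhex("80c80006deadbeefe2b5c3a1000000000000123400000010"
                        "00001000")                                  # SR, 28 bytes
RTCP_SDES = bytes.fromhex("81ca0003deadbeef0104616263640000")        # SDES CNAME, 16 bytes
RTCP_COMPOUND = RTCP_SR + RTCP_SDES
# SRTCP: cleartext SR header+SSRC, then opaque ciphertext, E|index, 80-bit auth tag
SRTCP_PKT = (RTCP_SR[:8] + bytes([0x5a, 0xa5]) * 18
             + bytes.fromhex("80000001") + bytes.fromhex("0102030405060708090a"))
DTLS_PKT = bytes.fromhex("16fefd000000000000000000100000")           # handshake record

if __name__ == "__main__":
    for name, p in [("stun", STUN_REQ), ("rtp", RTP_PKT), ("rtcp", RTCP_COMPOUND),
                    ("srtcp", SRTCP_PKT), ("dtls", DTLS_PKT)]:
        print(f"{name:6s} -> {classify(p):5s} rtcp walk: {walk_rtcp(p)}")
    print(summarize([STUN_REQ, RTP_PKT, RTCP_COMPOUND, SRTCP_PKT, DTLS_PKT]))
```

The same first-byte test works as a pcap capture filter if the port is known, for example `udp port 5004 and udp[8] & 0xc0 = 0x80` (udp[8] is the first payload byte), which keeps RTP/RTCP and drops STUN before Wireshark ever sees it. Note that `classify` returns "rtcp" for the SRTCP sample too: nothing in the first bytes tells SRTCP from RTCP, which is why "decode as" cannot help and only `walk_rtcp`'s leftover-byte count gives the hint.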