Decode RTP outside of conversations (WS 2.0)

0

I recently installed the latest version of Wireshark (version 2.0.0). I am having a difficult time decoding voice traffic. In the older version I could modify my protocol preferences for RTP using these steps.

"Decode RTP outside of conversations" enabled (in Edit->Preferences->Protocols->RTP).

In the new version this is not an option. Some forum talked about going through each packet and right clicking on it and selecting decode as. This is very cumbersome. Isn't there a way to universally set this preference?

asked 01 Dec '15, 13:13

livef7ee

edited 04 Dec '15, 01:15

Jaap ♦


One Answer:

1

There are two ways to get UDP packets to be dissected as RTP if Wireshark doesn't see a session set up as UDP and automatically dissect them as UDP:

  1. explicitly say "decode this port as UDP";
  2. enable the heuristic RTP-over-UDP dissector, which looks at all UDP packets to see if they look like RTP packets and, if so, dissects them as RTP.

The first of those is what is done with "Decode As".

The second of those is what used to be done with the "Decode RTP outside of conversations" and is now done with the "Enabled Protocols" dialog - enable the "RTP over UDP" dissector (which, arguably somewhat confusingly, only controls whether the heuristic dissector is enabled).

So there isn't a "Decode RTP outside of conversations" option, but there is a setting that does the same thing; it's now in the "Enabled Protocols" dialog.

(The heuristic dissector is disabled by default, because it's a very weak heuristic (a better heuristic might not be possible) and thus would identify a lot of non-RTP traffic as RTP.)

answered 01 Dec '15, 18:12

Guy Harris ♦♦

@Guy Harris, if I get it right, the identification of RTP streams belonging to VoIP calls whose signalling messages are present in the capture is completely independent of the "weak heuristic" you've mentioned above, right? I'm asking because while this worked in let's say 95 % of cases in 1.12.x, it behaves much more randomly now (like e.g. the UDP flows are not identified as RTP until you display the VoIP calls ladder diagram). Has a bug been filed already or should I file one?

(02 Dec '15, 00:31) sindy

if I get it right, the identification of RTP streams belonging to VoIP calls whose signalling messages are present in the capture is completely independent of the "weak heuristic" you've mentioned above, right?

Correct.

Has a bug been filed already or should I file one?

File one.

(02 Dec '15, 11:35) Guy Harris ♦♦

This helped me. My captures (mostly) are on interfaces only passing voice traffic. This makes it much easier to gather info. Thx.

(03 Dec '15, 09:01) livef7ee

As you've just said Guy's answer has helped you, please click the "accept" icon - nobody else but you can do it. The goal is to mark useful answers for other people coming with the same question. See FAQ for details.

(03 Dec '15, 09:53) sindy
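
An added illustration (not part of the original thread, and not Wireshark's dissector code) of why the answer calls an RTP-over-UDP heuristic weak: the RTP fixed header in RFC 3550 offers little more than a 2-bit version field to test. The check below is a simplified, assumed model, and all function names and sample payloads are constructed for this example.

```python
import random
import struct

RTP_MIN_HEADER = 12  # fixed RTP header length in bytes (RFC 3550)

def looks_like_rtp(payload: bytes) -> bool:
    """Header-only plausibility check (assumed model, not Wireshark's code)."""
    if len(payload) < RTP_MIN_HEADER:
        return False
    version = payload[0] >> 6        # top two bits of the first byte
    csrc_count = payload[0] & 0x0F   # number of 32-bit CSRC entries announced
    if version != 2:
        return False
    # The payload must be long enough for the CSRC list it announces.
    return len(payload) >= RTP_MIN_HEADER + 4 * csrc_count

def build_rtp(pt, seq, ts, ssrc, media=b"\x00" * 160):
    """Constructed RTP packet: V=2, no padding, no extension, no CSRCs."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq, ts, ssrc) + media

def dns_query(txid):
    """Constructed DNS query for example.com; only the transaction ID varies."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)

def false_positive_rate(n=5000, size=64, seed=1):
    """Fraction of constructed random (non-RTP) payloads that pass the check."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n):
        payload = bytes(rng.getrandbits(8) for _ in range(size))
        hits += looks_like_rtp(payload)
    return hits / n

if __name__ == "__main__":
    print("real RTP packet :", looks_like_rtp(build_rtp(0, 1, 160, 0xDEADBEEF)))
    # The same DNS query passes or fails depending only on its random ID.
    print("DNS, id 0x8001  :", looks_like_rtp(dns_query(0x8001)))
    print("DNS, id 0x1234  :", looks_like_rtp(dns_query(0x1234)))
    print("random payloads :", false_positive_rate())
```

Roughly one in five random 64-byte payloads passes this model, which is why a capture containing only voice traffic is the case where enabling the heuristic is least likely to mislabel packets.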