In the GUI I can use Analyze > Decode as... > RTP
Searching on google I find two "ways" of doing this:
Neither of these works. When I open the p_out.pcap in Wireshark it's still in UDP.
What is the proper method for achieving this?
asked 15 Feb '16, 23:42
edited 16 Feb '16, 00:35
The pcap (or pcapng, or any other capture file format) does not store the
So you could use "display filter"
answered 16 Feb '16, 01:06
Back to the basics. Wireshark makes interpretations based on its knowledge on how network frames are composed. Therefore we start at the bottom.
For most common network frames the datalinktype is Ethernet. Therefore the (generic) frame dissector hands the received frame (read from the pcap file) to the Ethernet dissector. This reads the beginning of the frame and decides it contains an IP packet, and hands the remainder to the IP dissector. The IP dissector decides it contains a UDP payload, and hands the remainder to the UDP dissector.
The UDP dissector now has a problem. The port number in the dissector doesn't uniformly identify the payload type, so it has to try to find out where to hand the payload another way. Sometimes there are other protocols in the capture which tell something (think SIP/SDP for example), sometimes the payload itself has a 'magic' value to identify the payload type.
For RTP there is very little to go on: unless an external signalling protocol gives you the port numbers, the payload doesn't give you much to go on. That's where the option 'decode as' and the rtp_udp preference come into play. These allow the operator to force interpretation of the UDP payload as RTP, because of the high probability of false positive identification of random UDP payload as RTP.
So, the capture file just contains network frames, it's the interpretation Wireshark makes of them that shows RTP.
answered 16 Feb '16, 12:44
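To show why the answer above says heuristic RTP detection on bare UDP is prone to false positives, here is an added example (not Wireshark's dissector code) that applies the checks a heuristic dissector can make from the RFC 3550 fixed header alone to two constructed payloads: a real-looking RTP packet and a DNS query whose transaction ID happens to begin with 0x80.

```python
import struct

# Minimal RTP fixed-header validation (RFC 3550 layout). This mirrors the
# kind of check a UDP->RTP heuristic can do; it is an illustration, not
# Wireshark's own code.
RTP_VERSION = 2

def parse_rtp_header(payload: bytes):
    """Return RTP header fields as a dict, or None if the bytes cannot be RTP."""
    if len(payload) < 12:
        return None
    b0, b1 = payload[0], payload[1]
    if (b0 >> 6) != RTP_VERSION:          # V field: only version 2 is valid
        return None
    extension = bool(b0 & 0x10)
    csrc_count = b0 & 0x0F
    payload_type = b1 & 0x7F
    seq, timestamp, ssrc = struct.unpack("!HII", payload[2:12])
    header_len = 12 + 4 * csrc_count
    if extension:                          # X bit: one extension header follows the CSRCs
        if len(payload) < header_len + 4:
            return None
        ext_words = struct.unpack("!H", payload[header_len + 2:header_len + 4])[0]
        header_len += 4 + 4 * ext_words
    if len(payload) < header_len:
        return None
    # Payload types 72-76 collide with RTCP packet types (RFC 5761), so reject them.
    if 72 <= payload_type <= 76:
        return None
    return {"version": RTP_VERSION, "marker": bool(b1 & 0x80),
            "payload_type": payload_type, "seq": seq, "timestamp": timestamp,
            "ssrc": ssrc, "csrc_count": csrc_count, "header_len": header_len}

def looks_like_rtp(payload: bytes) -> bool:
    return parse_rtp_header(payload) is not None

# Constructed sample 1: RTP, PT 0 (PCMU), seq 1234, 160 bytes of audio.
RTP_PACKET = bytes([0x80, 0x00]) + struct.pack("!HII", 1234, 160000, 0xDEADBEEF) + b"\xff" * 160

# Constructed sample 2: a DNS query for example.com with transaction ID 0x8001.
# The first byte 0x80 decodes as RTP version 2, so the heuristic accepts it.
DNS_QUERY = bytes.fromhex("80010100000100000000000007") + b"example\x03com\x00\x00\x01\x00\x01"

if __name__ == "__main__":
    print("RTP sample:", looks_like_rtp(RTP_PACKET), parse_rtp_header(RTP_PACKET))
    print("DNS sample:", looks_like_rtp(DNS_QUERY), "<- false positive")
```

Both payloads pass, which is why Wireshark leaves the rtp_udp heuristic off and lets the operator force the interpretation instead; in tshark the counterpart of the GUI's Decode As is `-d udp.port==<port>,rtp`.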