This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

RTP packets correlation with telephone number

0

I've captured all the packets from the server for 5 minutes. In this time there were 3 calls made from the same client to the same supplier. When I filter the RTP packets in Wireshark I do not know which RTP packets are for the 2nd call. Can you give me any hints on how to associate the RTP packets (audio) with the call / telephone number? I do not know which audio is for which number...

asked 15 Jun '16, 05:50

Eduard Petru

edited 15 Jun '16, 07:28

sindy

One Answer:

1

Normally Wireshark assigns RTP streams to signalling (or, to be precise, control in case of MGCP and Megaco) exchanges automatically, as it identifies RTP by the contents of SDPs exchanged between parties in the signalling. So if you use Telephony -> VoIP Calls, you'll get a list of VoIP calls found in the capture, and if you select one or more of the items in the list and press the Flow Sequence button, you'll see the signalling/control protocol's messages as well as RTP streams as arrows in the ladder graph, labelled with important fields of the call control messages (like calling and called numbers) and with UDP/TCP port numbers, which allows you to identify the RTP streams.

If you select a single call, you can use the > Play Streams button to replay the audio of that call directly from the list.

Is this an answer to your question, or have you tried this and some part of it does not work?

answered 15 Jun '16, 06:24

sindy

Thank you so much, I have managed somehow to correlate the port session and filter the RBT. I've also noticed there is a problem when streaming codecs G729. Thank you again.

(15 Jun '16, 23:48) Eduard Petru

See the wiki page here for info about G729.

(16 Jun '16, 12:57) grahamb ♦
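
The correlation described in the answer, as an added example that is not part of the original thread and not Wireshark's own code: each SDP body advertises the address and port where its sender wants to receive audio, so indexing those endpoints by call identifies which call an RTP packet's destination belongs to. It assumes SIP signalling with full (non-compact) header names and no NAT rewriting; the messages, numbers and addresses are constructed samples.

```python
import re

def sip(start, call_id, frm, to, ip, port):
    sdp = (f"v=0\r\no=- 1 1 IN IP4 {ip}\r\ns=-\r\nc=IN IP4 {ip}\r\nt=0 0\r\n"
           f"m=audio {port} RTP/AVP 18 0\r\n")
    return (f"{start}\r\nCall-ID: {call_id}\r\nFrom: <sip:{frm}@example.test>;tag=a\r\n"
            f"To: <sip:{to}@example.test>\r\nContent-Type: application/sdp\r\n\r\n{sdp}")

# Constructed signalling (sample data): two calls from one client to one supplier.
MESSAGES = [
    sip("INVITE sip:5550102@example.test SIP/2.0", "call-1", "5550100", "5550102", "192.0.2.10", 40000),
    sip("SIP/2.0 200 OK", "call-1", "5550100", "5550102", "198.51.100.7", 52000),
    sip("INVITE sip:5550103@example.test SIP/2.0", "call-2", "5550100", "5550103", "192.0.2.10", 40002),
    sip("SIP/2.0 200 OK", "call-2", "5550100", "5550103", "198.51.100.7", 52002),
]

def parse_message(text):
    head, _, body = text.partition("\r\n\r\n")
    pairs = (line.partition(":") for line in head.split("\r\n")[1:])  # skip start line
    return {n.strip().lower(): v.strip() for n, _, v in pairs}, body

def user_part(value):
    m = re.search(r"sips?:([^@>;]+)@", value)
    return m.group(1) if m else None

# Returns {(ip, port)} where the sender of this SDP expects to receive audio.
def sdp_audio_endpoints(body):
    session_addr, media = None, []
    for line in body.splitlines():
        if line.startswith("c=") and media:
            media[-1][0] = line.split()[-1]      # media-level c= overrides session-level
        elif line.startswith("c="):
            session_addr = line.split()[-1]
        elif line.startswith("m="):
            kind, port = line[2:].split()[:2]
            media.append([session_addr, int(port.split("/")[0]), kind])
    return {(a, p) for a, p, k in media if k == "audio" and p}

# Maps each advertised (ip, port) to (Call-ID, calling number, called number).
def index_calls(messages):
    index = {}
    for text in messages:
        headers, body = parse_message(text)
        if headers.get("content-type", "").startswith("application/sdp"):
            call = (headers["call-id"], user_part(headers["from"]), user_part(headers["to"]))
            for endpoint in sdp_audio_endpoints(body):
                index[endpoint] = call
    return index
```

Look up an RTP packet by its destination address and UDP port, for example `index_calls(MESSAGES).get(("192.0.2.10", 40002))`. If a later call reuses the same port, the lookup also needs to be bounded by the time window of each call.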