This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dissector for rtp payload independent from port

0

Hey guys, I wanna dissect data from rtp body.

I tried this first with adding my defined protocol to the UDP table like that:

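-- Declare the protocol object (name and description are placeholders)
local myProto = Proto("myproto", "My Protocol")

function myProto.dissector(buffer, pinfo, tree)
  -- some code here for dissection
end
-- Bind the dissector to one fixed UDP port
local udp_dissector_table = DissectorTable.get("udp.port")
udp_dissector_table:add(5010, myProto)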

The dissection works fine but unfortunately just for the specified port 5010. The dissection of the bytes inside of the function myProto.dissector(buffer, pinfo, tree) starts with the beginning of the udp packet. So buffer() has now the length of the whole RTP content (including header). The problem is now that the RTP can be in UDP packets with different ports.

I tried another way which seems to be the better one because in this case it is independent from the UDP port. I registered a postdissector for checking against each packet:

function myProto.dissector(buffer, pinfo, tree)
  -- some code here for dissection
end

register_postdissector(myProto)

Now the buffer has the length of the whole frame (ethernet header + ip header + udp header + rtp header + rtp content). So for each of my fields I have to add the offset length of e.g. 42 bytes (14 + 20 + 8). My problem is now that the ethernet frame as well as the ip packets do not always have a static length.

Is there a way to check if the buffer contains an rtp packet and to check the header length of ethernet / IP? Or is there maybe a way to use my first option but without any fixed port?

Thanks in advance.

Best regards, Danny

asked 13 Mar '17, 23:19

Danny Koppen…

edited 13 Mar '17, 23:35


One Answer:

0

You should look into registering for rtp.pt or rtp_dyn_payload_type. Have a look into the RTP dissector (epan/dissectors/packet-rtp.c) to see what that brings you.

answered 14 Mar '17, 09:50

Jaap ♦

Thank you, this info helps me a lot. I found a solution which looks basically like this: https://github.com/FOXNEOAdvancedTechnology/RFC4175-dissector/blob/master/RFC-4175.lua

Best regards, Danny

(15 Mar '17, 05:16) Danny Koppen...
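
The registration the answer points to, as an added example that is not part of the original posts or the linked script: a Lua subdissector attached to the RTP dissector's `rtp.pt` and `rtp_dyn_payload_type` tables, so it receives only the RTP payload regardless of UDP port. The protocol name `myproto`, the field `myproto.data`, the default payload type 96 and the encoding name `MYCODEC` are assumptions.

```lua
-- Added example: hand the RTP payload to a custom dissector by payload type.
-- Assumed names: "myproto", myproto.data, payload type 96, "MYCODEC".
local myProto = Proto("myproto", "My RTP Payload")

local f_data = ProtoField.bytes("myproto.data", "Payload data")
myProto.fields = { f_data }

-- Dynamic payload types (96-127) are negotiated per session, so the
-- number is a preference instead of a constant.
myProto.prefs.dyn_pt = Pref.uint("Dynamic RTP payload type", 96,
    "RTP payload type that carries this protocol (0 disables)")

function myProto.dissector(buffer, pinfo, tree)
    -- buffer starts at the first byte after the RTP header; no Ethernet,
    -- IP or UDP offsets are needed here.
    if buffer:len() == 0 then return 0 end   -- payload is untrusted input
    pinfo.cols.protocol = "MYPROTO"
    local subtree = tree:add(myProto, buffer(), "My RTP Payload")
    subtree:add(f_data, buffer())
    return buffer:len()
end

local rtp_pt_table = DissectorTable.get("rtp.pt")
local current_pt = 0

-- (Re)register when the preference changes, removing the old binding first.
local function register_pt()
    local new_pt = myProto.prefs.dyn_pt
    if new_pt == current_pt then return end
    if current_pt > 0 then rtp_pt_table:remove(current_pt, myProto) end
    if new_pt > 0 and new_pt <= 127 then
        rtp_pt_table:add(new_pt, myProto)
        current_pt = new_pt
    else
        current_pt = 0
    end
end

function myProto.prefs_changed() register_pt() end
register_pt()

-- Alternative binding: match the encoding name announced in SDP (a=rtpmap),
-- which follows the session even when the numeric payload type differs.
DissectorTable.get("rtp_dyn_payload_type"):add("MYCODEC", myProto)
```

The subdissector is called only for packets Wireshark already decodes as RTP, for example because the session setup is in the capture or the stream was selected with Decode As.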