Joe, I suspect that sniffer is identifying the RTP packets by looking at the session setup protocols ( MGCP/H323/SIP/Megaco ) which negotiate those RTP streams between the parties on the network. Ethereal could do this, but currently doesn't.
Ed

On Wed, 2002-04-17 at 17:49, Joe Aiello wrote:
> I think this was misleading. Sniffer WAN files is terminology in Sniffer
> (in their save/as dialog). WAN seems to refer more to their current Windows
> version file format. They are not PPP, but Ethernet captures. Since
> Ethereal can already read the format (as identified in Ethereal as Sniffer
> Windows 2.00x), someone knows the file format.
>
> The reason we originally talked about this was that I have a custom tool
> that will extract the audio payload and create sound files from the Sniffer
> Windows format capture files. I use Ethereal to capture and filter the
> traffic and save to Sniffer DOS format. I then read this in to Sniffer and
> save as a "Sniffer WAN" .cap file. I can then use my tool to create the
> sound files.
>
> As for RTP, they do it somehow and I have yet to have a misrepresented
> packet. Since RTP ports change all the time (Cisco uses 16K ports), I know
> there is no pre-configured port maps. I use Ethereal all the time and use
> the "decode as" often and it works perfectly (for both halves of the RTP
> conversation).
>
> Thanks for looking at it.
>
> Joe
>
>
> -----Original Message-----
> From: Guy Harris [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, April 17, 2002 2:36 PM
> To: Joe Aiello
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Ethereal-dev] RE: [Ethereal-users] Not seeing RTP or RTCP
> traffic on Win2K
>
> On Wed, Apr 17, 2002 at 11:44:45AM -0700, Joe Aiello wrote:
> > I noticed that Ethereal can read the Sniffer WAN.cap files and indicate
> that
> > it is a "Network Associates Sniffer (Windows-Based) 2.00x format. This is
> > displayed if you select file/save as. It seems the work to decode the
> > format is there, just not to save as.
>
> Unfortunately, it appears that Sniffer WAN (PPP) captures look like
> Ethernet captures; we'd have to implement code in Wiretap to translate
> PPP headers to Ethernet headers (including mapping protocol types - and,
> presumably, *discarding* packets for protocols that have PPP types but
> not Ethernet types) to be able to save them.
>
> I will not be doing that any time soon. My plate is already massively
> over-full with other things....
>
> > As for RTP, they must look at the UDP packets and check for the RTP
> header.
>
> Perhaps they do, but, for what it's worth, we don't. I'm not sure I see
> anything immediately obvious that would work well as a heuristic to
> detect RTP. (Are you certain the Sniffer isn't configured to treat
> either port 1062 or port 17654 as RTP ports?)
>
> So, until somebody can come up with a heuristic to detect RTP traffic
> *without* bogusly treating a bunch of non-RTP traffic as RTP, you'll
> either have to use the Sniffer, or use the "Decode As" option in
> Ethereal to force it to decode particular ports as particular protocols
> (selecting the first packet, selecting "Decode As..." from the Tools
> menu, selecting the source or destination port, selecting "RTP" from
> the list of protocols, and clicking "OK" causes it to show that traffic
> as RTP traffic).
>
>
> _______________________________________________
> Ethereal-dev mailing list
> [EMAIL PROTECTED]
> http://www.ethereal.com/mailman/listinfo/ethereal-dev
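The thread's two positions, that a per-packet RTP heuristic would mislabel a lot of non-RTP UDP and that a tool has to track the stream (or its setup signalling) instead, illustrated with an added Python example that is not Ethereal/Wiretap code: a one-packet version-bits check beside a per-flow detector that only declares RTP after several consecutive datagrams with one SSRC and incrementing sequence numbers. The packet bytes, addresses and ports are constructed for the demo.

```python
import struct

def parse_rtp_header(payload: bytes):
    """Fixed 12-byte RTP header (RFC 3550): (version, pt, seq, ts, ssrc) or None."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    return b0 >> 6, b1 & 0x7F, seq, ts, ssrc

def looks_like_rtp_single(payload: bytes) -> bool:
    """One-packet heuristic: V=2 and a payload type outside the RTCP range.
    Weak: any UDP payload whose first byte is 0x80..0xBF passes."""
    hdr = parse_rtp_header(payload)
    return hdr is not None and hdr[0] == 2 and not 72 <= hdr[1] <= 76

class RtpFlowDetector:
    """Per-flow heuristic: RTP only once `min_packets` consecutive datagrams share
    an SSRC, advance the sequence number by one and do not move the timestamp back."""
    def __init__(self, min_packets: int = 3):
        self.min_packets = min_packets
        self.state = {}  # flow 5-tuple-ish key -> (ssrc, last_seq, last_ts, run)

    def observe(self, flow, payload: bytes) -> bool:
        hdr = parse_rtp_header(payload)
        if hdr is None or hdr[0] != 2 or 72 <= hdr[1] <= 76:
            self.state.pop(flow, None)          # break the run on a non-RTP-looking packet
            return False
        _, _, seq, ts, ssrc = hdr
        prev = self.state.get(flow)
        ok = (prev is not None and prev[0] == ssrc
              and seq == (prev[1] + 1) & 0xFFFF                 # 16-bit wrap
              and (ts - prev[2]) & 0xFFFFFFFF < 0x80000000)     # forward modulo 2^32
        run = prev[3] + 1 if ok else 1
        self.state[flow] = (ssrc, seq, ts, run)
        return run >= self.min_packets

def make_rtp(seq: int, ts: int, ssrc: int = 0x1234ABCD, pt: int = 0) -> bytes:
    # constructed PCMU packet: V=2, no padding/extension/CSRC, 160 bytes of audio
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + b"\xff" * 160

def demo():
    det = RtpFlowDetector()
    voice = ("10.0.0.1", 16384, "10.0.0.2", 17654)   # constructed; high, unconfigured ports
    rtp_results = [det.observe(voice, make_rtp(100 + i, 1000 + 160 * i)) for i in range(4)]
    # constructed non-RTP datagram whose first byte happens to be 0x80
    bogus = b"\x80\x00\x00\x01" + b"A" * 20
    other = ("10.0.0.3", 1062, "10.0.0.4", 5000)
    single_verdict = looks_like_rtp_single(bogus)               # True: false positive
    flow_verdicts = [det.observe(other, bogus) for _ in range(4)]  # never True: seq never advances
    return rtp_results, single_verdict, flow_verdicts
```

A real dissector would additionally seed flows from the SDP/H.245/MGCP negotiation that Ed mentions, so the heuristic only has to confirm what signalling already announced.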