Hi,

Dissection of UDP packets is based on port number, heuristics or conversation.

First it is checked if a conversation is set up for the packet with a predetermined dissector. If the control signalling for this RTP session was in the trace and setting up a conversation is implemented for the control protocol (SIP, H323, RTSP), the UDP packets would have been dissected as RTP.

Secondly (if preferences aren't set differently) the packet is dissected by the dissector registered for one of the ports used. The WCCP port is 2048, so if that port is used for your RTP session, that's why it gets dissected as WCCP.

As a third option, dissectors registered as heuristics are tried, meaning that a portion of the packet is checked to see if it could be the protocol in question. Preferences can be set in RTP to try heuristics, but as there is no good way to determine if it's an RTP packet or not, it may pick up more UDP packets than wanted.

BR
Anders

________________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Chet Seligman
Sent: 5 January 2007 04:04
To: [email protected]
Subject: [Wireshark-users] RTP decoded as WCCP (malformed packet)

When I tell WS to decode as RTP it does so correctly, displaying 214-byte normal G.711 packets. These can be turned into understandable audio. Can anyone explain why the original protocol decode is WCCP with a very large packet length listed?
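
The lookup order described in the reply above, as an added example that is not part of the original thread and is not Wireshark's code: a small Python model of conversation, then port, then heuristic selection. The function names, the port-only conversation key, the sample ports other than 2048 and the version-bits check are assumptions made for illustration.

```python
import struct

PORT_TABLE = {2048: "WCCP"}  # the WCCP port named in the reply


def looks_like_rtp(payload):
    # Simplified heuristic (assumption): room for the 12-byte fixed RTP
    # header and the two version bits equal to 2.
    return len(payload) >= 12 and payload[0] >> 6 == 2


def pick_dissector(sport, dport, payload, conversations, try_heuristics=False):
    # 1. A conversation registered by the control protocol wins.
    for key in ((sport, dport), (dport, sport)):
        if key in conversations:
            return conversations[key]
    # 2. Otherwise use a dissector registered for either port.
    for port in (sport, dport):
        if port in PORT_TABLE:
            return PORT_TABLE[port]
    # 3. Otherwise try heuristics, if the preference is enabled.
    if try_heuristics and looks_like_rtp(payload):
        return "RTP"
    return "data"


def heuristic_pass_fraction():
    # Share of possible first-byte values that satisfy the version check,
    # i.e. how much unrelated UDP traffic the weak heuristic would accept.
    hits = sum(looks_like_rtp(bytes([b]) + bytes(11)) for b in range(256))
    return hits / 256


# Constructed sample: RTP version 2, payload type 0 (G.711 mu-law),
# 160 bytes of audio, giving a 172-byte UDP payload.
RTP_PACKET = struct.pack("!BBHII", 0x80, 0, 1, 160, 0x1234ABCD) + bytes(160)
# Constructed non-RTP payload whose first byte happens to start with bits 10.
NOT_RTP = b"\x80" + b"arbitrary application data"

if __name__ == "__main__":
    print(pick_dissector(5004, 2048, RTP_PACKET, {}))                      # port match
    print(pick_dissector(5004, 2048, RTP_PACKET, {(5004, 2048): "RTP"}))   # conversation
    print(pick_dissector(40000, 40002, RTP_PACKET, {}, try_heuristics=True))
    print(pick_dissector(40000, 40002, NOT_RTP, {}, try_heuristics=True))  # false positive
    print(heuristic_pass_fraction())
```

The last two calls show the trade-off the reply mentions: with heuristics enabled, a payload that is not RTP is still labelled RTP because only the version bits are checked.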
