Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do I determine if a packet is RTP/RTCP?

I am using SharpPCap which is built on WinPCap to capture UDP traffic. My end goal is to capture the audio data from H.323 and save those phone conversations as WAV files. But first thing is first - I need to figure out what my UDP packets are crossing the NIC.

SharpPCap provides a UdpPacket class that gives me access to the PayloadData of the message. But I am unsure what do with this data. It's a Byte[] array and I don't know how to go about determining if it's an RTP or RTCP packet.

I've Googled this topic but there isn't much out there. Any help is appreciated.

like image 301
Chris Holmes Avatar asked May 26 '10 19:05

Chris Holmes


People also ask

How to tell if port is RTP or RTCP?

the udp port will tell you if it is RTP or RTCP (also worth noting that RTP is usually done over even port numbers and RTCP on odd).

How to tell if communication is done over RTSP or RTP?

If communucations are done over RTSP, take a look at the udp port that is negotiated upon SETUP. the udp port will tell you if it is RTP or RTCP (also worth noting that RTP is usually done over even port numbers and RTCP on odd).

What is RTCP (real time Transport Control Protocol)?

The RTCP (Real-time Transport Control Protocol) is companion protocol of the RTP protocol (also known as sister protocol) and defined along with RTP. It is an integral part of the RTP protocol which offers the required control functionality to the RTP such as feedback, synchronization and user interface.

Can I multiplex RTP and RTCP on a single port?

1 Answer 1. Typically RTP and RTCP are using a different port. However, Duckduckgoing "RTP and RTCP on the same port" gives my Multiplexing RTP and RTCP on a Single Port, RFC5761.


2 Answers

Look at the definitions for RTP and RTCP packets in RFC 3550:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|V=2|P|X|  CC   |M|     PT      |       sequence number         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           timestamp                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           synchronization source (SSRC) identifier            |
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
|            contributing source (CSRC) identifiers             |
|                             ....                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

I won't reproduce the legend for all of the above - it's quite long - but take a look at Section 5.1.

With that in hand you'll see there's not a lot you can do to determine if a packet contains RTP/RTCP. Best of all would be to sniff, as other posters have suggested, the media stream negotiation. Second best would be some sort've pattern matching over a sequence of packets: the first two bits will be 10, followed by the next two bits being constant, followed by bits 9 through 15 being constant, then 16 -> 31 incrementing, and so on.

like image 96
Frank Shearar Avatar answered Oct 04 '22 13:10

Frank Shearar


I would look at the packet detectors in Wireshark, which can decode most common protocols available.

like image 20
Yann Ramin Avatar answered Oct 04 '22 13:10

Yann Ramin