I am using SharpPCap, which is built on WinPCap, to capture UDP traffic. My end goal is to capture the audio data from H.323 and save those phone conversations as WAV files. But first things first - I need to figure out what UDP packets are crossing the NIC.
SharpPCap provides a UdpPacket class that gives me access to the PayloadData of the message. But I am unsure what to do with this data. It's a Byte[] array and I don't know how to go about determining if it's an RTP or RTCP packet.
I've Googled this topic but there isn't much out there. Any help is appreciated.
If communications are done over RTSP, take a look at the UDP port that is negotiated upon SETUP. The UDP port will tell you if it is RTP or RTCP (also worth noting that RTP is usually done over even port numbers and RTCP on odd).
RTCP (Real-time Transport Control Protocol) is a companion protocol of RTP (also known as a sister protocol) and is defined along with RTP. It is an integral part of RTP and offers the control functionality RTP requires, such as feedback, synchronization and user interface.
Typically RTP and RTCP are using a different port. However, Duckduckgoing "RTP and RTCP on the same port" gives me "Multiplexing RTP and RTCP on a Single Port", RFC 5761.
Look at the definitions for RTP and RTCP packets in RFC 3550:
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |V=2|P|X|  CC   |M|     PT      |       sequence number         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           timestamp                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |           synchronization source (SSRC) identifier            |
    +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    |            contributing source (CSRC) identifiers             |
    |                             ....                              |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
I won't reproduce the legend for all of the above - it's quite long - but take a look at Section 5.1.
With that in hand you'll see there's not a lot you can do to determine if a packet contains RTP/RTCP. Best of all would be to sniff, as other posters have suggested, the media stream negotiation. Second best would be some sort of pattern matching over a sequence of packets: the first two bits will be 10, followed by the next two bits being constant, followed by bits 9 through 15 being constant, then 16 -> 31 incrementing, and so on.
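A sketch of the packet-sequence heuristic described above, written as an added example that is not part of the original answer. It works on the byte[] taken from UdpPacket.PayloadData; the class names, the MinSequential threshold and the sample packets are assumptions made for illustration, and real code should also key the state on the UDP flow, not just the SSRC.

```csharp
using System;
using System.Collections.Generic;

enum Kind { NotRtp, Rtcp, RtpCandidate, Rtp }

class RtpHeuristic
{
    const int MinSequential = 3; // assumed threshold, tune for your traffic
    // SSRC -> last sequence number, constant header bits, length of in-order run
    readonly Dictionary<uint, (ushort Seq, int Hdr, int Run)> streams =
        new Dictionary<uint, (ushort Seq, int Hdr, int Run)>();

    public Kind Classify(byte[] p)
    {
        // Both RTP and RTCP start with version bits "10" (V=2).
        if (p == null || p.Length < 4 || (p[0] >> 6) != 2) return Kind.NotRtp;
        // RFC 3550 RTCP packet types SR..APP appear in the second byte as 200..204.
        if (p[1] >= 200 && p[1] <= 204) return Kind.Rtcp;
        int cc = p[0] & 0x0F;                          // CSRC count
        if (p.Length < 12 + 4 * cc) return Kind.NotRtp;
        int hdr = (p[0] << 8) | (p[1] & 0x7F);         // V, P, X, CC and PT (marker bit dropped)
        ushort seq = (ushort)((p[2] << 8) | p[3]);
        uint ssrc = ((uint)p[8] << 24) | ((uint)p[9] << 16) | ((uint)p[10] << 8) | p[11];
        int run = 1;
        // Same SSRC, same constant header bits, sequence number advanced by one (mod 2^16).
        if (streams.TryGetValue(ssrc, out var s) && s.Hdr == hdr && (ushort)(s.Seq + 1) == seq)
            run = s.Run + 1;
        streams[ssrc] = (seq, hdr, run);
        return run >= MinSequential ? Kind.Rtp : Kind.RtpCandidate;
    }
}

static class Demo
{
    // Constructed sample: 12-byte RTP header, PT 0, SSRC 0x11223344, plus 4 payload bytes.
    static byte[] Rtp(ushort seq) => new byte[] {
        0x80, 0x00, (byte)(seq >> 8), (byte)seq, 0, 0, 0, 0xA0,
        0x11, 0x22, 0x33, 0x44, 1, 2, 3, 4 };

    static void Main()
    {
        var h = new RtpHeuristic();
        foreach (ushort seq in new ushort[] { 65534, 65535, 0 })   // sequence wraps around
            Console.WriteLine($"seq {seq}: {h.Classify(Rtp(seq))}");
        // Constructed RTCP receiver report (packet type 201) and a non-RTP datagram.
        Console.WriteLine(h.Classify(new byte[] { 0x80, 201, 0, 1, 0x11, 0x22, 0x33, 0x44 }));
        Console.WriteLine(h.Classify(new byte[] { 0x45, 0x00, 0x00, 0x1C }));
    }
}
```

A single packet can only ever be a candidate; the stream is reported as RTP once several in-order packets with identical header bits have been seen, which is why random UDP payloads that happen to start with bits 10 rarely pass.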
I would look at the packet detectors in Wireshark, which can decode most common protocols available.