How do I determine if a packet is RTP/RTCP?

4

12

I am using SharpPCap which is built on WinPCap to capture UDP traffic. My end goal is to capture the audio data from H.323 and save those phone conversations as WAV files. But first things first - I need to figure out what UDP packets are crossing my NIC.

SharpPCap provides a UdpPacket class that gives me access to the PayloadData of the message. But I am unsure what to do with this data. It's a Byte[] array and I don't know how to go about determining if it's an RTP or RTCP packet.

I've Googled this topic but there isn't much out there. Any help is appreciated.

Reportorial answered 26/5, 2010 at 19:38 Comment(0)
6

Look at the definitions for RTP and RTCP packets in RFC 3550:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|V=2|P|X|  CC   |M|     PT      |       sequence number         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           timestamp                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           synchronization source (SSRC) identifier            |
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
|            contributing source (CSRC) identifiers             |
|                             ....                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

I won't reproduce the legend for all of the above - it's quite long - but take a look at Section 5.1.

With that in hand you'll see there's not a lot you can do to determine if a packet contains RTP/RTCP. Best of all would be to sniff, as other posters have suggested, the media stream negotiation. Second best would be some sort of pattern matching over a sequence of packets: the first two bits will be 10, followed by the next two bits being constant, followed by bits 9 through 15 being constant, then 16 -> 31 incrementing, and so on.

Neilneila answered 11/7, 2010 at 8:4 Comment(1)
Thanks Frank. As it turns out, checking the bytes in the RTP header and checking for basically the version and payload type are enough to determine if it's an RTP packet. At least so far I haven't found any other packets on the network that have the same first few bits. Looking for that and then the SSRC was enough to figure out which packets were RTP. But, I changed jobs and don't have to worry about the rest of this problem, so you get the checkmark! - Reportorial
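The pattern matching described in the answer above, as an added example that is not part of the original posts: a per-packet header check followed by a per-flow check that SSRC and payload type stay constant while the sequence number advances. The function names, flow keys, `MAX_GAP` and `min_run` are assumptions made for this sketch; the RTCP packet types 200 to 204 are the ones RFC 3550 defines.

```python
import struct

RTCP_TYPES = range(200, 205)   # SR, RR, SDES, BYE, APP (RFC 3550)
MAX_GAP = 16                   # assumed tolerance for packets lost between samples

def classify(payload):
    """Classify one UDP payload: ('rtcp', None), ('rtp', fields) or (None, None)."""
    if len(payload) < 8 or payload[0] >> 6 != 2:       # first two bits must be 10
        return None, None
    if payload[1] in RTCP_TYPES:
        off = 0                                        # walk the compound packet
        while off + 4 <= len(payload):
            if payload[off] >> 6 != 2 or payload[off + 1] not in RTCP_TYPES:
                return None, None
            # the length field is the packet size in 32-bit words minus one
            off += (struct.unpack_from("!H", payload, off + 2)[0] + 1) * 4
        return ("rtcp", None) if off == len(payload) else (None, None)
    hdr = 12 + 4 * (payload[0] & 0x0F)                 # fixed header + CSRC list
    if len(payload) < hdr:
        return None, None
    seq, _ts, ssrc = struct.unpack_from("!HII", payload, 2)
    return "rtp", {"pt": payload[1] & 0x7F, "seq": seq, "ssrc": ssrc}

def rtp_flows(packets, min_run=3):
    """Return flow keys with min_run consecutive payloads sharing SSRC and
    payload type while the sequence number advances (mod 2**16)."""
    last, run, hits = {}, {}, set()
    for key, payload in packets:
        kind, cur = classify(payload)
        prev = last.get(key)
        steady = (kind == "rtp" and prev is not None
                  and (prev["ssrc"], prev["pt"]) == (cur["ssrc"], cur["pt"])
                  and 0 < (cur["seq"] - prev["seq"]) & 0xFFFF <= MAX_GAP)
        run[key] = run.get(key, 0) + 1 if steady else int(kind == "rtp")
        last[key] = cur
        if run[key] >= min_run:
            hits.add(key)
    return hits

def rtp(seq, ssrc=0x1234ABCD, pt=0):   # constructed sample packet, 160-byte payload
    return struct.pack("!BBHII", 0x80, pt, seq, seq * 160 & 0xFFFFFFFF, ssrc) + bytes(160)

# Constructed capture of (flow key, UDP payload); sequence numbers wrap 65535 -> 0.
SAMPLE = [("10.0.0.5:5004", rtp(s & 0xFFFF)) for s in range(65534, 65538)]
SAMPLE += [("10.0.0.5:5005", struct.pack("!BBHI", 0x80, 201, 1, 0x1234ABCD)
            + struct.pack("!BBH", 0x80, 202, 0))]      # RTCP RR + empty SDES
# DNS-like payloads whose IDs happen to start with bits 10; flags sit where seq would be
SAMPLE += [("10.0.0.9:53", bytes([0x80 + i, 0x12 * i, 1, 0]) + bytes(24)) for i in range(4)]
```

Each DNS-like payload passes the single-packet check, which is why the per-flow run is needed before treating a stream as RTP.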
2

I would look at the packet detectors in Wireshark, which can decode most common protocols available.

Squatness answered 26/5, 2010 at 19:40 Comment(3)
I appreciate the effort theatrus, but it doesn't really answer my question. I'm really more interested in the theoretical knowledge of the packet structure so I can understand how to go about solving the problem. How does one determine a UDP packet is actually an RTP or RTCP packet? I can't find anything in the UDP header that helps with this. - Reportorial
Nothing in the UDP header will tell you apart from the port number. You need to perform pattern matching on the packet data. - Squatness
I think I am beginning to figure out there is a lot more to this puzzle than meets the eye. We're trying to detect traffic from the H.323 protocol, and what I'm reading is that it uses a bevy of TCP ports as well to set up the communication before the RTP traffic even starts. So far I am having little luck in finding good info about how to go about capturing this traffic though. - Reportorial
1

If communications are done over RTSP, take a look at the UDP port that is negotiated upon SETUP.

The UDP port will tell you if it is RTP or RTCP (also worth noting that RTP is usually done over even port numbers and RTCP on odd).

Finally, if you are communicating via RTSP you can take the list of payload numbers from the SDP file from the DESCRIBE and then check the payload type in the RTP header to tell the codec you need to decode the payload.

Westfalen answered 12/1, 2015 at 11:52 Comment(0)
0

I believe you need to look at the SIP packets that come before the RTP packets.

There is a discussion on this issue on the Pcap.Net site.

Aspidistra answered 28/5, 2010 at 21:14 Comment(1)
Thanks brickner. We're looking at H.323 traffic instead of SIP, so that changes things a bit. It's looking rather complicated at this point. - Reportorial
