How to determine if a packet is RTP/RTCP?

May 27, 2010 at 5:42 PM

I am working on a project where I need to capture RTP/RTCP traffic and essentially save the voice as .WAV.

I have been trying to use SharpPcap and Pcap.Net. I can filter for UDP packets, but then I am lost. I have no idea what to do next. I assume I need to do something with the UDP payload, but what? I've looked at the RTP spec and the UDP spec but I still can't figure out how you tell that a UDP packet is either RTP or RTCP.

Any clues? I can't even find a reference via Google for how to do this. Wireshark can determine if a packet is RTP, but I have no idea how it does that and digging through the source code has not revealed anything to me yet.




May 28, 2010 at 12:05 PM

If you can give me cap files it would be easier to guess.

I believe that Wireshark identifies RTP packets by looking at SIP packets (port 5060 for example) and seeing in these packets media descriptions that include the media port and addresses. After we know the port and addresses we can figure that the packets that come after the SIP in these ports and addresses are the RTP packets.

I'm not sure about RTCP, but I believe this is similar. Again, cap file examples would be helpful to answer that.


I hope this helps.



Jun 1, 2010 at 5:46 PM

Hm, not entirely helpful. We're using H.323, not SIP.

There has to be a way to identify the packet. Else why do these "standards" that describe these protocols even exist?

Jun 1, 2010 at 6:39 PM

I have to see examples of pcap files that Wireshark identifies.

I believe it identifies the packets using packets of different protocols that define the ports to use or other parameters.

This is similar to file transfer protocols that negotiate on opening a connection on one protocol and then open the connection that cannot be identified without seeing the negotiation.

Jul 7, 2010 at 2:41 PM

Wireshark identifies RTP packets via two methods:

1) Parses out the SDP info inside of SIP packets and then tracks the associated IP/port pair as RTP traffic.
2) Compares the first few bytes of every UDP packet to the known signature of an RTP packet, and if it's close enough, treats it as RTP.
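
The second method in the post above (checking the first bytes of each UDP payload), as an added example that is not part of the original thread and is not Wireshark's code. The header checks follow the RTP/RTCP layout in RFC 3550; the function names, the constructed sample packets and the three-packet confirmation threshold are assumptions, and Python is used only to show the byte-level logic that would be applied to the UDP payload handed over by the capture library.

```python
import struct

RTCP_TYPES = range(200, 205)  # SR, RR, SDES, BYE, APP (RFC 3550)

def classify(payload: bytes) -> str:
    """Header-only guess for one UDP payload: 'rtp', 'rtcp' or 'other'."""
    if len(payload) < 8 or payload[0] >> 6 != 2:      # version field must be 2
        return "other"
    if payload[1] in RTCP_TYPES:
        # RTCP length field counts 32-bit words minus one and must fit the datagram.
        (words,) = struct.unpack_from("!H", payload, 2)
        return "rtcp" if (words + 1) * 4 <= len(payload) else "other"
    if len(payload) < 12:                             # fixed RTP header is 12 bytes
        return "other"
    header_len = 12 + 4 * (payload[0] & 0x0F)         # plus CSRC list
    if payload[0] & 0x10:                             # extension header present
        if len(payload) < header_len + 4:
            return "other"
        (ext_words,) = struct.unpack_from("!H", payload, header_len + 2)
        header_len += 4 + 4 * ext_words
    if header_len > len(payload):
        return "other"
    if payload[0] & 0x20 and not 0 < payload[-1] <= len(payload) - header_len:
        return "other"                                # padding count is impossible
    return "rtp"

def confirmed_flows(packets, needed=3):
    """Flows with `needed` consecutive RTP-looking packets: same SSRC, seq + 1."""
    state, confirmed = {}, set()
    for flow, payload in packets:
        if classify(payload) != "rtp":
            state.pop(flow, None)
            continue
        seq, _timestamp, ssrc = struct.unpack_from("!HII", payload, 2)
        last = state.get(flow)
        in_order = last and last[0] == ssrc and seq == (last[1] + 1) & 0xFFFF
        state[flow] = (ssrc, seq, last[2] + 1 if in_order else 1)
        if state[flow][2] >= needed:
            confirmed.add(flow)
    return confirmed

# Constructed sample data (not from a real capture).
def make_rtp(seq, ssrc=0x1234ABCD):
    return struct.pack("!BBHII", 0x80, 0, seq, seq * 160, ssrc) + bytes(160)

RTCP_RR = struct.pack("!BBHI", 0x80, 201, 1, 0x1234ABCD)   # empty receiver report
NOISE = [bytes([0x80, 0x11]) + bytes([i * 37 % 256] * 20) for i in range(1, 5)]
SAMPLE = [("voice", make_rtp(s)) for s in (65534, 65535, 0, 1)] + \
         [("other-app", p) for p in NOISE]
```

The `NOISE` payloads pass the single-packet header check, so it is the per-flow SSRC and sequence-number check that separates a real stream from unrelated UDP traffic that happens to start with the right bits.
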
Jul 7, 2010 at 3:48 PM

Thanks wolfson292, I believe the best thing would be to give an example of a .cap/.pcap file with sample packets so I can see what exactly is needed.

Boaz.