Zoolander06
Frequent Visitor
Topic Author
Posts: 53
Joined: Thu Jan 03, 2019 5:26 pm

Packet sniffer : how to stream RTP packets ?

Fri Mar 13, 2020 4:22 pm

Hello,

I have to do some SIP debugging, and since the resulting file could be huge, I want to stream it to a server with Wireshark.
No problem with that, everything works nicely, but, there is a but!
In Wireshark, I can see my SIP packets, but not the associated RTP packets, and I need them for proper debugging.
Does someone know how to fix that?

Joris
 
jvanhambelgium
Member Candidate
Posts: 293
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Packet sniffer : how to stream RTP packets ?

Fri Mar 13, 2020 4:51 pm

In Wireshark (as of 2.0) -> Go to Analyze -> Enabled Protocols -> RTP and activate the rtp_udp checkbox

Give that a try.
 
tippenring
Member Candidate
Posts: 243
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO
Contact:

Re: Packet sniffer : how to stream RTP packets ?

Fri Mar 13, 2020 5:14 pm

RTP decode is enabled by default in Wireshark.

Are you filtering out the RTP sessions so the RTP packets are not in the capture? RTP ports are negotiated in the SIP session. Sometimes the same ports are negotiated each time, and sometimes the ports are random. It depends upon how the hosts are designed and configured.

I don't have a SIP/RTP session capture handy to reference, so I'm going from memory here: If you don't have the SIP packets, then I don't believe Wireshark will automatically detect the RTP sessions. In that case, you would have to manually set Wireshark to decode the RTP session.

I recommend capturing the SIP and RTP packets so Wireshark can do its thing. It is much easier.

If the RTP ports aren't easily predictable, I would configure Wireshark to write the packets to a file and then stream all traffic to Wireshark. In the screenshot example, this would configure Wireshark to start a new capture every 100k packets. This prevents the capture files from getting too large to manage. You can then open each file, filter out the traffic you don't want, save to a file again, then use mergecap.exe to merge the desired traffic into a single file for further analysis.
TECH5_2020_03_13_100952.jpg
 
Zoolander06
Frequent Visitor
Topic Author
Posts: 53
Joined: Thu Jan 03, 2019 5:26 pm

Re: Packet sniffer : how to stream RTP packets ?

Sat Mar 14, 2020 6:57 pm

Hello,

Thanks for answering my topic :)

Actually, I do capture everything going out of my IPBX, and send it to a file.
But the issue is not there: if I do the same packet capture directly to a file in the MikroTik router, it works nicely, I have both SIP and RTP packets.
But when I stream to Wireshark, there is everything but RTP; it seems like the router doesn't stream them, which is weird...

Joris
 
jvanhambelgium
Member Candidate
Posts: 293
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Packet sniffer : how to stream RTP packets ?

Sat Mar 14, 2020 7:39 pm

> Hello,
>
> Thanks for answering my topic :)
>
> Actually, I do capture everything going out of my IPBX, and send it to a file.
> But the issue is not there: if I do the same packet capture directly to a file in the MikroTik router, it works nicely, I have both SIP and RTP packets.
> But when I stream to Wireshark, there is everything but RTP; it seems like the router doesn't stream them, which is weird...
>
> Joris

Did you cross-check with, for example, a tool like tcpdump, just to see that it is not a Wireshark problem? Because if it turns out that your MikroTik is not even egressing RTP, then you might open a ticket/report a bug on this.
On the sniffer config part on MikroTik, do you already apply a filter of some sort? Or simply take all traffic from interface X and stream it further down to Wireshark?
 
Zoolander06
Frequent Visitor
Topic Author
Posts: 53
Joined: Thu Jan 03, 2019 5:26 pm

Re: Packet sniffer : how to stream RTP packets ?

Mon Mar 16, 2020 10:27 am

Hello,

I just filter IP addresses, but no filter on protocol or port.
I will check with tcpdump, that's a good idea :)

Thanks,

Joris
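
The cross-check suggested in this thread (is RTP missing from the router's stream, or only from Wireshark's decode?) can be done on the raw stream itself. The following is an added example, not code from any of the posters or from MikroTik. It assumes the sniffer stream arrives as TZSP-encapsulated UDP (RouterOS sends it to port 37008); the function names are hypothetical and the sample datagrams are constructed.

```python
import struct
from collections import Counter

def strip_tzsp(datagram):
    """Return the Ethernet frame carried inside one TZSP datagram."""
    version, _kind, proto = struct.unpack("!BBH", datagram[:4])
    if version != 1 or proto != 1:              # encapsulated proto 1 = Ethernet
        raise ValueError("not a TZSP/Ethernet datagram")
    i = 4
    while i + 1 < len(datagram):                # walk the tagged fields
        tag = datagram[i]
        if tag == 1:                            # TAG_END: the frame follows
            return datagram[i + 1:]
        # TAG_PADDING (0) is a single byte; other tags carry a length byte
        i += 1 if tag == 0 else 2 + datagram[i + 1]
    raise ValueError("truncated TZSP datagram")

def classify(frame):
    """Label an inner frame 'sip', 'rtp' or 'other' without Wireshark."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return "other"                          # only IPv4/UDP is examined
    payload = frame[14 + (frame[14] & 0x0F) * 4 + 8:]
    first = payload.split(b"\r\n", 1)[0]
    if first.startswith(b"SIP/2.0 ") or first.endswith(b" SIP/2.0"):
        return "sip"
    # Heuristic only: RTP version bits are 2 and the fixed header is 12 bytes
    if len(payload) >= 12 and payload[0] >> 6 == 2:
        return "rtp"
    return "other"

def summarize(datagrams):
    """Count inner packet classes across received TZSP datagrams."""
    return Counter(classify(strip_tzsp(d)) for d in datagrams)

def _sample(payload, port):
    """Constructed datagram: TZSP + Ethernet + IPv4 + UDP around payload."""
    udp = struct.pack("!HHHH", port, port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return b"\x01\x00\x00\x01\x01" + bytes(12) + b"\x08\x00" + ip + udp

SAMPLES = [  # constructed traffic, not taken from the thread
    _sample(b"INVITE sip:100@192.0.2.20 SIP/2.0\r\n\r\n", 5060),
    _sample(b"SIP/2.0 200 OK\r\n\r\n", 5060),
    _sample(struct.pack("!BBHII", 0x80, 0, 1, 160, 0x1234) + bytes(160), 16384),
    _sample(b"\x00\x01hello", 53),
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLES)))
```

A zero `rtp` count on datagrams read from a UDP socket bound to the streaming port points at the router's stream rather than at Wireshark's dissector settings; the RTP test is a heuristic and also matches RTCP.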
