Wireshark-bugs: [Wireshark-bugs] [Bug 6306] Trying to save displayed RTP stream saves as UDP

Date: Sat, 3 Sep 2011 17:01:33 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6306

--- Comment #2 from Guy Harris <guy@xxxxxxxxxxxx> 2011-09-03 17:01:32 PDT ---
RTP packets usually *are* UDP packets.  Perhaps what you mean is that Wireshark
doesn't recognize the UDP packets as containing RTP.  Wireshark can identify
UDP packets as RTP in three ways:

    1) if setup traffic, such as SIP traffic, indicating that particular
endpoints will be used for RTP, is in the capture before the RTP traffic, the
dissector for the setup traffic will, well, set up Wireshark to dissect the
traffic in question as RTP;

    2) if you tell it to dissect traffic to or from particular UDP ports as RTP
with the "Decode As" menu item, Wireshark will do so;

    3) if you enable the "Try to decode RTP outside of conversations"
preference for RTP, Wireshark will use a heuristic to try to identify RTP
packets.

If you have a capture with SIP traffic that sets up later RTP traffic,
Wireshark will be able to identify the RTP traffic based on that.  If you save
a subset of the packets that contains only the RTP traffic, and don't have the
heuristic enabled, when Wireshark reads a capture file containing that subset
of the packets it will not identify the RTP traffic as RTP.

The heuristic is weak, and could mis-identify non-RTP traffic as RTP (it's not
clear that any strong heuristic exists), so it's not enabled by default.

There is nothing in any capture file format to support adding "this traffic is
RTP" indications to the file, so saving the RTP subset of the capture cannot
preserve Wireshark's identification of the traffic as RTP.  In theory,
extensible file formats such as pcap-ng could support such information, but
nothing has been defined to do that yet.

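An added example, not part of the original comment and not Wireshark's code, illustrating why a per-packet RTP heuristic is weak. It assumes a simplified check that tests only the RFC 3550 version field and minimum header length, and compares it with a hypothetical per-flow consistency check; all function names and sample packets are constructed for illustration.

```python
import random
import struct

RTP_MIN_HEADER = 12  # fixed RTP header length in bytes (RFC 3550)

def looks_like_rtp(payload: bytes) -> bool:
    """Assumed per-packet check: long enough, and version (top 2 bits) == 2."""
    return len(payload) >= RTP_MIN_HEADER and payload[0] >> 6 == 2

def parse_rtp(payload: bytes):
    """Return (payload_type, sequence, timestamp, ssrc) from the fixed header."""
    _, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:RTP_MIN_HEADER])
    return b1 & 0x7F, seq, ts, ssrc

def flow_looks_like_rtp(payloads) -> bool:
    """Hypothetical per-flow check: every packet passes the per-packet test,
    SSRC and payload type stay constant, sequence numbers step by 1 (mod 2^16)."""
    if len(payloads) < 2 or not all(looks_like_rtp(p) for p in payloads):
        return False
    fields = [parse_rtp(p) for p in payloads]
    pt0, seq0, _, ssrc0 = fields[0]
    return all(pt == pt0 and ssrc == ssrc0 and seq == (seq0 + i) & 0xFFFF
               for i, (pt, seq, _, ssrc) in enumerate(fields))

def make_rtp(seq, ts, ssrc=0x1234ABCD, pt=0):
    """Constructed sample RTP packet: V=2, no padding/extension/CSRC, 160-byte payload."""
    return struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, ts, ssrc) + bytes(160)

def random_payload(rng, n=64):
    """Constructed non-RTP UDP payload: n uniformly random bytes."""
    return bytes(rng.getrandbits(8) for _ in range(n))

def false_positive_rate(n=20000, seed=1):
    """Fraction of random payloads that the per-packet check accepts as RTP."""
    rng = random.Random(seed)
    return sum(looks_like_rtp(random_payload(rng)) for _ in range(n)) / n

def random_flows_accepted(n_flows=2000, seed=2):
    """Number of 5-packet random flows that the per-flow check accepts as RTP."""
    rng = random.Random(seed)
    return sum(flow_looks_like_rtp([random_payload(rng) for _ in range(5)])
               for _ in range(n_flows))

if __name__ == "__main__":
    stream = [make_rtp(65534 + i, 160 * i) for i in range(5)]  # sequence wraps
    print("constructed stream, per-packet:", all(map(looks_like_rtp, stream)))
    print("constructed stream, per-flow:  ", flow_looks_like_rtp(stream))
    print("random payloads accepted per-packet:", false_positive_rate())
    print("random flows accepted per-flow:", random_flows_accepted())
```

Roughly a quarter of random payloads carry the bit pattern the per-packet check looks for. The per-flow check needs several packets of state and is still only a heuristic, since it relies on fields that other protocols could happen to mimic.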