Hi,
Dissection of UDP packets are based on Port number, heuristics or
conversation.
First it is checked if I conversation is set up for the packet with a
predetermined dissector.
If the control signalling for this RTP session was in the trace and seting
up conversation is implemented for the
Control protocol ( SIP, H323 RTSP
) the UDP packets would have been
dissected as RTP.
Secondly ( if preferences isnt set differently) the packet is dissected by
the dissector registered for one of the ports used
The WCCP port is 2048 so if that port is used for your RTP session thats
why it gets dissected as WCCP.
As a third option dissectors registered as heuristics is tried meaning that
a portion of the packet is checked to see
If it could be the protocol in question. Preferences can be set in RTP to
try heuristics but as there is no good
Way to determine if its an RTP packet or not it may pick up more UDP
packets than wanted.
BR
Anders
________________________________________
Från: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] För Chet Seligman
Skickat: den 5 januari 2007 04:04
Till: wireshark-users@xxxxxxxxxxxxx
Ämne: [Wireshark-users] RTP decoded as WCCP (malformed packet)
When I tell WS
to decode as RTP it does so correctly, displaying 214byte normal G.711
packets.
These can be turned into understandable audio.
Can anyone explain why the original protocol decode is WCCP with a very
large packet length listed?
