The tool for playing VoIP calls is called RTP Player. It shows RTP streams and its waveforms, allows play stream and export it as audio or payload to file. Its capabilities depend on supported codecs.
RTP Player is able to play any codec supported by an installed plugin. The codecs supported by RTP Player depend on the version of Wireshark you’re using. The official builds contain all of the plugins maintained by the Wireshark developers, but custom/distribution builds might not include some of those codecs. To check your Wireshark installation’s installed codec plugins, do the following:
- Open → window
- Select the tab
- In the menu on the top-right, select codec
Wireshark can be used for RTP stream analysis. User can select one or more streams which can be played later. RTP Player window maintains playlist (list of RTP streams) for this purpose.
Playlist is created empty when RTP Player window is opened and destroyed when window is closed. RTP Player window can be opened on background when not needed and put to front later. During its live, playlist is maintained.
When RTP Player window is opened, playlist can be modified from other tools (Wireshark windows) in three ways:
- button → clears existing playlist and adds streams selected in the tool.
- button → adds streams selected in the tool to playlist. Duplicated streams are not inserted again.
- button → removes streams selected in the tool from playlist, if they are in the playlist.
button can be clicked directly and opens RTP Player window directly with action. All actions can be selected with the small down arrow next to the button.
When the playlist is empty, there is no difference between and . When the RTP Player window is not opened, all three actions above open it.
is useful e.g. in case user selected all RTP streams and wants to remove RTP streams from specific calls found with .
Tools below can be used to maintain content of playlist, they contain button. You can use one of procedures (Note: action is demonstrated):
- Open → → window, it will show all streams in the capture. Select one or more streams and then press . Selected streams are added to playlist.
-
Select any RTP packet in packet list, open → → window. It will show analysis of selected forward stream and its reverse stream (if is pressed during window opening). Then press . Forward and reverse stream is added to playlist.
- window can be opened from other tools too.
- Open → or → window, it will show all calls. Select one or more calls and then press . It will add all RTP streams related to selected calls to playlist.
- Open window in → or → window, it will show flow sequence of calls. Select any RTP stream and then press . It will add selected RTP stream to playlist.
![[Note]](images/note.svg) | Note |
|---|---|
|
Same approach with set/add/remove actions is used for RTP Stream Analysis window. The playlist is there handled as different tabs in the window, see RTP Stream Analysis window. |
Decoding RTP payload and showing waveforms is time consuming task. To speedup it RTP Player window uses copy of packet payload for all streams in the playlist. During live capture the dialog is not refreshed automatically as other Wireshark dialogs, but user must initiate it.
The copy is created or refreshed and dialog updated:
- Every time window is opened.
- Every time a new stream is added or set.
- During live capture, when is pressed.
- Every time live capture is finished/stopped by a user.
When capture file is opened (no live capturing), streams are read complete, no user action is required. Button is disabled as it is useless.
When live capture is running, streams are read only till "now" and are shown. When stream is continuous and user would like to see additional part, they must press . When the user ends live capture, view is refreshed and button is disabled.
| Note |
|---|---|
|
RTP Player dialog stays open even live capture is stopped and then started again. Play list stays unchanged. Therefore, tries to read same streams as before and shows them if they are still running. Past part of them (from previous live capture) is lost. |
RTP is carried usually in UDP packets with random source and destination ports. Therefore, Wireshark can only recognize RTP streams based on VoIP signaling, e.g., based on SDP messages in SIP signaling. If signaling is not captured, Wireshark shows just UDP packets. However, there are multiple settings which help Wireshark recognize RTP even when there is no related signaling.
You can use Decode As… function from → menu or in mouse context menu. Here you can set that traffic on specific source or destination should be decoded as RTP. You can save settings for later use.
Use of menu works fine, but is arduous for many streams.
You can enable heuristic dissector in → . See Section 11.4, “Control Protocol Dissection” for details. Once is enabled, Wireshark tries to decode every UDP packet as RTP. If decoding is possible, packet (and entire UDP stream) is decoded as RTP.
When an RTP stream uses a well-known port, the heuristic dissector ignores it. So you might miss some RTP streams. You can enable setting for udp protocol → → → , see Section 11.5, “Preferences”. In this case heuristics dissector tries to decode UDP packet even it uses a well-known port.
| Note |
|---|---|
|
Take into account that heuristics is just simple "test" whether packet can be read as RTP. It can be false positive and you can see decoded as RTP more UDP packets than expected. When you enable → , it increases possibility of false positives. If you capture all traffic in network, false positives rate can be quite high. |
RTP Player must store decoded data somewhere to be able to play it. When data are decoded, there are audio samples and dictionary for fast navigation. Both types of data are stored in memory for default, but you can configure Wireshark to store it on disk. There are two settings:
- ui.rtp_player_use_disk1 - When set to FALSE (default), audio samples are kept in memory. When set to TRUE, audio samples are stored on temporary file.
- ui.rtp_player_use_disk2 - When set to FALSE (default), dictionary is kept in memory. When set to TRUE, dictionary is stored on temporary file.
When any data are configured to be stored on disk, one file is created for each stream. Therefore, there might be up to two files for one RTP stream (audio samples and dictionary). If your OS or user has OS enforced limit for count of opened files (most of Unix/Linux systems), you can see fewer streams that was added to playlist. Warnings are printed on console in this case and you will see fewer streams in the playlist than you send to it from other tools.
For common use you can use default settings - store everything in memory. When you will be out of memory, switch ui.rtp_player_use_disk1 to TRUE first - it saves much more memory than ui.rtp_player_use_disk2.
Processing of RTP and decoding RTP voice takes resources. There are raw estimates you can use as guidelines…
RTP Streams window can show as many streams as found in the capture. Its performance is limited just by memory and CPU.
RTP Player can handle 1000+ streams, but take into account that waveforms are very small and difficult to recognize in this case.
RTP Player plays audio by OS sound system and OS is responsible for mixing audio when multiple streams are played. In many cases OS sound system has limited count of mixed streams it can play/mix. RTP Player tries to handle playback failures and show warning. If it happens, just mute some streams and start playback again.
RTP Analysis window can handle 1000+ streams, but it is difficult to use it with so many streams - it is difficult to navigate between them. It is expected that RTP Analysis window will be used for analysis of lower tens of streams.