The tool for playing VoIP calls is called RTP Player. It shows RTP streams and its waveforms, allows play stream and export it as audio or payload to file. Its capabilities depends on supported codecs.
RTP Player is able to play any codec supported by an installed plugins. The codecs supported by RTP Player depend on the version of Wireshark you’re using. The official builds contain all of the plugins maintained by the Wireshark developers, but custom/distribution builds might not include some of those codecs. To check your Wireshark follow this procedure:
Wireshark can be used for RTP stream analysis. User can select one or more streams which can be played later. RTP Player window maintains playlist (list of RTP streams) for this purpose.
Playlist is created empty when RTP Player window is opened and destroyed when window is closed. RTP Player window can be opened on background when not needed and put to front later. During its live, playlist is maintained.
When RTP Player window is opened, playlist can be modified from other tools (Wireshark windows) in three ways:
button can be clicked directly and opens RTP Player window directly with action. All actions are selectable by small down arrow next to button.
When playlist is empty, there is no difference betweenand . When RTP Player window is not opened, all three actions above open it.
is useful e. g. in case user selected all RTP streams and wants to remove RTP streams from specific calls found with .
Tools below can be used to maintain content of playlist, they containbutton. You can use one of procedures (Note: action is demonstrated):
Select any RTP packet in packet list, open→ → window. It will show analysis of selected forward stream and its reverse stream (if is pressed during window opening). Then press . Forward and reverse stream is added to playlist.
Same approach with set/add/remove actions is used for RTP Stream Analysis window. The playlist is there handled as different tabs in the window, see RTP Stream Analysis window.
Decoding RTP payload and showing waveforms is time consuming task. To speedup it RTP Player window uses copy of packet payload for all streams in the playlist. During live capture the dialog is not refreshed automatically as other Wireshark dialogs, but user must initiate it.
The copy is created or refreshed and dialog updated:
When capture file is opened (no live capturing), streams are read complete, no user action is required. Buttonis disabled as it is useless.
When live capture is running, streams are read only till "now" and are shown. When stream is continuous and user would like to see additional part, they must press. When the user ends live capture, view is refreshed and button is disabled.
RTP Player dialog stays open even live capture is stopped and then started again. Play list stays unchanged. Thereforetries to read same streams as before and shows them if they are still running. Past part of them (from previous live capture) is lost.
RTP is carried usually in UDP packets, on random source and destination port. Therefore without "help" Wireshark can’t recognize it and shows just UDP packets. Wireshark recognizes RTP streams based on VoIP signaling, e. g. based on SDP message in SIP signaling. When signaling is not captured, Wireshark shows just UDP packets. There are multiple settings which helps Wireshark to recognize RTP even there is no related signaling.
You can use Decode As… function from → menu or in mouse context menu. Here you can set that traffic on specific source or destination should be decoded as RTP. You can save settings for later use.
Use ofmenu works fine, but for many streams it is arduous.
You can enable heuristic dissector Section 11.4, “Control Protocol dissection” for details. Once is enabled, Wireshark tries every UDP packet to decode as RTP. If decoding is possible, packet (and entire UDP stream) is decoded as RTP.in → . See
When RTP stream uses well know port, heuristic dissector ignores it. So you might miss some RTP streams. You can enable setting for udp protocol Section 11.5, “Preferences”. In this case heuristics dissector tries to decode UDP packet even it uses well known.→ → → , see
Take into account that heuristics is just simple "test" whether packet can be read as RTP. It can be false positive and you can see decoded as RTP more UDP packets than expected.
When you enable→ , it increases possibility of false positives. If you capture all traffic in network, false positives rate can be quite high.
RTP Player must store decoded data somewhere to be able to play it. When data are decoded, there are audio samples and dictionary for fast navigation. Both types of data are stored in memory for default, but you can configure Wireshark to store it on disk. There are two settings:
When any data are configured to be stored on disk, one file is created for each stream. Therefore there might be up to two files for one RTP stream (audio samples and dictionary). If your OS or user has OS enforced limit for count of opened files (most of Unix/Linux systems), you can see fewer streams that was added to playlist. Warnings are printed on console in this case and you will see fewer streams in the playlist than you send to it from other tools.
For common use you can use default settings - store everything in memory. When you will be out of memory, switch ui.rtp_player_use_disk1 to TRUE first - it saves much more memory than ui.rtp_player_use_disk2.
Processing of RTP and decoding RTP voice takes resources. There are raw estimates you can use as guidelines…
RTP Streams window can show as many streams as found in the capture. Its performance is limited just by memory and CPU.
RTP Player can handle 1000+ streams, but take into account that waveforms are very small and difficult to recognize in this case.
RTP Player plays audio by OS sound system and OS is responsible for mixing audio when multiple streams are played. In many cases OS sound system has limited count of mixed streams it can play/mix. RTP Player tries to handle playback failures and show warning. If it happens, just mute some streams and start playback again.
RTP Analysis window can handle 1000+ streams, but it is difficult to use it with so many streams - it is difficult to navigate between them. It is expected that RTP Analysis window will be used for analysis of lower tens of streams.