9.11. RTP

9.11.1. RTP Streams Window

The RTP streams window shows all RTP streams in capture file. Streams can be selected there and on selected streams other tools can be initiated.

Figure 9.8. The “RTP Streams” window

ws tel rtp streams

User can use shortcuts:

  • Selection

    • Ctrl+A - Select all streams
    • Ctrl+I - Invert selection
    • Ctrl+Shift+A - Select none
    • Note: Common Mouse click, Shift+Mouse click and Ctrl+Mouse click works too
  • Find Reverse

    • R - Try search for reverse streams related to already selected streams. If found, selects them in the list too.
    • Shift+R - Select all pair streams (forward/reverse relation).
    • Ctrl+R - Select all single streams (no reverse stream does exist).
  • G - Go to packet of stream under the mouse cursor.
  • M - Mark all packets of selected streams.
  • P - Prepare filter matching selected streams and apply it.
  • E - Export selected streams in RTPDump format.
  • A - Open RTP Stream Analysis window and add selected streams to it.

Available controls are:

  • Find Reverse

    • Find Reverse search for reverse stream of every selected stream. If found, selects it in the list too.
    • Find All Pairs select all streams which have forward/reverse relation.
    • Find Only Single select all streams which are single - have no reverse stream.
  • Analyze opens RTP Stream Analysis window. Actions Set, Add and Remove are available.
  • Prepare Filter prepares filter matching selected streams and apply it.
  • Play Streams opens RTP Player window. Actions Set, Add and Remove are available.
  • Copy copies information from table to clipboard in CSV or YAML.
  • Export exports selected streams in RTPDump format.

9.11.2. RTP Stream Analysis Window

The RTP analysis function takes the selected RTP streams and generates a list of statistics on it including graph.

Menu TelephonyRTPRTP Stream Analysis is enabled only when selected packed is RTP packet. When window is opened, selected RTP stream is added to analysis. If Ctrl is pressed during menu opening, reverse RTP stream (if exists) is added to the window too.

Every stream is shown on own tab. Tabs are numbered as streams are added and its tooltip shows identification of the stream. When tab is closed, number is not reused. Color of tab matches color of graphs on graph tab.

Figure 9.9. The “RTP Stream Analysis” window

ws tel rtpstream analysis 1

Figure 9.10. Error indicated in “RTP Stream Analysis” window

ws tel rtpstream analysis 3

Per packet statistic shows:

  • Packet number
  • Sequence number
  • Delta (ms) to last packet
  • Jitter (ms)
  • Skew
  • Bandwidth
  • Marker - packet is marked in RTP header
  • Status - information related to the packet. E. g. change of codec, DTMF number, warning about incorrect sequence number.

Side panel left to packet list shows stream statistics:

  • Maximal delta and at which packet it occurred
  • Maximal jitter
  • Mean jitter
  • Maximal skew
  • Count of packets
  • Count of lost packets - calculated from sequence numbers
  • When the stream starts and first packet number
  • Duration of the stream
  • Clock drift
  • Frequency drift
[Note]Note

Some statistic columns are calculated only when Wireshark is able to decode codec of RTP stream.

Available shortcuts are:

  • G - Go to selected packet of stream in packet list
  • N - Move to next problem packet

Available controls are:

  • Prepare Filter

    • Current Tab prepares filter matching current tab and applies it.
    • All Tabs prepares filter matching all tabs and applies it.
  • Play Streams opens RTP Player window. Actions Set, Add and Remove are available.
  • Export allows export current stream or all streams as CSV or export graph as image in multiple different formats (PDF, PNG, BMP and JPEG).

Figure 9.11. Graph in “RTP Stream Analysis” window

ws tel rtpstream analysis 2

Graph view shows graph of:

  • jitter
  • difference - absolute value of difference between expected and real time of packet arrival
  • delta - time difference from reception of previous packet

for every stream. Checkboxes below graph are enabling or disabling showing of a graph for every stream. Stream X checkbox enables or disables all graphs for the stream.

[Note]Note

Stream Analysis window contained tool for save audio and payload for analyzed streams. This tool was moved in Wireshark 3.5.0 to RTP Player window. New tool has more features.

9.11.3. RTP Player Window

The RTP Player function is tool for playing VoIP calls. It shows RTP streams and its waveforms, allows play stream and export it as audio or payload to file. See related concepts in Section 9.2, “Playing VoIP Calls”.

Menu TelephonyRTPRTP Player is enabled only when selected packed is RTP packet. When window is opened, selected RTP stream is added to playlist. If Ctrl is pressed during menu opening, reverse RTP stream (if exists) is added to the playlist too.

Figure 9.12. RTP Player window

ws tel rtp player 1

RTP Player Window consists of three parts:

  1. Waveform view
  2. Playlist
  3. Controls

Waveform view shows visual presentation of RTP stream. Color of waveform and playlist row are matching. Height of wave shows volume.

Waveform shows error marks for Out of Sequence, Jitter Drops, Wrong Timestamps and Inserted Silence marks if it happens in a stream.

Figure 9.13. Waveform with error marks

ws tel rtp player 3

Playlist shows information about every stream:

  • Play - Audio routing
  • Source Address, Source Port, Destination Address, Destination Port, SSRC
  • Setup Frame

    • SETUP <number> is shown, when there is known signaling packet. Number is packet number of signaling packet. Note: Word SETUP is shown even RTP stream was initiated e. g. by SKINNY where no SETUP message exists.
    • RTP <number> is shown, when no related signaling was found. Number is packet number of first packet of the stream.
  • Packets - Count of packets in the stream.
  • Time Span - Start - Stop (Duration) of the stream
  • SR - Sample rate of used codec
  • PR - Decoded play rate used for stream playing
  • Payloads - One or more playload types used by the stream
[Note]Note

When rtp_udp is active, most of streams shows just RTP <number> even there is setup frame in capture.

When RTP stream contains multiple codecs, SR and PR is based on first observed coded. Later codecs in stream are resampled to first one.

Controls allow a user to:

  • Start/Pause/Stop playing of unmuted streams
  • >> enabling/disabling silence skipping

    • Min silence - Minimal duration of silence to skip in seconds. Shorter silence is played as it is.
  • Select Output audio device and Output audio rate
  • Select Playback Timing

    • Jitter Buffer - Packets outside Jitter Buffer size are discarded during decoding
    • RTP Timestamp - Packets are ordered and played by its Timestamp, no Jitter Buffer is used
    • Uninterrupted Mode - All gaps (e. g. Comfort Noise, lost packets) are discarded therefore audio is shorted than timespan
  • Time of Day selects whether waveform timescale is shown in seconds from start of capture or in absolute time of received packets
  • Refresh streams refreshes streams during live capture (see Section 9.2.3, “Playing audio during live capture”). Button is disabled when no live capture is running.
  • Inaudible streams

    • Select select all inaudible streams (streams with zero play rate)
    • Deselect deselect all inaudible streams (streams with zero play rate)
  • Analyze open RTP Stream Analysis window. Actions Set, Add and Remove are available.
  • Prepare Filter prepare filter matching selected streams and apply it.
  • Export - See Section 9.11.3.1, “Export”.
[Note]Note

RTP Player detects silence just by missing voice samples (Comfort Noise, interrupted RTP, missing RTP, …​) or when some streams are muted.

Figure 9.14. RTP stream state indication

ws tel rtp player 2

Waveform view and playlist shows state of a RTP stream:

  1. stream is muted (dashed waveform, Muted is shown in Play column) or unmuted (non-dashed waveform, audio routing is shown in Play column)
  2. stream is selected (blue waveform, blue row)
  3. stream is below mouse cursor (bold waveform, bold font)

User can control to where audio of a stream is routed to:

  • L - Left channel
  • L+R - Left and Right (Middle) channel
  • R - Left channel
  • P - Play (when mono soundcard is available only)
  • M - Muted

Audio routing can be changed by double clicking on first column of a row, by shortcut or by menu.

User can use shortcuts:

  • Selection

    • Ctrl+A - Select all streams
    • Ctrl+I - Invert selection
    • Ctrl+Shift+A - Select none
    • Note: Common Mouse click, Shift+Mouse click and Ctrl+Mouse click works too
  • Go to packet

    • G - Go to packet of stream under the mouse cursor
    • Shift+G - Go to setup packet of stream under the mouse cursor
  • Audio routing

    • M - Mute all selected streams
    • Shift+M - Unmute all selected streams
    • Ctrl+M - Invert muting of all selected streams
  • P - Play audio
  • S - Stop playing
  • Del or Ctrl+X - Remove all selected streams from playlist
  • Inaudible steams

    • N - Select all inaudible streams
    • Shift+N - Deselect all inaudible streams

9.11.3.1. Export

[Note]Note

Export was moved from RTP Stream Analysis window to RTP Player window in 3.5.0.

Wireshark is able to export decoded audio in .au or .wav file format. Prior to version 3.2.0, Wireshark only supported exporting audio using the G.711 codec. From 3.2.0 it supports audio export using any codec with 8000 Hz sampling. From 3.5.0 is supported export of any codec, rate is defined by Output Audio Rate.

Export options available:

  • for one or more selected non-muted streams

    • From cursor - Streams are saved from play start cursor. If some streams are shorter, they are removed from the list before save and count of saved streams is lower than count of selected streams.
    • Stream Synchronized Audio - File starts at the begin of earliest stream in export, therefore there is no silence at beginning of exported file.
    • File Synchronized Audio - Streams starts at beginning of file, therefore silence can be at start of file.
  • for just one selected stream

    • Payload - just payload with no information about coded is stored in the file

Audio is exported as multi-channel file - one channel per RTP stream. One or two channels are equal to mono or stereo, but Wireshark can export e.g. 100 channels. For playing a tool with multi-channel support must be used (e.g. https://www.audacityteam.org/).

Export of payload function is useful for codecs not supported by Wireshark.

[Note]Note

Default value of Output Audio Rate is Automatic. When multiple codecs with different codec rates are captured, Wireshark decodes each stream with its own play audio rate. Therefore each stream can has different play audio rate. When export of audio is used in this case, it will fail because .au or .wav requires one common play audio rate.

In this case user must manually select one of rates in Output Audio Rate, streams will be resampled and audio export succeeds.