Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] RTCP Frame length check: Wrong

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 10 Apr 2009 11:56:56 -0700
(This is actually a wireshark-users question, not a wireshark-dev question; I'm redirecting this to wireshark-users.)

On Apr 9, 2009, at 3:09 AM, shivani matta wrote:

one option is to type RTCP in filter and it will show the packet.


No, it doesn't - not in my version of Wireshark, not even if you turn on "try to decode RTCP outside of conversations" in the RTCP protocol preferences.

else , its upd packet going from 192.168.253.53 to 192.168.1.194
SrcPort 47894 destport 47891


Packet 63 in the capture you sent, which only dissect as RTCP in my version of Wireshark if you explicitly use "Decode As" - even the heuristics aren't recognizing it as RTCP.

The problem appears to be a bug in the RTCP dissector - for padded packets, it's counting the padding bytes, but not the padding count byte, as part of the packet, so it thinks there's one byte missing. I'll look at fixing the bug.