We're now a non-profit! Support open source packet analysis by making a donation.

Wireshark-users: Re: [Wireshark-users] capturing msn web cam traffic with wireshark.

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 18 Apr 2007 19:03:52 -0700

On Apr 18, 2007, at 6:43 PM, Wonkyun*^^* Lee wrote:

but i cannot capture any of these things with msn messenger video
conversation, is it b/c it's encrypted?
all i see was just 'udp' protocol saying nothing..

That doesn't necessarily mean you can't *capture* them. It could just mean that Wireshark can't *dissect* them; it might have no dissector for whatever protocol MSN Messenger is using, or it might not recognize the traffic as being MSN Messenger video traffic.

According to this page:


the protocol it uses is RTP, for which Wireshark has a dissector. However, RTP doesn't have a standard port number, so Wireshark can't recognize RTP traffic based on the UDP port number; it would either have to be told that a particular session is RTP traffic, or look at the packet and try to guess whether it's RTP traffic or not.

To tell Wireshark that traffic to or from a particular port is RTP traffic, select one of the UDP packets by clicking on it, and then select "Dceode As..." from the "Analyze" menu. Tell it to dissect traffic to or from one of the given transport-layer ports as RTP.

To get it to try to guess whether traffic is RTP traffic or not, select "Preferences" from the "Edit" menu, open up the "Protocols" list, select "RTP" from the list, turn on the "Try to decode RTP outside of conversations" option, and click "OK".

That doesn't guarantee that it'll recognize the codec, however.

I also tryed with SKYPE, but i know that it uses their own codec, so there
is no way to capture video frames, and analyze them.

It's possible to capture those frames with Wireshark (or TShark, or tcpdump/WinDump, or...). It's not possible to *analyze* them in Wireshark or TShark without a dissector being written for the protocol it uses and for the codec it uses.