Wireshark-users: Re: [Wireshark-users] capturing msn web cam traffic with wireshark.
From: Guy Harris <[email protected]>
Date: Wed, 18 Apr 2007 19:03:52 -0700
On Apr 18, 2007, at 6:43 PM, Wonkyun*^^* Lee wrote:

but i cannot capture any of these things with msn messenger video
conversation, is it b/c it's encrypted?
all i see was just 'udp' protocol saying nothing..
That doesn't necessarily mean you can't *capture* them.  It could just  
mean that Wireshark can't *dissect* them; it might have no dissector  
for whatever protocol MSN Messenger is using, or it might not  
recognize the traffic as being MSN Messenger video traffic.
According to this page:

	http://www.hypothetic.org/docs/msn/client/invitation_types.php

the protocol it uses is RTP, for which Wireshark has a dissector. However, RTP doesn't have a standard port number, so Wireshark can't recognize RTP traffic based on the UDP port number; it would either have to be told that a particular session is RTP traffic, or look at the packet and try to guess whether it's RTP traffic or not.
To tell Wireshark that traffic to or from a particular port is RTP  
traffic, select one of the UDP packets by clicking on it, and then  
select "Dceode As..." from the "Analyze" menu.  Tell it to dissect  
traffic to or from one of the given transport-layer ports as RTP.
To get it to try to guess whether traffic is RTP traffic or not,  
select "Preferences" from the "Edit" menu, open up the "Protocols"  
list, select "RTP" from the list, turn on the "Try to decode RTP  
outside of conversations" option, and click "OK".
That doesn't guarantee that it'll recognize the codec, however.

I also tryed with SKYPE, but i know that it uses their own codec, so there
is no way to capture video frames, and analyze them.
It's possible to capture those frames with Wireshark (or TShark, or  
tcpdump/WinDump, or...).  It's not possible to *analyze* them in  
Wireshark or TShark without a dissector being written for the protocol  
it uses and for the codec it uses.