Wireshark · Wireshark-users: Re: [Wireshark-users] Correct method to filter an RTP stream

["Keith French" <keithfrench@xxxxxxxxxxxxx>]

I have further found a difference in the number of frames displayed by the two filter methods on my problematic trace.

 

rtp.setup-frame returns 4363 frames

 

SSID returns 5770

 

If I then do a "Show all streams" on the whole trace, all streams share the same SSID:-

 

 

Obviously looking at the first two streams, I can see where the packet loss is coming from when I filter on the SSID. Before I think of going any further with it I would appreciate some guidance on which filter method I should use.

 

Keith French.

 

From: Keith French

Sent: Wednesday, December 23, 2009 10:15 AM

To: Wireshark-Users

Subject: [Wireshark-users] Correct method to filter an RTP stream

I am running Wireshark V 1.2.5 on Windows 7 and I have a question on what is the correct method to find all packets in an RTP stream from a trace that has multiple H.323 calls in it.

 

I use "VoIP Calls" and highlight the call I am interested in and click "Prepare Filter". This will give one or maybe a few RTP packets.

 

Originally I thought that the correct method was to use the RTP setup frame :-

 

rtp.setup-frame == 4

 

However, I was advised by someone that I should use the RTP SSID:-

 

rtp.ssrc == 0xb1854be7

 

I have a trace where if I filter on the SSID I get 95% RTP packet loss, but if I filter on it via the RTP setup frame, I get 0% RTP packet loss.

 

Which method should I be using?

 

Keith French

---

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe