RTP flow identification

Desem, Can Can.Desem at team.telstra.com
Sun Feb 7 19:13:56 EST 2010 

 
Previously, (with argus 2.xx) "rtp" would be identifed at the protocol field. However this does not seem to be the case with current argus, or I am not using the tools properly.

Here is what I have done: I have downloaded a sample file from http://wiki.wireshark.org/SampleCaptures which has SIP and RTP packets in a file called "h223-over-rtp.pcap.gz".

The simple commands I use are;

gzip -cd h223-over-rtp.pcap.gz | argus -r- -w- |ra 

With argus 2.0.6 I get 

08 Feb 10 11:03:20           man  229.97.122.203  v2.0                   1 0     0        0         0            0           STA
06 Jan 07 03:20:16           udp    83.166.68.63.32090  ->     239.42.37.1.32090 1        0         286          0           CON
06 Jan 07 03:20:44           udp    83.166.68.46.5060  <->    83.166.68.63.5060  4        3         2150         1346        CON
06 Jan 07 03:20:44           rtp    83.166.68.63.33238 <->    83.166.68.46.36780 375      344       80566        73616       CON
06 Jan 07 03:20:52           udp    83.166.68.63.32090  ->     239.42.37.1.32090 1        0         311          0           CON
08 Feb 10 11:03:20           man  229.97.122.203  v2.0                   5 0     728      0         158281       4           SHT

With argus 3.0.2, I get;

   03:20:13.261047  e         arp       83.166.68.63          who        83.166.68.1               6        360   INT
   03:20:16.733770  e         udp       83.166.68.63.32090     ->        239.42.37.1.32090         1        286   INT
   03:20:19.261849  e         arp       83.166.68.63          who        83.166.68.1               6        360   INT
   03:20:25.262514  e         arp       83.166.68.63          who        83.166.68.1               6        360   INT
   03:20:31.263310  e         arp       83.166.68.63          who        83.166.68.1               6        360   INT
   03:20:37.263980  e         arp       83.166.68.63          who        83.166.68.1               6        360   INT
   03:20:43.264761  e         arp       83.166.68.63          who        83.166.68.1               6        360   INT
   03:20:44.930507  e         udp       83.166.68.63.33238    <->       83.166.68.46.36780       469     100854   CON
   03:20:44.919395  e         arp       83.166.68.46          who       83.166.68.63               4        222   CON
   03:20:44.919598  e         udp       83.166.68.46.5060     <->       83.166.68.63.5060          5       2616   CON
   03:20:49.265574  e         arp       83.166.68.63          who        83.166.68.1               6        360   INT
   03:20:49.934778  eU        udp       83.166.68.63.33238    <->       83.166.68.46.36780       250      53334   CON
   03:20:52.439296  e         udp       83.166.68.46.5060     <->       83.166.68.63.5060          2        880   CON
   03:20:52.451542  e        icmp       83.166.68.46.0x0303    ->       83.166.68.63.0xac8f        2        324   URP
   03:20:52.508279  e         udp       83.166.68.63.32090     ->        239.42.37.1.32090         1        311   INT

So in the former case "rtp" is identified but not in the latest version of argus.

Is this too simplistic?  Should I be using some more complex filtering options? 

Regards,
Can Desem

More information about the argus mailing list