RTP flow identification
Carter Bullard
carter at qosient.com
Sun Feb 7 23:17:01 EST 2010
Hey Can Desem,
Hmmm, it's a bug in the client programs, not argus.
Try this patch to the clients library, and see if that doesn't help.
Carter
==== //depot/argus/clients/common/argus_client.c#156 - /home/carter/argus/clients/common/argus_client.c ====
3567c3567
< if (cnt == sizeof(*rtp))
---
> if (cnt == (sizeof(*rtp) + 4))
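Review bot: the literal `+ 4` in `if (cnt == (sizeof(*rtp) + 4))` is an unexplained magic number; give it a named constant or a one-line comment stating what the extra four bytes are, so the next reader of argus_client.c around line 3567 does not have to rediscover why `sizeof(*rtp)` alone no longer matches. Note also that the test is an exact equality, so a record whose length differs from the expected value for any other reason will silently skip RTP identification rather than report a mismatch; consider logging the unexpected `cnt` in the else branch so this class of regression shows up instead of surfacing as "rtp" quietly disappearing from the proto field.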
On Feb 7, 2010, at 7:13 PM, Desem, Can wrote:
>
> Previously, (with argus 2.xx) "rtp" would be identified at the protocol field. However this does not seem to be the case with current argus, or I am not using the tools properly.
>
> Here is what I have done: I have downloaded a sample file from http://wiki.wireshark.org/SampleCaptures which has SIP and RTP packets in a file called "h223-over-rtp.pcap.gz".
>
> The simple commands I use are:
>
> gzip -cd h223-over-rtp.pcap.gz | argus -r- -w- |ra
>
> With argus 2.0.6 I get
>
> 08 Feb 10 11:03:20 man 229.97.122.203 v2.0 1 0 0 0 0 0 STA
> 06 Jan 07 03:20:16 udp 83.166.68.63.32090 -> 239.42.37.1.32090 1 0 286 0 CON
> 06 Jan 07 03:20:44 udp 83.166.68.46.5060 <-> 83.166.68.63.5060 4 3 2150 1346 CON
> 06 Jan 07 03:20:44 rtp 83.166.68.63.33238 <-> 83.166.68.46.36780 375 344 80566 73616 CON
> 06 Jan 07 03:20:52 udp 83.166.68.63.32090 -> 239.42.37.1.32090 1 0 311 0 CON
> 08 Feb 10 11:03:20 man 229.97.122.203 v2.0 5 0 728 0 158281 4 SHT
>
> With argus 3.0.2, I get:
>
> 03:20:13.261047 e arp 83.166.68.63 who 83.166.68.1 6 360 INT
> 03:20:16.733770 e udp 83.166.68.63.32090 -> 239.42.37.1.32090 1 286 INT
> 03:20:19.261849 e arp 83.166.68.63 who 83.166.68.1 6 360 INT
> 03:20:25.262514 e arp 83.166.68.63 who 83.166.68.1 6 360 INT
> 03:20:31.263310 e arp 83.166.68.63 who 83.166.68.1 6 360 INT
> 03:20:37.263980 e arp 83.166.68.63 who 83.166.68.1 6 360 INT
> 03:20:43.264761 e arp 83.166.68.63 who 83.166.68.1 6 360 INT
> 03:20:44.930507 e udp 83.166.68.63.33238 <-> 83.166.68.46.36780 469 100854 CON
> 03:20:44.919395 e arp 83.166.68.46 who 83.166.68.63 4 222 CON
> 03:20:44.919598 e udp 83.166.68.46.5060 <-> 83.166.68.63.5060 5 2616 CON
> 03:20:49.265574 e arp 83.166.68.63 who 83.166.68.1 6 360 INT
> 03:20:49.934778 eU udp 83.166.68.63.33238 <-> 83.166.68.46.36780 250 53334 CON
> 03:20:52.439296 e udp 83.166.68.46.5060 <-> 83.166.68.63.5060 2 880 CON
> 03:20:52.451542 e icmp 83.166.68.46.0x0303 -> 83.166.68.63.0xac8f 2 324 URP
> 03:20:52.508279 e udp 83.166.68.63.32090 -> 239.42.37.1.32090 1 311 INT
>
> So in the former case "rtp" is identified but not in the latest version of argus.
>
> Is this too simplistic? Should I be using some more complex filtering options?
>
> Regards,
> Can Desem
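The thread above is about argus classifying a UDP flow as "rtp" in the proto field. As an added example (not argus code and not Carter's patch), the block below shows what such a classifier has to check: it parses the RFC 3550 fixed header (version 2, CSRC count, optional header extension and padding, and the RTCP packet-type byte pattern that must be rejected), then applies the flow-level test that a single-packet heuristic lacks, namely that every packet in the flow parses, all share one SSRC, and sequence numbers advance by one modulo 2^16. The function names (parse_rtp_header, classify_flow, build_rtp_packet) and the sample RTP and SIP payloads are constructed for this example.

```python
"""Heuristic RTP flow identification from UDP payloads (RFC 3550 header checks).

Added example; not argus code. Function names and sample data are constructed.
"""
import struct

RTP_FIXED_HEADER_LEN = 12  # V/P/X/CC, M/PT, sequence, timestamp, SSRC


def parse_rtp_header(payload):
    """Parse an RTP fixed header from a UDP payload.

    Returns a dict of header fields, or None when the bytes cannot be RTP.
    """
    if len(payload) < RTP_FIXED_HEADER_LEN:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:RTP_FIXED_HEADER_LEN])
    if b0 >> 6 != 2:                 # RTP version field must be 2
        return None
    padding = bool(b0 & 0x20)
    extension = bool(b0 & 0x10)
    cc = b0 & 0x0F                   # number of 32-bit CSRC identifiers that follow
    marker = bool(b1 & 0x80)
    pt = b1 & 0x7F
    if marker and 72 <= pt <= 76:    # second byte 200..204 is an RTCP packet type, not RTP
        return None
    end = RTP_FIXED_HEADER_LEN + 4 * cc
    if len(payload) < end:
        return None
    if extension:                    # RFC 3550 5.3.1: profile (16 bit) + length in 32-bit words
        if len(payload) < end + 4:
            return None
        _profile, ext_words = struct.unpack("!HH", payload[end:end + 4])
        end += 4 + 4 * ext_words
        if len(payload) < end:
            return None
    if padding:                      # last byte holds the pad length, which must be non-zero
        pad = payload[-1]
        if pad == 0 or end + pad > len(payload):
            return None
    return {"pt": pt, "marker": marker, "seq": seq, "timestamp": ts,
            "ssrc": ssrc, "header_len": end}


def classify_flow(payloads, min_packets=3):
    """Return "rtp" when every payload parses as RTP, all share one SSRC and the
    sequence numbers advance by one (mod 2**16); otherwise return "udp"."""
    if len(payloads) < min_packets:
        return "udp"
    headers = [parse_rtp_header(p) for p in payloads]
    if any(h is None for h in headers):
        return "udp"
    if len({h["ssrc"] for h in headers}) != 1:
        return "udp"
    for prev, cur in zip(headers, headers[1:]):
        if (prev["seq"] + 1) & 0xFFFF != cur["seq"]:
            return "udp"
    return "rtp"


def build_rtp_packet(seq, timestamp, ssrc, pt=0, marker=False, media=b"\x00" * 160):
    """Construct a minimal RTP packet (sample data for this example only)."""
    b0 = 0x80                        # V=2, P=0, X=0, CC=0
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF, timestamp, ssrc) + media


# Constructed sample flows: a PT 0 (G.711 mu-law) stream and SIP signalling text.
RTP_FLOW = [build_rtp_packet(1000 + i, 160 * i, 0x12345678) for i in range(5)]
SIP_FLOW = [b"INVITE sip:bob@example.invalid SIP/2.0\r\n"] * 3

if __name__ == "__main__":
    print("constructed rtp stream ->", classify_flow(RTP_FLOW))
    print("constructed sip stream ->", classify_flow(SIP_FLOW))
```

The per-packet checks alone are not enough: a random UDP payload whose first byte happens to start with the bits 10 passes the version test, so a monitor that labels a flow "rtp" from one packet will mislabel traffic. Requiring a stable SSRC and contiguous sequence numbers across several packets is what makes the classification trustworthy.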