RTP flow identification

Carter Bullard carter at qosient.com
Sun Feb 7 23:17:01 EST 2010


Hey Can Desem,
Hmmm, its a bug in the client programs, not argus.
Try this patch to the clients library, and see if that doesn't help.

Carter

==== //depot/argus/clients/common/argus_client.c#156 - /home/carter/argus/clients/common/argus_client.c ====
3567c3567
<                               if (cnt == sizeof(*rtp))
---
>                               if (cnt == (sizeof(*rtp) + 4))



On Feb 7, 2010, at 7:13 PM, Desem, Can wrote:

> 
> Previously, (with argus 2.xx) "rtp" would be identifed at the protocol field. However this does not seem to be the case with current argus, or I am not using the tools properly.
> 
> Here is what I have done: I have downloaded a sample file from http://wiki.wireshark.org/SampleCaptures which has SIP and RTP packets in a file called "h223-over-rtp.pcap.gz".
> 
> The simple commands I use are;
> 
> gzip -cd h223-over-rtp.pcap.gz | argus -r- -w- |ra 
> 
> With argus 2.0.6 I get 
> 
> 08 Feb 10 11:03:20           man  229.97.122.203  v2.0                   1 0     0        0         0            0           STA
> 06 Jan 07 03:20:16           udp    83.166.68.63.32090  ->     239.42.37.1.32090 1        0         286          0           CON
> 06 Jan 07 03:20:44           udp    83.166.68.46.5060  <->    83.166.68.63.5060  4        3         2150         1346        CON
> 06 Jan 07 03:20:44           rtp    83.166.68.63.33238 <->    83.166.68.46.36780 375      344       80566        73616       CON
> 06 Jan 07 03:20:52           udp    83.166.68.63.32090  ->     239.42.37.1.32090 1        0         311          0           CON
> 08 Feb 10 11:03:20           man  229.97.122.203  v2.0                   5 0     728      0         158281       4           SHT
> 
> With argus 3.0.2, I get;
> 
>   03:20:13.261047  e         arp       83.166.68.63          who        83.166.68.1               6        360   INT
>   03:20:16.733770  e         udp       83.166.68.63.32090     ->        239.42.37.1.32090         1        286   INT
>   03:20:19.261849  e         arp       83.166.68.63          who        83.166.68.1               6        360   INT
>   03:20:25.262514  e         arp       83.166.68.63          who        83.166.68.1               6        360   INT
>   03:20:31.263310  e         arp       83.166.68.63          who        83.166.68.1               6        360   INT
>   03:20:37.263980  e         arp       83.166.68.63          who        83.166.68.1               6        360   INT
>   03:20:43.264761  e         arp       83.166.68.63          who        83.166.68.1               6        360   INT
>   03:20:44.930507  e         udp       83.166.68.63.33238    <->       83.166.68.46.36780       469     100854   CON
>   03:20:44.919395  e         arp       83.166.68.46          who       83.166.68.63               4        222   CON
>   03:20:44.919598  e         udp       83.166.68.46.5060     <->       83.166.68.63.5060          5       2616   CON
>   03:20:49.265574  e         arp       83.166.68.63          who        83.166.68.1               6        360   INT
>   03:20:49.934778  eU        udp       83.166.68.63.33238    <->       83.166.68.46.36780       250      53334   CON
>   03:20:52.439296  e         udp       83.166.68.46.5060     <->       83.166.68.63.5060          2        880   CON
>   03:20:52.451542  e        icmp       83.166.68.46.0x0303    ->       83.166.68.63.0xac8f        2        324   URP
>   03:20:52.508279  e         udp       83.166.68.63.32090     ->        239.42.37.1.32090         1        311   INT
> 
> So in the former case "rtp" is identified but not in the latest version of argus.
> 
> Is this too simplistic?  Should I be using some more complex filtering options? 
> 
> Regards,
> Can Desem
> 
> 
> 
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20100207/0e7fe097/attachment.bin>


More information about the argus mailing list