RTP flow identification
Carter Bullard
carter at qosient.com
Mon Feb 8 09:18:28 EST 2010
Yes, I've added it to the base code, so definitely add it to yours.
Carter
On Feb 8, 2010, at 12:09 AM, Desem, Can wrote:
> Hey Carter,
>
> Should this fix be applied to "rtcp" as well?
>
> Regards,
> Can Desem
>
> -----Original Message-----
> From: argus-info-bounces+can.desem=team.telstra.com at lists.andrew.cmu.edu [mailto:argus-info-bounces+can.desem=team.telstra.com at lists.andrew.cmu.edu] On Behalf Of Desem, Can
> Sent: Monday, 8 February 2010 4:04 PM
> To: Carter Bullard
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] RTP flow identification
>
> Thanks Carter,
>
> This seems to fix it.
>
> Can Desem
>
> -----Original Message-----
> From: Carter Bullard [mailto:carter at qosient.com]
> Sent: Monday, 8 February 2010 3:17 PM
> To: Desem, Can
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] RTP flow identification
>
> Hey Can Desem,
> Hmmm, it's a bug in the client programs, not argus.
> Try this patch to the clients library, and see if that doesn't help.
>
> Carter
>
> ==== //depot/argus/clients/common/argus_client.c#156 - /home/carter/argus/clients/common/argus_client.c ====
> 3567c3567
> < if (cnt == sizeof(*rtp))
> ---
>> if (cnt == (sizeof(*rtp) + 4))
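Review bot: the hard-coded `+ 4` at line 3567 carries no comment or named constant saying which four bytes it accounts for, and because the test is still a single equality, any record whose size differs from `sizeof(*rtp) + 4` will again be silently left as plain udp, which is exactly the symptom reported below. Suggest either a named constant with a comment for the extra bytes, or a minimum-length test such as `if (cnt >= sizeof(*rtp))` if the trailing bytes are optional. The follow-up in this thread asks whether the rtcp path uses the same size test; if it does, it should be reviewed in the same change.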
>
>
>
> On Feb 7, 2010, at 7:13 PM, Desem, Can wrote:
>
>>
>> Previously (with argus 2.xx), "rtp" would be identified in the protocol field. However, this does not seem to be the case with current argus, or I am not using the tools properly.
>>
>> Here is what I have done: I have downloaded a sample file from http://wiki.wireshark.org/SampleCaptures which has SIP and RTP packets in a file called "h223-over-rtp.pcap.gz".
>>
>> The simple commands I use are:
>>
>> gzip -cd h223-over-rtp.pcap.gz | argus -r- -w- |ra
>>
>> With argus 2.0.6 I get
>>
>> 08 Feb 10 11:03:20 man 229.97.122.203 v2.0 1 0 0 0 0 0 STA
>> 06 Jan 07 03:20:16 udp 83.166.68.63.32090 -> 239.42.37.1.32090 1 0 286 0 CON
>> 06 Jan 07 03:20:44 udp 83.166.68.46.5060 <-> 83.166.68.63.5060 4 3 2150 1346 CON
>> 06 Jan 07 03:20:44 rtp 83.166.68.63.33238 <-> 83.166.68.46.36780 375 344 80566 73616 CON
>> 06 Jan 07 03:20:52 udp 83.166.68.63.32090 -> 239.42.37.1.32090 1 0 311 0 CON
>> 08 Feb 10 11:03:20 man 229.97.122.203 v2.0 5 0 728 0 158281 4 SHT
>>
>> With argus 3.0.2, I get:
>>
>> 03:20:13.261047 e arp 83.166.68.63 who 83.166.68.1 6 360 INT
>> 03:20:16.733770 e udp 83.166.68.63.32090 -> 239.42.37.1.32090 1 286 INT
>> 03:20:19.261849 e arp 83.166.68.63 who 83.166.68.1 6 360 INT
>> 03:20:25.262514 e arp 83.166.68.63 who 83.166.68.1 6 360 INT
>> 03:20:31.263310 e arp 83.166.68.63 who 83.166.68.1 6 360 INT
>> 03:20:37.263980 e arp 83.166.68.63 who 83.166.68.1 6 360 INT
>> 03:20:43.264761 e arp 83.166.68.63 who 83.166.68.1 6 360 INT
>> 03:20:44.930507 e udp 83.166.68.63.33238 <-> 83.166.68.46.36780 469 100854 CON
>> 03:20:44.919395 e arp 83.166.68.46 who 83.166.68.63 4 222 CON
>> 03:20:44.919598 e udp 83.166.68.46.5060 <-> 83.166.68.63.5060 5 2616 CON
>> 03:20:49.265574 e arp 83.166.68.63 who 83.166.68.1 6 360 INT
>> 03:20:49.934778 eU udp 83.166.68.63.33238 <-> 83.166.68.46.36780 250 53334 CON
>> 03:20:52.439296 e udp 83.166.68.46.5060 <-> 83.166.68.63.5060 2 880 CON
>> 03:20:52.451542 e icmp 83.166.68.46.0x0303 -> 83.166.68.63.0xac8f 2 324 URP
>> 03:20:52.508279 e udp 83.166.68.63.32090 -> 239.42.37.1.32090 1 311 INT
>>
>> So in the former case "rtp" is identified, but not in the latest version of argus.
>>
>> Is this too simplistic? Should I be using some more complex filtering options?
>>
>> Regards,
>> Can Desem
>>
>>
>>
>>
>>
>
>
Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
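The thread turns on how the client library decides that a UDP payload is RTP from its byte count. As an added example (not argus code, and not the code the patch above touches), here is a header check that derives the expected length from the RTP header's own CC and X fields, following RFC 3550, instead of comparing against one exact size; it generalizes the page's single case to headers with CSRC lists and extensions. The sample payloads are constructed, not taken from the capture in the thread.

```c
#include <stdint.h>
#include <stddef.h>

/* RFC 3550 fixed RTP header is 12 bytes, followed by 0..15 32-bit CSRC
 * identifiers and, if the X bit is set, a 4-byte extension header plus
 * the number of 32-bit words it announces. */
#define RTP_FIXED_HDR_LEN 12

/* Return the RTP header length in bytes if buf[0..cnt) begins with a
 * structurally valid RTP header, or 0 if it does not. Lengths are derived
 * from the header's own CC and X fields instead of a single exact size,
 * so CSRC lists or extensions do not make the flow fall back to plain
 * udp, and a truncated packet cannot push reads past cnt. */
size_t rtp_header_len(const uint8_t *buf, size_t cnt)
{
    if (buf == NULL || cnt < RTP_FIXED_HDR_LEN) return 0;
    if ((buf[0] >> 6) != 2) return 0;                 /* version must be 2 */
    unsigned x  = (buf[0] >> 4) & 1;                  /* extension bit */
    unsigned cc = buf[0] & 0x0f;                      /* CSRC count */
    size_t hdr_len = RTP_FIXED_HDR_LEN + 4u * cc;
    if (cnt < hdr_len) return 0;                      /* truncated CSRC list */
    if (x) {
        if (cnt < hdr_len + 4) return 0;              /* no extension header */
        size_t ext_words = ((size_t)buf[hdr_len + 2] << 8) | buf[hdr_len + 3];
        hdr_len += 4 + 4 * ext_words;
        if (cnt < hdr_len) return 0;                  /* truncated extension */
    }
    return hdr_len;
}

/* Payload type (low 7 bits of byte 1); only meaningful after rtp_header_len() > 0. */
unsigned rtp_payload_type(const uint8_t *buf) { return buf[1] & 0x7f; }

/* Constructed sample UDP payloads (not from the capture in the thread). */
static const uint8_t pkt_plain[14] = { 0x80, 0x08, 0x00, 0x01, 0, 0, 0, 0,
                                       0xde, 0xad, 0xbe, 0xef, 0xaa, 0xbb };   /* cc=0, 2 payload bytes */
static const uint8_t pkt_csrc[16]  = { 0x81, 0x08, 0x00, 0x02, 0, 0, 0, 0,
                                       0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4 };   /* cc=1, header is 16 bytes */
static const uint8_t pkt_ext[20]   = { 0x90, 0x08, 0x00, 0x03, 0, 0, 0, 0,
                                       0xde, 0xad, 0xbe, 0xef, 0xbe, 0xde, 0x00, 0x01,
                                       0x11, 0x22, 0x33, 0x44 };               /* X=1, one extension word */
static const uint8_t pkt_bad[12]   = { 0x45, 0x00, 0x00, 0x03, 0, 0, 0, 0,
                                       0xde, 0xad, 0xbe, 0xef };               /* version 1: not RTP */
```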