[Windump] RTP streams - uneven packet counts

Robert Jones RobertJ at cctexas.com
Thu May 21 14:08:27 PDT 2009


Thanks for your prompt response, that is an excellent suggestion!

I have captured a RTP stream session simultaneously with both Windump
and tshark.

I opened both captures up in Wireshark, and filtered for RTP only.  I
then did the RTP stream analysis to save the payload off as an AU file. 
The one captured from tshark was saved, while the one from Windump did
not as it resulted in the same error message regarding the wrong number
of packets.  When using the option to analyze all RTP streams in both,
the packet counts match between both captures.  

Searching for other differences, I did notice that in all of the
packets from the tshark capture, the summary information in Wireshark
indicates "214 bytes on wire, 214 bytes captured" while on the capture
from WinDump, the same line for all of the packets indicate "214 bytes
on wire, 96 bytes captured".

I'd be happy to run another sample for your review if you'd like, as
this one was a personal phone call to my wife that I'd rather not send
off.

Cheers,

Bob Jones
Information Security Manager
City of Corpus Christi

>>> "Gianluca Varenni" <gianluca.varenni at cacetech.com> 5/21/2009 2:23 PM >>>
It sounds quite strange to me, windump and wireshark use the same
underlying capture engine.

Can you try capturing with both wireshark and windump at the same time,
and send me the capture file with the number of the packet that is
missing in the windump trace?

Have a nice day
GV

----- Original Message ----- 
From: "Robert Jones" <RobertJ at cctexas.com>
To: <windump at winpcap.org>
Sent: Thursday, May 21, 2009 11:59 AM
Subject: [Windump] RTP streams - uneven packet counts


> I ran into difficulty when capturing with windump on a machine that is
> seeing packets from a Cisco 7940 phone.  Opening up the dump file in
> Wireshark afterwards (on the same machine, thus the same winpcap
> version), there always seems to be a difference of one packet between
> the forward and reverse RTP streams, which prevents Wireshark from
> saving the payload out to a file.  If I capture with Wireshark, the
> counts match.  I was wondering if this is a known issue, or if I can
> provide some information to help isolate whether this is a bug that
> lies within Windump or Wireshark.
>
> I'm using windump -i 2 -w dump -C 10
> Pressing Ctrl+C to stop well after the call is finished
> Opening up file in Wireshark (1.07 & 1.05 tested)
> Using the stream analysis function under Analyze, RTP and attempting
> to save the payload.
>
> Kind Regards,
>
> Bob Jones
> Information Security Manager
> City of Corpus Christi
> _______________________________________________
> Windump mailing list
> Windump at winpcap.org 
> https://www.winpcap.org/mailman/listinfo/windump 
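The "214 bytes on wire, 96 bytes captured" summary reported above means every frame in the WinDump file was cut at the capture's snapshot length (96 bytes was the default snaplen of WinDump/tcpdump 3.9; `-s 0` or `-s 65535` records whole frames), so the RTP payload Wireshark needs to save is incomplete. As an added example that is not part of this thread, the following Python check reads a classic pcap file and counts records whose captured length is shorter than their on-wire length; the two sample captures are constructed in memory with zero-filled placeholder payloads.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps


def build_pcap(snaplen, packets):
    """Build an in-memory classic pcap (linktype 1, Ethernet).

    `packets` is a list of (wire_len, captured_bytes). The record stores
    orig_len = wire_len and incl_len = len(captured_bytes), which is how a
    capture engine records a frame it has cut at the snapshot length.
    """
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    records = b""
    for i, (wire_len, data) in enumerate(packets):
        records += struct.pack("<IIII", 1242938907 + i, 0, len(data), wire_len)
        records += data
    return header + records


def parse_pcap(blob):
    """Return (snaplen, [(incl_len, orig_len), ...]), honouring file byte order."""
    magic_le = struct.unpack("<I", blob[:4])[0]
    end = "<" if magic_le == PCAP_MAGIC else ">"
    if struct.unpack(end + "I", blob[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file")
    snaplen = struct.unpack(end + "I", blob[16:20])[0]
    records, off = [], 24
    while off + 16 <= len(blob):
        _, _, incl_len, orig_len = struct.unpack(end + "IIII", blob[off:off + 16])
        records.append((incl_len, orig_len))
        off += 16 + incl_len  # skip the record header and its captured bytes
    return snaplen, records


def truncation_report(blob):
    """Return (snaplen, total_records, truncated_records) for a pcap blob.

    A record is truncated when fewer bytes were captured than were on the
    wire; any such record makes payload reassembly (RTP, TCP, ...) unreliable.
    """
    snaplen, records = parse_pcap(blob)
    truncated = sum(1 for incl, orig in records if incl < orig)
    return snaplen, len(records), truncated


# Constructed samples: three 214-byte frames (the size quoted in the thread),
# once cut at a 96-byte snaplen and once captured in full.
FRAME_214 = bytes(214)  # placeholder payload, not a real RTP frame
SHORT_CAP = build_pcap(96, [(214, FRAME_214[:96])] * 3)
FULL_CAP = build_pcap(65535, [(214, FRAME_214)] * 3)
```

Running `truncation_report` over a real file (`open(path, "rb").read()`) gives a quick answer to whether a failed RTP payload export is a snaplen problem rather than a missing packet.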