[Windump] RTP streams - uneven packet counts
Gianluca Varenni
gianluca.varenni at cacetech.com
Fri May 22 06:11:36 PDT 2009
By default when you capture with windump only the first 96 bytes of the
packet get captured. That could be the reason for what you see. You can
change this value by using option "-s" of windump.
windump -i 2 -w dump -C 10 -s 65535
Hope it helps
GV
----- Original Message -----
From: "Robert Jones" <RobertJ at cctexas.com>
To: "Gianluca Varenni" <gianluca.varenni at cacetech.com>;
<windump at winpcap.org>
Sent: Thursday, May 21, 2009 2:08 PM
Subject: Re: [Windump] RTP streams - uneven packet counts
> Thanks for your prompt response, that is an excellent suggestion!
>
> I have captured a RTP stream session simultaneously with both Windump
> and tshark.
>
> I opened both captures up in Wireshark, and filtered for RTP only. I
> then did the RTP stream analysis to save the payload off as an AU file.
> The one captured from tshark was saved, while the one from Windump did
> not as it resulted in the same error message regarding the wrong number
> of packets. When using the option to analyze all RTP streams in both,
> the packet counts match between both captures.
>
> Searching for other differences, I did notice that in all of the
> packets from the tshark capture, the summary information in Wireshark
> indicates "214 bytes on wire, 214 bytes captured" while on the capture
> from WinDump, the same line for all of the packets indicate "214 bytes
> on wire, 96 bytes captured".
>
> I'd be happy to run another sample for your review if you'd like, as
> this one was a personal phone call to my wife that I'd rather not send
> off.
>
> Cheers,
>
> Bob Jones
> Information Security Manager
> City of Corpus Christi
>
>>>> "Gianluca Varenni" <gianluca.varenni at cacetech.com> 5/21/2009 2:23 PM >>>
> It sounds quite strange to me, windump and wireshark use the same
> underlying capture engine.
>
> Can you try capturing with both wireshark and windump at the same time,
> and send me the capture file with the number of the packet that is
> missing in the windump trace?
>
> Have a nice day
> GV
>
> ----- Original Message -----
> From: "Robert Jones" <RobertJ at cctexas.com>
> To: <windump at winpcap.org>
> Sent: Thursday, May 21, 2009 11:59 AM
> Subject: [Windump] RTP streams - uneven packet counts
>
>
>> I ran into difficulty when capturing with windump on a machine that is
>> seeing packets from a Cisco 7940 phone. Opening up the dump file in
>> Wireshark afterwards (on the same machine, thus the same winpcap
>> version), there always seems to be a difference of one packet between
>> the forward and reverse RTP streams, which prevents Wireshark from
>> saving the payload out to a file. If I capture with Wireshark, the
>> counts match. I was wondering if this is a known issue, or if I can
>> provide some information to help isolate whether this is a bug that lies
>> within Windump or Wireshark.
>>
>> I'm using windump -i 2 -w dump -C 10
>> Pressing Ctrl+C to stop well after the call is finished
>> Opening up file in Wireshark (1.07 & 1.05 tested)
>> Using the stream analysis function under Analyze, RTP and attempting to
>> save the payload.
>>
>> Kind Regards,
>>
>> Bob Jones
>> Information Security Manager
>> City of Corpus Christi
>> _______________________________________________
>> Windump mailing list
>> Windump at winpcap.org
>> https://www.winpcap.org/mailman/listinfo/windump
>
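A quick way to confirm the truncation GV describes, without opening Wireshark, is to read the snaplen and the per-record saved/on-wire lengths straight out of the dump file. This is an added example, not code from the thread or from WinDump; the pcap bytes it inspects are constructed inside the script (three 214-byte frames, the size of a 20 ms G.711 RTP packet, once cut at the default snaplen of 96 and once saved whole with -s 65535).

```python
import struct

LIBPCAP_MAGIC = 0xA1B2C3D4   # classic microsecond-resolution pcap magic
PCAP_HDR = 'IHHiIII'         # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = 'IIII'             # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on wire)

def analyze_pcap(data: bytes) -> dict:
    """Walk a libpcap file and report its snaplen plus every truncated record.

    A record is truncated when incl_len < orig_len, which is what Wireshark
    renders as "214 bytes on wire, 96 bytes captured".
    """
    magic = struct.unpack_from('<I', data, 0)[0]
    if magic == LIBPCAP_MAGIC:
        end = '<'
    elif magic == 0xD4C3B2A1:          # same magic, file written big-endian
        end = '>'
    else:
        raise ValueError('not a classic libpcap file (magic 0x%08x)' % magic)
    snaplen = struct.unpack_from(end + PCAP_HDR, data, 0)[5]
    off = struct.calcsize('<' + PCAP_HDR)
    packets, truncated = 0, []
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack_from(end + REC_HDR, data, off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError('record %d runs past end of file' % (packets + 1))
        packets += 1
        if incl_len < orig_len:
            truncated.append((packets, orig_len, incl_len))   # 1-based, as Wireshark numbers them
        off += incl_len
    return {'snaplen': snaplen, 'packets': packets, 'truncated': truncated}

def make_pcap(snaplen: int, wire_lengths, end: str = '<') -> bytes:
    """Build a constructed pcap whose records were cut at snaplen (payload bytes are zeros)."""
    out = struct.pack(end + PCAP_HDR, LIBPCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for i, wire in enumerate(wire_lengths):
        saved = min(wire, snaplen)
        out += struct.pack(end + REC_HDR, 1242900000 + i, 0, saved, wire) + b'\x00' * saved
    return out

# Constructed samples: three 214-byte frames, the size of a 20 ms G.711 RTP packet
# (14 Ethernet + 20 IPv4 + 8 UDP + 12 RTP + 160 audio), saved with windump's default
# snaplen of 96 and again with -s 65535. At 96 bytes the headers survive (54 bytes),
# so Wireshark still decodes RTP, but only 42 of the 160 audio bytes are on disk.
DEFAULT_SNAPLEN = make_pcap(96, [214, 214, 214])
FULL_SNAPLEN = make_pcap(65535, [214, 214, 214])
```

Run `analyze_pcap(open('dump', 'rb').read())` on a real WinDump file: a non-empty `truncated` list means the audio cannot be reassembled from that capture no matter how the streams are analysed.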