[Winpcap-users] VOIP [RTP]

john mcnicholas jomcn1 at gmail.com
Wed Mar 12 01:20:49 GMT 2008


I'm glad it's working and thanks for the info on voip.

Couple of comments: (the first 2 aren't important, but the 3rd seems more
significant)

1.
I suspect you are *NOT* concerned with porting your code to another OS or
machine that has a different byte order, but if you were, you would need to
be careful with bit masks.
Here is a "typical" typedef you might see for the ip_header:


#if BYTE_ORDER == LITTLE_ENDIAN
    u_int    ip_hl:4,        /* header length */
             ip_v:4;         /* version */
#endif
#if BYTE_ORDER == BIG_ENDIAN
    u_int    ip_v:4,         /* version */
             ip_hl:4;        /* header length */
#endif

Needless to say if you are getting an ip header of 20 bytes (and not 16)
then your bit masks are in the proper order (for your operating system).

2. Note:
ntohs = "network" to "host" short
ntohl = "network" to "host" long

htons = "host" to "network" short
htonl = you get the idea...

Anyway, ntohX and htonX really do the same thing, so this is *very petty*;
since you are reading from the network you want to use the "ntoh" set. (You
can disregard this comment, but it is something I'd like to know if I were in
your shoes.)

And if you're wondering why there are 2 versions - that seems like a
legitimate question to me too.

Oh yeah, *"do the same thing"* means swap the byte order -
i.e. 0x12 swapped becomes 0x21.
So assuming the host byte order is LITTLE ENDIAN - since the network is BIG
ENDIAN - then

513 = ntohs(258);      // 0x21 = ntohs(0x12)
513 = htons(258)

If byte order is the same then

258 = ntohs(258)

3.
The "htons" (or ntohs) is really a bit alarming on a *bit* field.

A structure that is "unsigned short padding : 1" really should have a value
of 0 to 1.

Applying ntohs() (on a little endian CPU) will result in a value of 0 or
256, which has to be wrong.

You have the data in front of you, so if it's working then maybe I'm crazy.

Anyway good luck and again thanks for the voip info.

john


On Tue, Mar 11, 2008 at 7:09 PM, TORKHANI Wajdi <wajdi.torkhani at laposte.net>
wrote:

>  thank you so so much :)
>
> I took your advice and I solved the problem number 3 :
> _______________________________________
> I- change Structure RTP header :
> struct rtphdr{
>  unsigned short CSRC_count:4;  // CSRC count
>  unsigned short extension:1;   // header extension flag
>  unsigned short padding:1;   // padding flag
>  unsigned short ver:2; // protocol version
>  unsigned short Payload:7;  // payload type
>  unsigned short Marker:1;   // marker bit
>  unsigned short Sequence;   // sequence number
>  unsigned int Timestamp;   // timestamp
>  unsigned int SSRC;   // synchronization source
>  //unsigned int csrc[1];  // optional CSRC list
> };
> _________________________
> II- replace : sizeof(struct iphdr) by (ip->ihl * 4)
> rtp=(struct rtphdr *)(pkt_data+(sizeof(struct ethhdr)+(ip->ihl *
> 4)+sizeof(struct udphdr)));
> ________________________
> III- htons and htonl :
>
> fprintf(stdout,"------------------------------------------------------\n");
> fprintf(stdout,"Version      : %d |\r\n",rtp->ver);
> fprintf(stdout,"Padding       : %.5d |\r\n",htons(rtp->padding));
> fprintf(stdout,"Extension       : %.5d |\r\n",htons(rtp->extension));
> fprintf(stdout,"CSRC_count       : %.5d |\r\n",htons(rtp->CSRC_count));
> fprintf(stdout,"Marker       : %.5d |\r\n",htons(rtp->Marker));
> fprintf(stdout,"Payload      : %d |\r\n",rtp->Payload);
> fprintf(stdout,"Sequence Number       : %u |\r\n",htons(rtp->Sequence));
> fprintf(stdout,"Timestamp       : %u |\r\n",htonl(rtp->Timestamp));
> fprintf(stdout,"Synchronization source       : %u |\r\n",htonl(rtp->SSRC));
> _____________________________
>
> For the first and second questions I will give you more details; maybe they
> can help you to help me :P
> 1-I must create a voip sniffer (to capture communication VOIP on the LAN)
> and then to convert them into audio format.
> 2-regroup the packets of a communication together to store it in the bitstream
> format required by the decoder (voiceage G729).
> I succeeded in :
> preparing a sniffer in C++ (by using the library winpcap) (capture network
> traffic, filter UDP traffic, read Ethernet, IP, UDP and RTP headers)
> and now I'm working on the building of the bitstream file.
>
>
> Thank you,
> Wajdi TORKHANI
>
> ----- Original Message -----
> *From:* Maria de Fatima Requena <MariaF.Requena at a-e.es>
> *To:* winpcap-users at winpcap.org
> *Sent:* Tuesday, March 11, 2008 8:23 AM
> *Subject:* RE: [Winpcap-users] VOIP [RTP]
>
> Maybe the problem is byte order. If you take a look at Wireshark
> examples, you will see instructions like ntohs, or some ones that apply bit
> masks, that do this change.
>
>
>
> On the other hand, once you have stopped reading packets, you can use
> tools to give the streams format. For example GoldWave lets you determine
> the type of coding you need before opening the file. Anyway, you can
> manually add header format to your files.
>
>
>
> I hope this helps
>
>
>
> *María de Fátima Requena Cabot (2488)
> +34 91 787 23 00 alhambra-eidos.es*
>
>
>
>
>
> *From:* winpcap-users-bounces at winpcap.org [mailto:
> winpcap-users-bounces at winpcap.org] *On behalf of* Gianluca Varenni
> *Sent:* Friday, 07 March 2008 18:12
> *To:* winpcap-users at winpcap.org
> *Subject:* Re: [Winpcap-users] VOIP [RTP]
>
>
>
> I'm not an expert about RTP, so I cannot answer questions 1 and 2.
> Regarding 3, for sure there's something that "smells" in your code
>
> - you are assuming that you are always receiving UDP packets encapsulated
> over IPv4. Unless you are filtering the captured packets to make sure they
> are IPv4 and UDP, you should check the ethertype and the L3 protocol type.
>
> - you are assuming that the IP header has a fixed size (...sizeof(struct
> iphdr)...). This is not true. You need to compute the length of the IPv4
> header by looking at the first byte in the IP header itself.
>
>
>
> Hope it helps
>
> GV
>
>
>
>  ----- Original Message -----
>
> *From:* TORKHANI Wajdi <wajdi.torkhani at laposte.net>
>
> *To:* winpcap-users at winpcap.org
>
> *Sent:* Tuesday, March 04, 2008 2:40 PM
>
> *Subject:* [Winpcap-users] VOIP [RTP]
>
>
>
> Hi,
>
> I get the RTP packets from winpcap but I have the following problems:
>
> 1-how to regroup the packets of a communication together to store it and
> apply the CODEC (G.729A)?
> 2-how to detect the end of a call ?!
> 3-I have a problem with reading the RTP header, below is a part of my source
> code :
> ------------------
>
> Code:
>
>
>
> struct rtphdr{
>
> unsigned short ver:2 ;
> unsigned short padding:1;
> unsigned short extension:1 ;
> unsigned short CSRC_count:4 ;
> unsigned short Marker:1 ;
> unsigned short Payload :7 ;
> unsigned short Sequence ;// 16 bits
> unsigned int Timestamp;//32 bits
> unsigned int SSRC  ;//32 bits
> };
>
> --------------------
> Code:
>
> rtp=(struct rtphdr *)(pkt_data+(sizeof(struct ethhdr)+sizeof(struct
> iphdr)+sizeof(struct udphdr)));
>
> ---------------------------
>
> Code:
>
>
>
>
> fprintf(stdout,"------------------------------------------------------\n");
> fprintf(stdout,"Version      : %d |\r\n",rtp->ver);
> fprintf(stdout,"Padding       : %.5d |\r\n",htons(rtp->padding));
> fprintf(stdout,"Extension       : %.5d |\r\n",htons(rtp->extension));
> fprintf(stdout,"CSRC_count       : %.5d |\r\n",htons(rtp->CSRC_count));
> fprintf(stdout,"Marker       : %.5d |\r\n",htons(rtp->Marker));
> fprintf(stdout,"Payload      : %.5d |\r\n",htons(rtp->Payload));
> fprintf(stdout,"Sequence Number       : %.5d |\r\n",htons(rtp->Sequence));
> fprintf(stdout,"Timestamp       : %.5d |\r\n",htons(rtp->Timestamp));
> fprintf(stdout,"Synchronization source       : %.5d |\r\n",htons(rtp->SSRC));
> ------------------------
> Ethernet, IP and UDP headers are correct.
> When I compare the result with the Ethereal result I find that only SSRC is
> correct !
> Thank you.
> I'm sorry for my bad English
>
>
>
> TORKHANI Wajdi
>  ------------------------------
>
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
>
>
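
The header-parsing points raised in this thread (check the ethertype and the L3 protocol, take the IPv4 header length from the header's first byte, and do not byte-swap bit fields) can be combined by reading the RTP header with shifts and masks instead of a bit-field struct. This is an added example, not code from any of the posters; `parse_rtp`, `struct rtp_info` and the sample frame are constructed for illustration. It assumes untagged Ethernet II frames and does not handle IP fragments or the CSRC list and extension header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct rtp_info {               /* RTP fixed header fields, host byte order */
    uint8_t  ver, padding, extension, csrc_count, marker, payload_type;
    uint16_t seq;
    uint32_t timestamp, ssrc;
};

/* Big-endian reads built from bytes: same result on any host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Returns 0 on success, <0 if the frame is not Ethernet/IPv4/UDP/RTPv2 or is cut short. */
int parse_rtp(const uint8_t *pkt, size_t len, struct rtp_info *out)
{
    if (len < 14 + 20 || rd16(pkt + 12) != 0x0800) return -1;    /* ethertype must be IPv4 */
    const uint8_t *ip = pkt + 14;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;                     /* header length from byte 0 */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 17) return -2; /* IPv4, sane IHL, UDP */
    if (len < 14 + ihl + 8 + 12) return -3;                      /* UDP + RTP must fit */
    const uint8_t *r = ip + ihl + 8;
    out->ver          = r[0] >> 6;          /* single-byte fields: shift and mask, */
    out->padding      = (r[0] >> 5) & 1;    /* no byte swapping involved           */
    out->extension    = (r[0] >> 4) & 1;
    out->csrc_count   = r[0] & 0x0F;
    out->marker       = r[1] >> 7;
    out->payload_type = r[1] & 0x7F;
    out->seq          = rd16(r + 2);        /* multi-byte fields: network order */
    out->timestamp    = rd32(r + 4);
    out->ssrc         = rd32(r + 8);
    return out->ver == 2 ? 0 : -4;
}

/* Constructed sample frame: IPv4/UDP, RTP v2, marker set, PT 18 (G.729), seq 258. */
static const uint8_t sample_frame[] = {
    0,0,0,0,0,2, 0,0,0,0,0,1, 0x08,0x00,                          /* Ethernet */
    0x45,0,0,40, 0,0,0,0, 64,17,0,0, 10,0,0,1, 10,0,0,2,          /* IPv4, IHL=5 */
    0x13,0x88, 0x13,0x8A, 0,20, 0,0,                              /* UDP */
    0x80,0x92, 0x01,0x02, 0,0,0,0xA0, 0x12,0x34,0x56,0x78         /* RTP */
};

int main(void)
{
    struct rtp_info i;
    if (parse_rtp(sample_frame, sizeof sample_frame, &i) == 0)
        printf("ver=%u pt=%u seq=%u ts=%u\n", i.ver, i.payload_type, i.seq, (unsigned)i.timestamp);
    return 0;
}
```

Because every field is assembled from individual bytes, the result does not depend on the compiler's bit-field layout or on the host byte order, and a short or non-UDP frame is rejected before any RTP byte is read.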