[VOIPSEC] RTP packet signature

Haluska, John J jhaluska at telcordia.com
Wed Oct 5 13:52:31 BST 2005 

Of course almost anything is  possible. In general, it would be very
difficult to determine without any context whether a single packet
contains RTP.

 

The only field you can really count on is the RTP version field, pretty
much anything else can change. And this  is  a very small field, the
chances of any random packet matching that value at that offset in the
UDP header  is pretty good anyway,

 

The ports used for RTP are negotiated dynamically, so it's not possible
(without context) to know even which port number to look for.

 

With context, it is possible, but not simple. So a single packet would
tell nothing. But if you look for a stream, with packets sent at
periodic intervals (usually 10 or 20 msec for pcm type codecs), and see
appropriately incrementing values in the offsets where the RTP
timestamps and sequence numbers belong, and a constant  value where  the
SSRC belongs, and yu have some reason to think there could be  an RTP
stream here, then you've got a start.

 

There are other clues too, like the presence of sparse traffic at udp
port number + 1, which would be RTCP, you could analyze these packets
(if they exist) and correlate the  information here with that in the
suspected RTP stream.

 

In my experience I have seen that certain endpoint always use the same
UDP port numbers for RTP streams, if you have the context of knowing the
endpoints then you might also be able to use this information.  Also, if
the particular endpoints always use the same SSRC (it is supposed to be
randomly chosen but this may not always be done) then you can look at
this too. But again this requires that you know in advance what you are
looking at, so in general this cannot be used.

 

But this is only to determine that you do in fact have RTP, not sure
what you intend to do with it. If they are using dynamic payload types
as recommended by the RFCs, then you cannot in general know the codec
from the payload type, you need to guess or play trial and error with
different codecs. 

 

So, for a single packet, there is really no signature you can reliably
count on. With enough context and processing, you can do it. All this of
course  applies just to RFC  3550 RTP sent in the clear. 

 

 

 

John Haluska

 

 

 

 

Message: 3

Date: Tue, 4 Oct 2005 16:53:32 +0200

From: Marc.JACOBS at etca.alcatel.be

Subject: [VOIPSEC] RTP packet signature

To: Voipsec at voipsa.org

Message-ID:

 
<OF377A4B83.D2232863-ONC1257090.0050CD02-C1257090.0051CE77 at etca.alcatel.
be>

      

Content-Type: text/plain; charset="us-ascii"

 

Dear all,

Is there a means to know either an UDP/TCP packet encapsulates a
RTP/RTCP 

packet or not without using the signaling protocols (SIP, H323, ...) ?
In 

other words, how can I identify a RTP packet on-the-fly without having 

access to the signaling protocol ?

Thanks,

Marc

More information about the Voipsec mailing list