RTP stands for Real-Time Protocol, which is a protocol that allows the transmission of streaming media over an IP-based network. The protocol determines how audio and video data will be encoded, transmitted, and packaged in data packets along with the information necessary to decode the data at its destination. The communication endpoints involved in an RTP session are called participants. The two participants in an RTP session are called the RTP sender and the RTP receiver.

Real-time Transport Protocol (RTP) in Wireshark:

Real-time Transport Protocol (RTP) is a network protocol that provides real-time audio and video communications, such as voice and video chat, over computer networks. This protocol works on top of the Transmission Control Protocol (TCP). Wireshark is a cross-platform packet analyzer used for troubleshooting and analyzing data packets traversing the network (in particular in order to capture or follow streams of digital data). It’s used by hundreds of thousands of organizations to implement IT security, network monitoring, development testing and curriculum.

The following section discusses how the RTP protocol is used by Wireshark. We will see how Wireshark can decode and view the protocol data on a network interface. The final section of this article will discuss configuring Wireshark to capture and decode RTP-based traffic. We will use a sample scenario to discuss the RTP communication process between two endpoints, that is participant A (sender) and participant B (receiver). The communication between the two participants is based on the Multicast RTP protocol which is a reliable protocol.

Let’s capture an RTP packet from participant A which contains a streaming video file. 

• Under the Wireshark menu, select Statistics | General Packet The general packet statistics window shows the fields and their respective values for a particular packet. For example, for an RTP data stream, we have the transport protocol (RTP) and media type (audio/video). 
• You will also see the time offset of current time in milliseconds and the byte count of all packets transmitted. 
• Let’s now send an audio file to participant B. Once we capture an audio file, we will see that there is an incoming UDP/IP protocol traffic that is being captured as part of this pcap file.
• Now, let’s look at the same general packet statistics window for this specific packet that we are interested in. If you scroll down to the bottom of the window, you will see that the RTP protocol is being used by both participants. 
• To decode and view more information about RTP communication, we need to do a deep analysis of packets involved in an RTP session. 
• We will use the same sample audio file which was sent to participant B. As part of this task, we will also explore how Wireshark decodes and views RTP-based traffic on a network interface.

Protocol Dependencies of RTP in Wireshark: 

The protocol dependencies of RTP include:

• Network access layer protocols, for example, Ethernet or frame relay.
• One or more transport protocols, for example, the TCP layer.
• One or more network layer protocols, for example, IPv4 or IPv6. A protocol such as UDP is used at this layer instead of a higher-layer protocol in cases where no acknowledgment is required (such as with RTP). The stream ID identifies a data stream through the network between two endpoints. 
• The optional ports carry source and destination port numbers when supported by the transport protocol used to create the stream.

Preference Settings of RTP in Wireshark:

There are some preferences that can be configured to improve the performance of Wireshark. These settings can be accessed by going to “ Edit→Preferences “.

• Interface: RTP is disabled on untrusted networks unless using SSL.
• Display: Limit each packet summary to only once per conversation. This is helpful if you have large capture files with lots of traffic toward one person or a few people (i.e., if you are doing long-term surveillance of someone). When this preference is disabled, Wireshark will show every packet several times for the same conversation, which can be very annoying when you have a lot of traffic and/or large capture files (i.e., several gigabytes).
• Apply the same text styling to all packets for a conversation: This is helpful if you want to process a large capture file and want to do some sort of processing/analysis on packet contents, as opposed to conversation metadata (who talked with whom when etc.). When disabled, you can apply different colors/fonts/etc. to different conversations. For example, if your capture file contains both conversations on the client side (e.g., IM) and server-side (e.g., HTTP), using a different font for each of them makes it easier to read the output of your processing script.

Countermeasures:

• Although Wireshark does not decode RTP natively, there are various ways in which you can use Wireshark to view or capture RTP packets.
• For example, you can set up your network interface so that it is a promiscuous mode, that is it will accept all traffic on the network interface. You can then use Wireshark to set a filter and also configure a capture filter.  You can also use the decapsulate-RTP plug-in to automatically decode an incoming RTP stream and display it in the GUI as soon as you scan its traffic on your network interface using Live Capture mode.