Question:
How do you make a display filter that filters out most RTP frames, but leaves a representative sample? Sometimes it's convenient to see a sampling of RTP frames in Wireshark, without having to see 50 per second.
Answer:
Rather than see 50 frames per second for every RTP flow, how about one frame every 5 seconds?
Wireshark display filter:
rtp[3:1]==0 or rtp.marker==1
Shows an RTP packet for each RTP stream
-- about every 5 seconds
-- or when the stream starts afresh
How does it work?
- The 3rd and 4th bytes of the RTP frame are sequence number
- The sequence number increases monotonically (40704, 40705, 40706, etc.)
- rtp[x:y] gives the y bytes that appear at offset x in the RTP frame, where the first byte in the packet is at offset 0
- rtp[3:1] gives the 1 byte that appears in the 4th byte of the frame (see the "00" in attached screenshot). This is the least-significant byte of the number.
- Normal VoIP RTP sends 1 frame every 20 milliseconds
- Since the RTP frame is a 2-byte value, then 1 out of every 256 frames will have a least-significant-byte value of 0
- 256 [sequence numbers] * 20 ms = 5.12 seconds
- I'm glossing over some details in the previous two points
- Each time a new RTP flow starts, the sender should send an RTP frame with rtp.marker==1
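A Python model of that filter, added here as a worked example rather than anything from the original answer: it parses the fixed RTP header, applies the same test as rtp[3:1]==0 or rtp.marker==1, and runs it over a constructed 20 ms stream (sequence numbers and SSRC are made-up values) to show where the roughly 5 second sampling interval comes from.

```python
import struct
from dataclasses import dataclass

@dataclass
class RtpHeader:
    marker: bool
    payload_type: int
    seq: int
    timestamp: int
    ssrc: int

def parse_rtp(pkt: bytes) -> RtpHeader:
    """Parse the 12-byte fixed RTP header (RFC 3550, section 5.1)."""
    if len(pkt) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return RtpHeader(bool(b1 & 0x80), b1 & 0x7F, seq, ts, ssrc)

def matches_sample_filter(pkt: bytes) -> bool:
    """Same test as the Wireshark filter 'rtp[3:1]==0 or rtp.marker==1'.
    rtp[3:1] is the 4th byte of the frame, i.e. the low byte of the
    16-bit sequence number, so (seq & 0xFF) == 0 is the same check."""
    hdr = parse_rtp(pkt)
    return (hdr.seq & 0xFF) == 0 or hdr.marker

def build_rtp(seq, marker=False, pt=0, ts=0, ssrc=0x12345678, payload=b"\x00" * 160):
    """Constructed RTP packet: V=2, no padding/extension/CSRCs, 160-byte payload."""
    b0 = 0x80
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload

def sample_stream(n=1000, first_seq=40705, ptime_ms=20):
    """Constructed stream: one packet every ptime_ms, marker set on the first
    packet of the talkspurt. Returns the kept sequence numbers and the time in
    seconds between consecutive kept packets."""
    kept = []
    for i in range(n):
        if matches_sample_filter(build_rtp(first_seq + i, marker=(i == 0), ts=i * 160)):
            kept.append(i)
    gaps_s = [(b - a) * ptime_ms / 1000 for a, b in zip(kept, kept[1:])]
    return [(first_seq + i) & 0xFFFF for i in kept], gaps_s
```

Out of 1000 packets only four survive: the first (marker bit) and then one every 256 sequence numbers, 5.12 s apart at 20 ms packetisation.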