3 * Routines for RTP dissection
4 * RTP = Real time Transport Protocol
6 * Copyright 2000, Philips Electronics N.V.
7 * Written by Andreas Sikkema <andreas.sikkema@philips.com>
9 * $Id: packet-rtp.c,v 1.33 2002/01/24 09:20:51 guy Exp $
11 * Ethereal - Network traffic analyzer
12 * By Gerald Combs <gerald@ethereal.com>
13 * Copyright 1998 Gerald Combs
15 * This program is free software; you can redistribute it and/or
16 * modify it under the terms of the GNU General Public License
17 * as published by the Free Software Foundation; either version 2
18 * of the License, or (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, write to the Free Software
27 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 * This dissector tries to dissect the RTP protocol according to Annex A
32 * of ITU-T Recommendation H.225.0 (02/98) or RFC 1889
34 * RTP traffic is handled by an even UDP portnumber. This can be any
35 * port number, but there is a registered port available, port 5004
36 * See Annex B of ITU-T Recommendation H.225.0, section B.7
38 * This doesn't dissect older versions of RTP, such as:
40 * the vat protocol ("version 0") - see
42 * ftp://ftp.ee.lbl.gov/conferencing/vat/alpha-test/vatsrc-4.0b2.tar.gz
44 * and look in "session-vat.cc" if you want to write a dissector
45 * (have fun - there aren't any nice header files showing the packet
48 * version 1, as documented in
50 * ftp://gaia.cs.umass.edu/pub/hgschulz/rtp/draft-ietf-avt-rtp-04.txt
59 #include <epan/packet.h>
61 #ifdef HAVE_SYS_TYPES_H
62 # include <sys/types.h>
65 #ifdef HAVE_NETINET_IN_H
66 # include <netinet/in.h>
72 #include "packet-rtp.h"
73 #include <epan/conversation.h>
75 /* RTP header fields */
/* Registration ids. Each starts at -1; proto_rtp is assigned by
 * proto_register_protocol() in proto_register_rtp(), and hf_ ids such as
 * hf_rtp_payload_type are referenced from the hf[] table registered there. */
76 static int proto_rtp = -1;
77 static int hf_rtp_version = -1;
78 static int hf_rtp_padding = -1;
79 static int hf_rtp_extension = -1;
80 static int hf_rtp_csrc_count = -1;
81 static int hf_rtp_marker = -1;
82 static int hf_rtp_payload_type = -1;
83 static int hf_rtp_seq_nr = -1;
84 static int hf_rtp_timestamp = -1;
85 static int hf_rtp_ssrc = -1;
86 static int hf_rtp_csrc_item = -1;
87 static int hf_rtp_data = -1;
88 static int hf_rtp_padding_data = -1;
89 static int hf_rtp_padding_count= -1;
91 /* RTP header extension fields */
92 static int hf_rtp_prof_define = -1;
93 static int hf_rtp_length = -1;
94 static int hf_rtp_hdr_ext = -1;
96 /* RTP fields defining a sub tree */
97 static gint ett_rtp = -1;
98 static gint ett_csrc_list = -1;
99 static gint ett_hdr_ext = -1;
/* Handles for the dissectors this file calls; all three are looked up by
 * name with find_dissector() in proto_reg_handoff_rtp(). */
101 static dissector_handle_t h261_handle;
102 static dissector_handle_t mpeg1_handle;
103 static dissector_handle_t data_handle;
105 static gboolean dissect_rtp_heur( tvbuff_t *tvb, packet_info *pinfo,
107 static void dissect_rtp( tvbuff_t *tvb, packet_info *pinfo,
/*
 * Accessors for the bit fields packed into the first octet of the RTP header.
 * None of them masks or narrows its argument, so pass a single unsigned
 * 8-bit value; RTP_VERSION in particular only yields 0..3 for such input.
 */

/* Version: the two most significant bits of the first octet. */
#define RTP_VERSION(octet)	((octet) >> 6)

/* Padding flag: third bit from the top. Left unshifted, because any
   non-zero result already reads as true. */
#define RTP_PADDING(octet)	((octet) & (1 << 5))

/* Extension flag: fourth bit from the top, also left unshifted. */
#define RTP_EXTENSION(octet)	((octet) & (1 << 4))

/* CSRC count: the low four bits, so the result is always 0..15. */
#define RTP_CSRC_COUNT(octet)	((octet) & 0x0F)
/* Display names for the values of the 2-bit version field (see RTP_VERSION);
 * registered for hf_rtp_version through VALS(rtp_version_vals). */
127 static const value_string rtp_version_vals[] =
129 { 0, "Old VAT Version" },
130 { 1, "First Draft Version" },
131 { 2, "RFC 1889 Version" },
/*
 * Accessors for the bit fields packed into the second octet of the RTP header.
 * As with the first-octet macros, the argument is expected to be a single
 * unsigned 8-bit value.
 */

/* Marker flag: most significant bit of the second octet, left unshifted. */
#define RTP_MARKER(octet)	((octet) & (1 << 7))

/* Payload type: the remaining seven low bits, so the result is 0..127. */
#define RTP_PAYLOAD_TYPE(octet)	((octet) & 0x7F)
147 * Table B.2 / H.225.0
/* Payload type codes from Table B.2 / H.225.0. Only some of the PT_
 * definitions used by rtp_payload_type_vals appear in this listing. */
155 #define PT_DVI4_8000 5
156 #define PT_DVI4_16000 6
160 #define PT_L16_STEREO 10
161 #define PT_L16_MONO 11
/*
 * Display names for RTP payload type codes. dissect_rtp() passes this table
 * to val_to_str() for the Info column, and proto_register_rtp() attaches it
 * to hf_rtp_payload_type through VALS().
 *
 * The payload type is a 7-bit value read from the packet (RTP_PAYLOAD_TYPE),
 * so codes that have no entry here can arrive at any time.
 *
 * NOTE(review): "MPEG-I/II Audeo" looks like a typo for "Audio". It is a
 * displayed string, so it is left untouched in this documentation pass.
 */
173 static const value_string rtp_payload_type_vals[] =
175 { PT_PCMU, "ITU-T G.711 PCMU" },
176 { PT_1016, "USA Federal Standard FS-1016" },
177 { PT_G721, "ITU-T G.721" },
178 { PT_GSM, "GSM 06.10" },
179 { PT_G723, "ITU-T G.723" },
180 { PT_DVI4_8000, "DVI4 8000 samples/s" },
181 { PT_DVI4_16000, "DVI4 16000 samples/s" },
183 { PT_PCMA, "ITU-T G.711 PCMA" },
184 { PT_G722, "ITU-T G.722" },
185 { PT_L16_STEREO, "16-bit uncompressed audio, stereo" },
186 { PT_L16_MONO, "16-bit uncompressed audio, monaural" },
187 { PT_MPA, "MPEG-I/II Audeo"},
188 { PT_G728, "ITU-T G.728" },
189 { PT_G729, "ITU-T G.729" },
190 { PT_CELB, "Sun CELL-B" },
192 { PT_NV, "'nv' program" },
193 { PT_H261, "ITU-T H.261" },
194 { PT_MPV, "MPEG-I/II Video"},
195 { PT_MP2T, "MPEG-II transport streams"},
196 { PT_H263, "ITU-T H.263" },
/* Placeholder address used as the second endpoint of every RTP conversation
 * looked up or created in this file; rtp_init() fills it in. */
200 static address fake_addr;
/* Starts FALSE. Presumably records that the heuristic dissector has been
 * registered; the lines that test and set it are not in this listing. */
201 static int heur_init = FALSE;
/*
 * Marks an endpoint as carrying RTP: builds an IPv4 address from ip_addr,
 * looks for a UDP conversation between that address/port and fake_addr, and
 * creates one tagged with proto_rtp data. dissect_rtp_heur() later claims
 * packets whose source or destination matches such a conversation.
 *
 * Does nothing for a packet that has already been visited.
 *
 * NOTE(review): several lines of this function, including the rest of the
 * parameter list and the guards around the registration and the
 * conversation_new() call, are missing from this listing.
 */
203 void rtp_add_address( packet_info *pinfo, const unsigned char* ip_addr,
207 conversation_t* pconv;
210 * If this isn't the first time this packet has been processed,
211 * we've already done this work, so we don't need to do it
214 if (pinfo->fd->flags.visited)
/* NOTE(review): src_addr.data keeps the caller's ip_addr pointer as is; no
 * NULL check or copy is visible here. Whether conversation_new() copies the
 * address bytes is not shown - confirm the buffer outlives the conversation. */
217 src_addr.type = AT_IPv4;
219 src_addr.data = ip_addr;
222 * The first time the function is called let the udp dissector
223 * know that we're interested in traffic
226 heur_dissector_add( "udp", dissect_rtp_heur, proto_rtp );
231 * Check if the ip address and port combination is not
234 pconv = find_conversation( &src_addr, &fake_addr, PT_UDP, prt, 0, 0 );
238 * XXX - use wildcard address and port B?
241 pconv = conversation_new( &src_addr, &fake_addr, PT_UDP,
242 (guint32) prt, (guint32) 0, 0 );
/* NOTE(review): the data pointer stored for proto_rtp is NULL, while
 * dissect_rtp_heur() compares conversation_get_proto_data() against NULL.
 * If that call returns the stored pointer, the two disagree - confirm. */
243 conversation_add_proto_data(pconv, proto_rtp, NULL);
/*
 * Init routine, registered with register_init_routine() in
 * proto_register_rtp(): sets fake_addr to an IPv4-typed address backed by a
 * freshly allocated buffer of fake_addr.len bytes.
 *
 * NOTE(review): the malloc() result is used without a visible NULL check, and
 * fake_addr.data is overwritten without a visible free(), so a second call
 * would leak the earlier buffer. The assignment of fake_addr.len and the loop
 * body are missing from this listing - confirm against the full source.
 */
249 static void rtp_init( void )
251 unsigned char* tmp_data;
254 /* Create a fake address... */
255 fake_addr.type = AT_IPv4;
258 tmp_data = malloc( fake_addr.len );
259 for ( i = 0; i < fake_addr.len; i++) {
262 fake_addr.data = tmp_data;
/*
 * Heuristic entry point, registered on "udp" by rtp_add_address(). It decides
 * from conversation state only: the packet's source address/port, then its
 * destination address/port, is looked up against fake_addr, and the matching
 * conversation must carry proto_rtp data. The packet bytes are not inspected
 * here; dissect_rtp() does its own version check.
 *
 * NOTE(review): the return statements are missing from this listing, so the
 * exact accept/reject values are not visible.
 */
267 dissect_rtp_heur( tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree )
269 conversation_t* pconv;
271 /* This is a heuristic dissector, which means we get all the UDP
272 * traffic not sent to a known dissector and not claimed by
273 * a heuristic dissector called before us!
274 * So we first check if the frame is really meant for us.
276 if ( ( pconv = find_conversation( &pinfo->src, &fake_addr, pinfo->ptype,
277 pinfo->srcport, 0, 0 ) ) == NULL ) {
279 * The source ip:port combination was not what we were
280 * looking for, check the destination
282 if ( ( pconv = find_conversation( &pinfo->dst, &fake_addr,
283 pinfo->ptype, pinfo->destport, 0, 0 ) ) == NULL ) {
289 * An RTP conversation always has a data item for RTP.
290 * (Its existence is sufficient to indicate that this is an RTP
/* NOTE(review): rtp_add_address() stores NULL as the proto_rtp data. If
 * conversation_get_proto_data() returns that stored pointer, this test cannot
 * tell "no data item" from "data item present" - confirm. */
293 if (conversation_get_proto_data(pconv, proto_rtp) == NULL)
296 dissect_rtp( tvb, pinfo, tree );
/*
 * Hands the RTP payload that starts at offset to a payload-specific
 * dissector, chosen by payload_type. Two branches wrap the payload in a new
 * sub-tvbuff of data_len bytes and call the H.261 or the MPEG-1 dissector;
 * the remaining visible branch adds the bytes to rtp_tree as hf_rtp_data.
 *
 * offset and data_len are derived by the caller from packet contents.
 *
 * NOTE(review): the case labels and the last tvb_new_subset() argument are
 * missing from this listing. h261_handle and mpeg1_handle come from
 * find_dissector() in proto_reg_handoff_rtp(); no NULL check is visible
 * before call_dissector() - confirm one is not needed.
 */
302 dissect_rtp_data( tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
303 proto_tree *rtp_tree, int offset, unsigned int data_len,
304 unsigned int data_reported_len, unsigned int payload_type )
308 switch( payload_type ) {
310 newtvb = tvb_new_subset( tvb, offset, data_len,
312 call_dissector(h261_handle, newtvb, pinfo, tree);
316 newtvb = tvb_new_subset( tvb, offset, data_len,
318 call_dissector(mpeg1_handle, newtvb, pinfo, tree);
322 proto_tree_add_item( rtp_tree, hf_rtp_data, tvb, offset, data_len, FALSE );
/*
 * Dissects one RTP packet held in tvb: reads the fixed header, sets the
 * Protocol and Info columns, and adds the header fields, the CSRC list, the
 * optional header extension, the padding and the payload to the tree.
 *
 * A version the code does not support gets only the columns and a version
 * item.
 *
 * Every count and length used below (csrc_count, hdr_extension,
 * padding_count) is read from the packet and is therefore untrusted. No
 * explicit length checks are visible; the code appears to rely on the tvb_*
 * accessors to reject reads past the captured data - confirm.
 *
 * NOTE(review): many short lines (braces, offset updates, returns, some
 * declarations) are missing from this listing.
 */
328 dissect_rtp( tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree )
330 proto_item *ti = NULL;
331 proto_tree *rtp_tree = NULL;
332 proto_tree *rtp_csrc_tree = NULL;
334 unsigned int version;
335 gboolean padding_set;
336 gboolean extension_set;
337 unsigned int csrc_count;
339 unsigned int payload_type;
341 unsigned int hdr_extension= 0;
342 unsigned int padding_count;
344 unsigned int offset = 0;
350 /* Get the fields in the first octet */
351 octet = tvb_get_guint8( tvb, offset );
352 version = RTP_VERSION( octet );
356 * Unknown or unsupported version.
358 if ( check_col( pinfo->cinfo, COL_PROTOCOL ) ) {
359 col_set_str( pinfo->cinfo, COL_PROTOCOL, "RTP" );
362 if ( check_col( pinfo->cinfo, COL_INFO) ) {
363 col_add_fstr( pinfo->cinfo, COL_INFO,
364 "Unknown RTP version %u", version);
368 ti = proto_tree_add_item( tree, proto_rtp, tvb, offset, -1, FALSE );
369 rtp_tree = proto_item_add_subtree( ti, ett_rtp );
371 proto_tree_add_uint( rtp_tree, hf_rtp_version, tvb,
372 offset, 1, version );
/* Remaining first-octet fields. csrc_count is masked to four bits, so it is
 * at most 15. */
377 padding_set = RTP_PADDING( octet );
378 extension_set = RTP_EXTENSION( octet );
379 csrc_count = RTP_CSRC_COUNT( octet );
381 /* Get the fields in the second octet */
382 octet = tvb_get_guint8( tvb, offset + 1 );
383 marker_set = RTP_MARKER( octet );
384 payload_type = RTP_PAYLOAD_TYPE( octet );
386 /* Get the subsequent fields */
387 seq_num = tvb_get_ntohs( tvb, offset + 2 );
388 timestamp = tvb_get_ntohl( tvb, offset + 4 );
389 sync_src = tvb_get_ntohl( tvb, offset + 8 );
391 if ( check_col( pinfo->cinfo, COL_PROTOCOL ) ) {
392 col_set_str( pinfo->cinfo, COL_PROTOCOL, "RTP" );
395 if ( check_col( pinfo->cinfo, COL_INFO) ) {
396 col_add_fstr( pinfo->cinfo, COL_INFO,
397 "Payload type=%s, SSRC=%u, Seq=%u, Time=%u%s",
398 val_to_str( payload_type, rtp_payload_type_vals,
403 marker_set ? ", Mark" : "");
407 ti = proto_tree_add_item( tree, proto_rtp, tvb, offset, -1, FALSE );
408 rtp_tree = proto_item_add_subtree( ti, ett_rtp );
410 proto_tree_add_uint( rtp_tree, hf_rtp_version, tvb,
411 offset, 1, version );
412 proto_tree_add_boolean( rtp_tree, hf_rtp_padding, tvb,
413 offset, 1, padding_set );
414 proto_tree_add_boolean( rtp_tree, hf_rtp_extension, tvb,
415 offset, 1, extension_set );
416 proto_tree_add_uint( rtp_tree, hf_rtp_csrc_count, tvb,
417 offset, 1, csrc_count );
420 proto_tree_add_boolean( rtp_tree, hf_rtp_marker, tvb, offset,
422 proto_tree_add_uint( rtp_tree, hf_rtp_payload_type, tvb,
423 offset, 1, payload_type );
426 /* Sequence number 16 bits (2 octets) */
427 proto_tree_add_uint( rtp_tree, hf_rtp_seq_nr, tvb, offset, 2, seq_num );
430 /* Timestamp 32 bits (4 octets) */
431 proto_tree_add_uint( rtp_tree, hf_rtp_timestamp, tvb, offset, 4, timestamp );
434 /* Synchronization source identifier 32 bits (4 octets) */
435 proto_tree_add_uint( rtp_tree, hf_rtp_ssrc, tvb, offset, 4, sync_src );
/* CSRC list: csrc_count 32-bit identifiers, so the list item spans at most
 * 15 * 4 = 60 octets. */
439 if ( csrc_count > 0 ) {
440 ti = proto_tree_add_text(rtp_tree, tvb, offset, csrc_count * 4, "Contributing Source identifiers");
441 rtp_csrc_tree = proto_item_add_subtree( ti, ett_csrc_list );
442 for (i = 0; i < csrc_count; i++ ) {
443 csrc_item = tvb_get_ntohl( tvb, offset );
444 proto_tree_add_uint_format( rtp_csrc_tree,
445 hf_rtp_csrc_item, tvb, offset, 4,
453 /* Optional RTP header extension */
454 if ( extension_set ) {
455 /* Defined by profile field is 16 bits (2 octets) */
456 proto_tree_add_uint( rtp_tree, hf_rtp_prof_define, tvb, offset, 2, tvb_get_ntohs( tvb, offset ) );
/* hdr_extension is a 16-bit count taken directly from the packet. */
459 hdr_extension = tvb_get_ntohs( tvb, offset );
460 proto_tree_add_uint( rtp_tree, hf_rtp_length, tvb,
461 offset, 2, hdr_extension);
463 if ( hdr_extension > 0 ) {
/* NOTE(review): the item length below is csrc_count * 4, the same expression
 * as for the CSRC list, although this item covers the header extension, whose
 * loop adds hdr_extension 4-octet entries. hdr_extension * 4 looks intended;
 * with csrc_count == 0 the item currently has length 0 - confirm. */
464 ti = proto_tree_add_text(rtp_tree, tvb, offset, csrc_count * 4, "Header extensions");
465 /* I'm re-using the old tree variable here
466 from the CSRC list!*/
467 rtp_csrc_tree = proto_item_add_subtree( ti,
/* NOTE(review): the loop bound comes from the packet (up to 65535 entries).
 * On a short packet the loop presumably ends when tvb_get_ntohl() fails on an
 * out-of-range offset; that behaviour is not shown here - confirm. */
469 for (i = 0; i < hdr_extension; i++ ) {
470 proto_tree_add_uint( rtp_csrc_tree, hf_rtp_hdr_ext, tvb, offset, 4, tvb_get_ntohl( tvb, offset ) );
478 * This RTP frame has padding - find it.
480 * The padding count is found in the LAST octet of
481 * the packet; it contains the number of octets
482 * that can be ignored at the end of the packet.
484 if (tvb_length(tvb) < tvb_reported_length(tvb)) {
486 * We don't *have* the last octet of the
487 * packet, so we can't get the padding
490 * Put an indication of that into the
491 * tree, and just put in a raw data
494 proto_tree_add_text(rtp_tree, tvb, 0, 0,
495 "Frame has padding, but not all the frame data was captured");
496 call_dissector(data_handle,tvb_new_subset(tvb, offset,-1,tvb_reported_length_remaining(tvb,offset)), pinfo, rtp_tree);
/* padding_count is the packet's final octet, an untrusted value in 0..255.
 * It is subtracted from the remaining reported length; the branches below
 * handle a positive and a negative result, so the variable receiving the
 * difference must be signed (its declaration is not in this listing). */
500 padding_count = tvb_get_guint8( tvb,
501 tvb_reported_length( tvb ) - 1 );
503 tvb_reported_length_remaining( tvb, offset ) - padding_count;
506 * There's data left over when you take out
507 * the padding; dissect it.
509 dissect_rtp_data( tvb, pinfo, tree, rtp_tree,
515 } else if (data_len < 0) {
517 * The padding count is bigger than the
518 * amount of RTP payload in the packet!
519 * Clip the padding count.
521 * XXX - put an item in the tree to indicate
522 * that the padding count is bogus?
525 tvb_reported_length_remaining(tvb, offset);
/* NOTE(review): a padding count of 0 with the padding bit set skips the
 * branch below, after which one octet at offset is still shown as the count.
 * By then the payload call above has presumably consumed the whole remainder,
 * so that octet may lie past the end of the packet - confirm. */
527 if (padding_count > 1) {
529 * There's more than one byte of padding;
530 * show all but the last byte as padding
533 proto_tree_add_item( rtp_tree, hf_rtp_padding_data,
534 tvb, offset, padding_count - 1, FALSE );
535 offset += padding_count - 1;
538 * Show the last byte in the PDU as the padding
541 proto_tree_add_item( rtp_tree, hf_rtp_padding_count,
542 tvb, offset, 1, FALSE );
/* No padding: everything after the header is payload, passed with both the
 * captured and the reported remaining length. */
548 dissect_rtp_data( tvb, pinfo, tree, rtp_tree, offset,
549 tvb_length_remaining( tvb, offset ),
550 tvb_reported_length_remaining( tvb, offset ),
/*
 * Registers the RTP protocol: the protocol itself (result stored in
 * proto_rtp), the header fields in hf[], the subtree ids in ett[], the
 * dissector under the name "rtp", and rtp_init() as an init routine.
 *
 * NOTE(review): most of the hf[] table and the ett[] definition are missing
 * from this listing.
 */
557 proto_register_rtp(void)
559 static hf_register_info hf[] =
568 VALS(rtp_version_vals),
600 "Contributing source identifiers count",
622 &hf_rtp_payload_type,
628 VALS(rtp_payload_type_vals),
660 "Synchronization Source identifier",
672 "Defined by profile",
730 &hf_rtp_padding_data,
742 &hf_rtp_padding_count,
763 proto_rtp = proto_register_protocol("Real-Time Transport Protocol",
765 proto_register_field_array(proto_rtp, hf, array_length(hf));
766 proto_register_subtree_array(ett, array_length(ett));
768 register_dissector("rtp", dissect_rtp, proto_rtp);
771 register_init_routine( &rtp_init );
/*
 * Handoff step: looks up the "h261", "mpeg1" and "data" dissectors by name
 * and stores their handles in the file-level variables, then adds the "rtp"
 * dissector's handle to the "udp.port" table with dissector_add_handle().
 *
 * NOTE(review): none of the find_dissector() results is checked here. The
 * stored handles are later passed to call_dissector() in dissect_rtp_data()
 * and dissect_rtp(); whether a failed lookup can yield an unusable handle is
 * not shown - confirm.
 */
776 proto_reg_handoff_rtp(void)
778 dissector_handle_t rtp_handle;
781 * Get handles for the H.261 and MPEG-1 dissectors.
783 h261_handle = find_dissector("h261");
784 mpeg1_handle = find_dissector("mpeg1");
785 data_handle = find_dissector("data");
788 * Register this dissector as one that can be selected by a
791 rtp_handle = find_dissector("rtp");
792 dissector_add_handle("udp.port", rtp_handle);