3 * Routines for RTP dissection
4 * RTP = Real time Transport Protocol
6 * Copyright 2000, Philips Electronics N.V.
7 * Written by Andreas Sikkema <h323@ramdyne.nl>
9 * $Id: packet-rtp.c,v 1.45 2004/02/14 22:48:53 guy Exp $
11 * Ethereal - Network traffic analyzer
12 * By Gerald Combs <gerald@ethereal.com>
13 * Copyright 1998 Gerald Combs
15 * This program is free software; you can redistribute it and/or
16 * modify it under the terms of the GNU General Public License
17 * as published by the Free Software Foundation; either version 2
18 * of the License, or (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, write to the Free Software
27 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
31 * This dissector tries to dissect the RTP protocol according to Annex A
32 * of ITU-T Recommendation H.225.0 (02/98) or RFC 1889
34 * RTP traffic is handled by an even UDP portnumber. This can be any
35 * port number, but there is a registered port available, port 5004
36 * See Annex B of ITU-T Recommendation H.225.0, section B.7
38 * This doesn't dissect older versions of RTP, such as:
40 * the vat protocol ("version 0") - see
42 * ftp://ftp.ee.lbl.gov/conferencing/vat/alpha-test/vatsrc-4.0b2.tar.gz
44 * and look in "session-vat.cc" if you want to write a dissector
45 * (have fun - there aren't any nice header files showing the packet
48 * version 1, as documented in
50 * ftp://gaia.cs.umass.edu/pub/hgschulz/rtp/draft-ietf-avt-rtp-04.txt
59 #include <epan/packet.h>
64 #include "packet-rtp.h"
66 #include <epan/conversation.h>
69 static int rtp_tap = -1;
71 static dissector_table_t rtp_pt_dissector_table;
73 /* RTP header fields */
74 static int proto_rtp = -1;
75 static int hf_rtp_version = -1;
76 static int hf_rtp_padding = -1;
77 static int hf_rtp_extension = -1;
78 static int hf_rtp_csrc_count = -1;
79 static int hf_rtp_marker = -1;
80 static int hf_rtp_payload_type = -1;
81 static int hf_rtp_seq_nr = -1;
82 static int hf_rtp_timestamp = -1;
83 static int hf_rtp_ssrc = -1;
84 static int hf_rtp_csrc_item = -1;
85 static int hf_rtp_data = -1;
86 static int hf_rtp_padding_data = -1;
87 static int hf_rtp_padding_count= -1;
89 /* RTP header extension fields */
90 static int hf_rtp_prof_define = -1;
91 static int hf_rtp_length = -1;
92 static int hf_rtp_hdr_ext = -1;
94 /* RTP fields defining a sub tree */
95 static gint ett_rtp = -1;
96 static gint ett_csrc_list = -1;
97 static gint ett_hdr_ext = -1;
99 static dissector_handle_t data_handle;
101 static gboolean dissect_rtp_heur( tvbuff_t *tvb, packet_info *pinfo,
103 static void dissect_rtp( tvbuff_t *tvb, packet_info *pinfo,
// Bit layout implied by the masks below: octet 1 = version (2 bits),
// padding (1), extension (1), CSRC count (4); octet 2 = marker (1),
// payload type (7). RTP_PADDING, RTP_EXTENSION and RTP_MARKER yield the
// masked bit itself (0x20, 0x10, 0x80) rather than 0 or 1.
107 * Fields in the first octet of the RTP header.
110 /* Version is the first 2 bits of the first octet*/
111 #define RTP_VERSION(octet) ((octet) >> 6)
113 /* Padding is the third bit; No need to shift, because true is any value
115 #define RTP_PADDING(octet) ((octet) & 0x20)
117 /* Extension bit is the fourth bit */
118 #define RTP_EXTENSION(octet) ((octet) & 0x10)
120 /* CSRC count is the last four bits */
121 #define RTP_CSRC_COUNT(octet) ((octet) & 0xF)
// The 2-bit version field can also hold 3; no entry for that value is
// visible in the lines of this table shown here.
123 static const value_string rtp_version_vals[] =
125 { 0, "Old VAT Version" },
126 { 1, "First Draft Version" },
127 { 2, "RFC 1889 Version" },
132 * Fields in the second octet of the RTP header.
135 /* Marker is the first bit of the second octet */
136 #define RTP_MARKER(octet) ((octet) & 0x80)
138 /* Payload type is the last 7 bits */
139 #define RTP_PAYLOAD_TYPE(octet) ((octet) & 0x7F)
141 static const value_string rtp_payload_type_vals[] =
143 { PT_PCMU, "ITU-T G.711 PCMU" },
144 { PT_1016, "USA Federal Standard FS-1016" },
145 { PT_G721, "ITU-T G.721" },
146 { PT_GSM, "GSM 06.10" },
147 { PT_G723, "ITU-T G.723" },
148 { PT_DVI4_8000, "DVI4 8000 samples/s" },
149 { PT_DVI4_16000, "DVI4 16000 samples/s" },
150 { PT_LPC, "Experimental linear predictive encoding from Xerox PARC" },
151 { PT_PCMA, "ITU-T G.711 PCMA" },
152 { PT_G722, "ITU-T G.722" },
153 { PT_L16_STEREO, "16-bit uncompressed audio, stereo" },
154 { PT_L16_MONO, "16-bit uncompressed audio, monaural" },
155 { PT_QCELP, "Qualcomm Code Excited Linear Predictive coding" },
156 { PT_CN, "Comfort noise" },
157 { PT_MPA, "MPEG-I/II Audio"},
158 { PT_G728, "ITU-T G.728" },
159 { PT_DVI4_11025, "DVI4 11025 samples/s" },
160 { PT_DVI4_22050, "DVI4 22050 samples/s" },
161 { PT_G729, "ITU-T G.729" },
162 { PT_CELB, "Sun CellB video encoding" },
163 { PT_JPEG, "JPEG-compressed video" },
164 { PT_NV, "'nv' program" },
165 { PT_H261, "ITU-T H.261" },
166 { PT_MPV, "MPEG-I/II Video"},
167 { PT_MP2T, "MPEG-II transport streams"},
168 { PT_H263, "ITU-T H.263" },
172 static address fake_addr;
173 static int heur_init = FALSE;
// Records ip_addr:prt as an expected RTP endpoint: it creates a UDP
// conversation keyed on that address and the module-wide fake_addr, which is
// the same pair dissect_rtp_heur looks up later.
// The parameter list is cut off in this listing; prt is used below as the
// port but its declaration is not shown.
// NOTE(review): no validation of the caller-supplied address or port is
// visible; whatever is passed in decides which UDP flows the heuristic will
// treat as RTP.
175 void rtp_add_address( packet_info *pinfo, const unsigned char* ip_addr,
179 conversation_t* pconv;
182 * If this isn't the first time this packet has been processed,
183 * we've already done this work, so we don't need to do it
186 if (pinfo->fd->flags.visited)
189 src_addr.type = AT_IPv4;
191 src_addr.data = ip_addr;
194 * The first time the function is called let the tcp dissector
195 * know that we're interested in traffic
// The registration below is on the "udp" heuristic list, although the
// comment above says tcp.
198 heur_dissector_add( "udp", dissect_rtp_heur, proto_rtp );
203 * Check if the ip address an dport combination is not
206 pconv = find_conversation( &src_addr, &fake_addr, PT_UDP, prt, 0, 0 );
210 * XXX - use wildcard address and port B?
213 pconv = conversation_new( &src_addr, &fake_addr, PT_UDP,
214 (guint32) prt, (guint32) 0, 0 );
// NOTE(review): the RTP data item is stored with a NULL value, while
// dissect_rtp_heur rejects a conversation when
// conversation_get_proto_data(...) == NULL. If that accessor returns the
// stored pointer, the heuristic would reject the conversations created
// here - confirm.
215 conversation_add_proto_data(pconv, proto_rtp, NULL);
// Init routine (registered through register_init_routine in
// proto_register_rtp): builds the placeholder address fake_addr that the
// conversation lookups in this file pass as their second endpoint.
221 static void rtp_init( void )
223 unsigned char* tmp_data;
226 /* Create a fake address... */
227 fake_addr.type = AT_IPv4;
// NOTE(review): no NULL check sits between this malloc and the loop on the
// next source line (the loop body is not shown, but presumably writes
// through tmp_data).
230 tmp_data = malloc( fake_addr.len );
231 for ( i = 0; i < fake_addr.len; i++) {
// NOTE(review): no free of an earlier fake_addr.data is visible in the lines
// shown; if this routine runs more than once the previous buffer would
// leak - confirm.
234 fake_addr.data = tmp_data;
// Heuristic entry point: looks for a conversation between the packet's
// source address and port and fake_addr, then, failing that, between its
// destination address and port and fake_addr, and hands the packet to
// dissect_rtp.
// NOTE(review): the comment below speaks of TCP traffic, but the only
// registration visible in this file is heur_dissector_add("udp", ...).
// NOTE(review): in the lines shown, acceptance rests on the conversation
// match alone; no check of the packet contents is visible before
// dissect_rtp is called.
239 dissect_rtp_heur( tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree )
241 conversation_t* pconv;
243 /* This is a heuristic dissector, which means we get all the TCP
244 * traffic not sent to a known dissector and not claimed by
245 * a heuristic dissector called before us!
246 * So we first check if the frame is really meant for us.
248 if ( ( pconv = find_conversation( &pinfo->src, &fake_addr, pinfo->ptype,
249 pinfo->srcport, 0, 0 ) ) == NULL ) {
251 * The source ip:port combination was not what we were
252 * looking for, check the destination
254 if ( ( pconv = find_conversation( &pinfo->dst, &fake_addr,
255 pinfo->ptype, pinfo->destport, 0, 0 ) ) == NULL ) {
261 * An RTP conversation always has a data item for RTP.
262 * (Its existence is sufficient to indicate that this is an RTP
// NOTE(review): rtp_add_address stores NULL as the data item, so this test
// may not distinguish a missing item from a present one - confirm what
// conversation_get_proto_data returns for an entry whose value is NULL.
265 if (conversation_get_proto_data(pconv, proto_rtp) == NULL)
268 dissect_rtp( tvb, pinfo, tree );
// Hands the RTP payload to a payload-type subdissector: a subset tvbuff
// starting at offset (data_len captured, data_reported_len reported octets)
// is offered to rtp_pt_dissector_table under payload_type; the
// proto_tree_add_item call below adds it as a plain hf_rtp_data item.
// NOTE(review): both length parameters are unsigned int, while dissect_rtp
// passes the results of tvb_length_remaining and
// tvb_reported_length_remaining directly; a negative result from those
// would arrive here as a very large value - confirm how tvb_new_subset
// treats it.
274 dissect_rtp_data( tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
275 proto_tree *rtp_tree, int offset, unsigned int data_len,
276 unsigned int data_reported_len, unsigned int payload_type )
280 newtvb = tvb_new_subset( tvb, offset, data_len, data_reported_len );
281 if (!dissector_try_port(rtp_pt_dissector_table, payload_type, newtvb,
283 proto_tree_add_item( rtp_tree, hf_rtp_data, newtvb, 0, -1, FALSE );
// Dissects one RTP packet: decodes the fixed header, the CSRC list, the
// optional header extension and the padding, passes the payload to
// dissect_rtp_data, and queues the collected rtp_info for the RTP tap.
// Every header value is read from the packet through tvbuff accessors and
// should be treated as untrusted input.
287 dissect_rtp( tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree )
289 proto_item *ti = NULL;
290 proto_tree *rtp_tree = NULL;
291 proto_tree *rtp_csrc_tree = NULL;
292 guint8 octet1, octet2;
293 unsigned int version;
294 gboolean padding_set;
295 gboolean extension_set;
296 unsigned int csrc_count;
298 unsigned int payload_type;
300 unsigned int hdr_extension= 0;
301 unsigned int padding_count;
302 gint length, reported_length;
304 unsigned int offset = 0;
// static: one shared instance, overwritten on every call and handed to the
// tap by address at the end of the function.
310 static struct _rtp_info rtp_info;
312 /* Get the fields in the first octet */
313 octet1 = tvb_get_guint8( tvb, offset );
314 version = RTP_VERSION( octet1 );
318 * Unknown or unsupported version.
320 if ( check_col( pinfo->cinfo, COL_PROTOCOL ) ) {
321 col_set_str( pinfo->cinfo, COL_PROTOCOL, "RTP" );
324 if ( check_col( pinfo->cinfo, COL_INFO) ) {
325 col_add_fstr( pinfo->cinfo, COL_INFO,
326 "Unknown RTP version %u", version);
330 ti = proto_tree_add_item( tree, proto_rtp, tvb, offset, -1, FALSE );
331 rtp_tree = proto_item_add_subtree( ti, ett_rtp );
333 proto_tree_add_uint( rtp_tree, hf_rtp_version, tvb,
339 padding_set = RTP_PADDING( octet1 );
340 extension_set = RTP_EXTENSION( octet1 );
// csrc_count is masked to 4 bits, so the CSRC loop further down runs at
// most 15 times.
341 csrc_count = RTP_CSRC_COUNT( octet1 );
343 /* Get the fields in the second octet */
344 octet2 = tvb_get_guint8( tvb, offset + 1 );
345 marker_set = RTP_MARKER( octet2 );
346 payload_type = RTP_PAYLOAD_TYPE( octet2 );
348 /* Get the subsequent fields */
349 seq_num = tvb_get_ntohs( tvb, offset + 2 );
350 timestamp = tvb_get_ntohl( tvb, offset + 4 );
351 sync_src = tvb_get_ntohl( tvb, offset + 8 );
353 /* fill in the rtp_info structure */
354 rtp_info.info_padding_set = padding_set;
355 rtp_info.info_padding_count = 0;
356 rtp_info.info_marker_set = marker_set;
357 rtp_info.info_payload_type = payload_type;
358 rtp_info.info_seq_num = seq_num;
359 rtp_info.info_timestamp = timestamp;
360 rtp_info.info_sync_src = sync_src;
363 * Do we have all the data?
365 length = tvb_length_remaining(tvb, offset);
366 reported_length = tvb_reported_length_remaining(tvb, offset);
367 if (reported_length >= 0 && length >= reported_length) {
371 rtp_info.info_all_data_present = TRUE;
372 rtp_info.info_data_len = reported_length;
375 * Save the pointer to raw rtp data (header + payload incl.
377 * That should be safe because the "epan_dissect_t"
378 * constructed for the packet has not yet been freed when
379 * the taps are called.
380 * (Destroying the "epan_dissect_t" will end up freeing
381 * all the tvbuffs and hence invalidating pointers to
383 * See "add_packet_to_packet_list()" for details.
// info_data points into the tvbuff; info_data_len, set above from
// reported_length, is the bound a tap listener has for it.
385 rtp_info.info_data = tvb_get_ptr(tvb, 0, -1);
388 * No - packet was cut short at capture time.
390 rtp_info.info_all_data_present = FALSE;
391 rtp_info.info_data_len = 0;
392 rtp_info.info_data = NULL;
395 if ( check_col( pinfo->cinfo, COL_PROTOCOL ) ) {
396 col_set_str( pinfo->cinfo, COL_PROTOCOL, "RTP" );
399 if ( check_col( pinfo->cinfo, COL_INFO) ) {
400 col_add_fstr( pinfo->cinfo, COL_INFO,
401 "Payload type=%s, SSRC=%u, Seq=%u, Time=%u%s",
402 val_to_str( payload_type, rtp_payload_type_vals,
407 marker_set ? ", Mark" : "");
410 ti = proto_tree_add_item( tree, proto_rtp, tvb, offset, -1, FALSE );
411 rtp_tree = proto_item_add_subtree( ti, ett_rtp );
413 proto_tree_add_uint( rtp_tree, hf_rtp_version, tvb,
415 proto_tree_add_boolean( rtp_tree, hf_rtp_padding, tvb,
417 proto_tree_add_boolean( rtp_tree, hf_rtp_extension, tvb,
419 proto_tree_add_uint( rtp_tree, hf_rtp_csrc_count, tvb,
423 proto_tree_add_boolean( rtp_tree, hf_rtp_marker, tvb, offset,
425 proto_tree_add_uint( rtp_tree, hf_rtp_payload_type, tvb,
429 /* Sequence number 16 bits (2 octets) */
430 proto_tree_add_uint( rtp_tree, hf_rtp_seq_nr, tvb, offset, 2, seq_num );
433 /* Timestamp 32 bits (4 octets) */
434 proto_tree_add_uint( rtp_tree, hf_rtp_timestamp, tvb, offset, 4, timestamp );
437 /* Synchronization source identifier 32 bits (4 octets) */
438 proto_tree_add_uint( rtp_tree, hf_rtp_ssrc, tvb, offset, 4, sync_src );
444 if ( csrc_count > 0 ) {
446 ti = proto_tree_add_text(rtp_tree, tvb, offset, csrc_count * 4, "Contributing Source identifiers");
447 rtp_csrc_tree = proto_item_add_subtree( ti, ett_csrc_list );
449 for (i = 0; i < csrc_count; i++ ) {
450 csrc_item = tvb_get_ntohl( tvb, offset );
451 if ( tree ) proto_tree_add_uint_format( rtp_csrc_tree,
452 hf_rtp_csrc_item, tvb, offset, 4,
460 /* Optional RTP header extension */
461 if ( extension_set ) {
462 /* Defined by profile field is 16 bits (2 octets) */
463 if ( tree ) proto_tree_add_uint( rtp_tree, hf_rtp_prof_define, tvb, offset, 2, tvb_get_ntohs( tvb, offset ) );
// hdr_extension is a 16-bit length taken from the packet and bounds the loop
// below. Nothing in the lines shown compares it with the data left in the
// tvbuff, so the loop presumably relies on the tvbuff accessors rejecting
// reads past the end of the buffer - confirm.
466 hdr_extension = tvb_get_ntohs( tvb, offset );
467 if ( tree ) proto_tree_add_uint( rtp_tree, hf_rtp_length, tvb,
468 offset, 2, hdr_extension);
470 if ( hdr_extension > 0 ) {
// NOTE(review): the item length is csrc_count * 4, the same expression as
// the CSRC list item above; for the header extension one would expect a
// length derived from hdr_extension - looks like a copy and paste slip.
472 ti = proto_tree_add_text(rtp_tree, tvb, offset, csrc_count * 4, "Header extensions");
473 /* I'm re-using the old tree variable here
474 from the CSRC list!*/
475 rtp_csrc_tree = proto_item_add_subtree( ti,
478 for (i = 0; i < hdr_extension; i++ ) {
479 if ( tree ) proto_tree_add_uint( rtp_csrc_tree, hf_rtp_hdr_ext, tvb, offset, 4, tvb_get_ntohl( tvb, offset ) );
487 * This RTP frame has padding - find it.
489 * The padding count is found in the LAST octet of
490 * the packet; it contains the number of octets
491 * that can be ignored at the end of the packet.
493 if (tvb_length(tvb) < tvb_reported_length(tvb)) {
495 * We don't *have* the last octet of the
496 * packet, so we can't get the padding
499 * Put an indication of that into the
500 * tree, and just put in a raw data
503 if ( tree ) proto_tree_add_text(rtp_tree, tvb, 0, 0,
504 "Frame has padding, but not all the frame data was captured");
505 call_dissector(data_handle,
506 tvb_new_subset(tvb, offset, -1, -1),
// padding_count is the packet's last octet (0-255) and is not taken at face
// value: the branches below handle a count larger than the remaining
// payload.
511 padding_count = tvb_get_guint8( tvb,
512 tvb_reported_length( tvb ) - 1 );
// NOTE(review): padding_count is unsigned int, so this subtraction is done
// in unsigned arithmetic; the data_len < 0 test further down only works if
// data_len is a signed type (its declaration is not shown in this listing).
514 tvb_reported_length_remaining( tvb, offset ) - padding_count;
516 rtp_info.info_payload_offset = offset;
// info_payload_len is the whole captured remainder from offset, padding
// included; the padding octets are reported separately in
// info_padding_count.
517 rtp_info.info_payload_len = tvb_length_remaining(tvb, offset);
518 rtp_info.info_padding_count = padding_count;
522 * There's data left over when you take out
523 * the padding; dissect it.
525 dissect_rtp_data( tvb, pinfo, tree, rtp_tree,
531 } else if (data_len < 0) {
533 * The padding count is bigger than the
534 * amount of RTP payload in the packet!
535 * Clip the padding count.
537 * XXX - put an item in the tree to indicate
538 * that the padding count is bogus?
541 tvb_reported_length_remaining(tvb, offset);
543 if (padding_count > 1) {
545 * There's more than one byte of padding;
546 * show all but the last byte as padding
549 if ( tree ) proto_tree_add_item( rtp_tree, hf_rtp_padding_data,
550 tvb, offset, padding_count - 1, FALSE );
551 offset += padding_count - 1;
554 * Show the last byte in the PDU as the padding
557 if ( tree ) proto_tree_add_item( rtp_tree, hf_rtp_padding_count,
558 tvb, offset, 1, FALSE );
564 dissect_rtp_data( tvb, pinfo, tree, rtp_tree, offset,
565 tvb_length_remaining( tvb, offset ),
566 tvb_reported_length_remaining( tvb, offset ),
568 rtp_info.info_payload_offset = offset;
569 rtp_info.info_payload_len = tvb_length_remaining(tvb, offset);
// Nothing is queued for the tap when pinfo->in_error_pkt is set.
571 if (!pinfo->in_error_pkt)
572 tap_queue_packet(rtp_tap, pinfo, &rtp_info);
// Registers the RTP protocol: its header fields and subtrees, the "rtp"
// dissector and tap, the "rtp.pt" payload-type dissector table, and
// rtp_init as an init routine.
576 proto_register_rtp(void)
578 static hf_register_info hf[] =
587 VALS(rtp_version_vals),
619 "Contributing source identifiers count",
641 &hf_rtp_payload_type,
647 VALS(rtp_payload_type_vals),
679 "Synchronization Source identifier",
691 "Defined by profile",
749 &hf_rtp_padding_data,
761 &hf_rtp_padding_count,
782 proto_rtp = proto_register_protocol("Real-Time Transport Protocol",
784 proto_register_field_array(proto_rtp, hf, array_length(hf));
785 proto_register_subtree_array(ett, array_length(ett));
787 register_dissector("rtp", dissect_rtp, proto_rtp);
788 rtp_tap = register_tap("rtp");
// Table keyed on the payload type; dissect_rtp_data consults it with the
// value taken from the packet.
790 rtp_pt_dissector_table = register_dissector_table("rtp.pt",
791 "RTP payload type", FT_UINT8, BASE_DEC);
794 register_init_routine( &rtp_init );
// Handoff: looks up the generic "data" dissector, which dissect_rtp calls
// when a padded frame was not fully captured, and attaches the "rtp" handle
// to the "udp.port" table through dissector_add_handle (no port number is
// given in this call).
799 proto_reg_handoff_rtp(void)
801 dissector_handle_t rtp_handle;
803 data_handle = find_dissector("data");
806 * Register this dissector as one that can be selected by a
809 rtp_handle = find_dissector("rtp");
810 dissector_add_handle("udp.port", rtp_handle);