[cisco-voip] Nbar missing some RTP traffic
Jeffrey Ollie
jeff at ocjtech.us
Thu Apr 17 11:14:42 EDT 2008
On Thu, Apr 17, 2008 at 10:02 AM, Ellington, Chris
<Chris.Ellington at inin.com> wrote:
> It is a lot of ports, however if you look at something like wireshark it figures out the ports and maps them to RTP - generally -
That's because Wireshark is smart enough to watch the signalling
protocol and extract the RTP port numbers out of them. You can easily
see this by capturing a full phone conversation including the initial
signalling set up and by capturing only the middle and the end of a
conversation. Unless Wireshark captures the start of the conversation
it will display RTP traffic as undecoded UDP traffic.
nBAR isn't that smart, even if it sees the signalling that sets up the
RTP session.
> I also realize that video shares this port range, at least in Cisco implementations, and some deeper analysis will have to occur, potentially. I say potentially, because even with video don't you want to prioritize the audio path (because if the video gets distorted, nobody seems to mind, audio distortions are generally deemed unacceptable).
Umm... that's EXACTLY why you need to mark RTP audio and video traffic
differently. Audio traffic needs to get a higher priority or quality
will suffer. If you can't count on the source marking the RTP packets
properly (and nothing in between you and the source stripping the
markings) you have to do a deeper analysis than just matching on the
UDP port number.
Jeff
More information about the cisco-voip
mailing list