[cisco-voip] Nbar missing some RTP traffic
Jeffrey Ollie
jeff at ocjtech.us
Thu Apr 17 09:15:14 EDT 2008
On Thu, Apr 17, 2008 at 7:34 AM, Jorge L. Rodriguez Aguila
<jorge.rodriguez at netxar.com> wrote:
> That is correct. The RTP match is for even port numbers as Cisco uses even RTP ports in that range for voice payload and the corresponding odd ports for RTCP.
It's more complex than that. "match protocol rtp audio" looks at the
RTP payload type to determine what's RTP audio and video.
Unfortunately, it only "knows" about the audio and video payload types
defined in the RFCs:
http://www.cisco.com/en/US/products/ps6616/products_white_paper09186a0080110040.shtml#wp39290
If your VoIP traffic is negotiating dynamic RTP payload types in the
SIP SDP, which is necessary for some of the newer audio and video
codecs, "match protocol rtp audio" and "match protocol rtp video" will
not work. There are probably even some VoIP implementations that
negotiate dynamic RTP payload types for audio/video codecs that have
static payload types like G.711.
nBAR does not appear to parse SIP/SDPs to learn about dynamic RTP payload types.
Personally, this has made "match protocol rtp audio" and "match
protocol rtp video" useless for my needs.
> If you want to be extra sure you could convert your match-all voice class to match-any and add access-group XXX with an access-list XXX permit udp any any range 16384 32767 to pick up any packets the match RTP might miss.
That's not necessary when using "match protocol rtp" and in fact may
pick up unintended traffic (like matching RTP video traffic or just
about any other UDP traffic).
Jeff
More information about the cisco-voip
mailing list