ntop
Improve RTP detection
I guess it would be good to add a check for the 4-byte SSRC (Synchronization Source Identifier) field, which is present in all RTP packets and remains static throughout the session.
I don't think having static SSRC throughout the session is the case for all RTP sessions for example some apps has a session that starts as stun and then RTP packets where you can find different SSRCS in that session. also unless i misunderstood this part https://datatracker.ietf.org/doc/html/rfc3550#section-5.2 it's possible as per RFC 3550.
I don't think having static SSRC throughout the session is the case for all RTP sessions for example some apps has a session that starts as stun and then RTP packets where you can find different SSRCS in that session. also unless i misunderstood this part https://datatracker.ietf.org/doc/html/rfc3550#section-5.2 it's possible as per RFC 3550.
Do you have any pcap samples?
I don't think having static SSRC throughout the session is the case for all RTP sessions for example some apps has a session that starts as stun and then RTP packets where you can find different SSRCS in that session. also unless i misunderstood this part https://datatracker.ietf.org/doc/html/rfc3550#section-5.2 it's possible as per RFC 3550.
Do you have any pcap samples?
I don't have one, but I think you can see that by capturing a pcap for whastapp call for example.
I don't think having static SSRC throughout the session is the case for all RTP sessions for example some apps has a session that starts as stun and then RTP packets where you can find different SSRCS in that session. also unless i misunderstood this part https://datatracker.ietf.org/doc/html/rfc3550#section-5.2 it's possible as per RFC 3550.
Do you have any pcap samples?
I don't have one, but I think you can see that by capturing a pcap for whastapp call for example.
Ty, I'll try.