See only a Sampling of RTP frames in a Wireshark Packet Capture

Question:

How do you make a display filter that filters out most RTP frames, but leaves a representative sample? Sometimes it’s convenient to see a sampling of RTP frames in Wireshark, without having to see 50 per second.

Answer:

Rather than seeing 50 frames per second for every RTP flow, how about one frame every 5 seconds?

Wireshark display filter:

rtp[3:1]==0 or rtp.marker==1

Shows an RTP packet for each RTP stream
— about every 5 seconds
— or when the stream starts afresh

How does it work?

  • The 3rd and 4th bytes of the RTP frame are the sequence number
  • The sequence number increases monotonically (40704, 40705, 40706, etc.)
  • rtp[x:y] gives the y bytes that start at offset x in the RTP frame, where the first byte of the RTP header is at offset 0
  • rtp[3:1] gives the 1 byte at offset 3, i.e. the 4th byte of the frame (see the “00” in the attached screenshot). This is the least-significant byte of the sequence number.
  • Normal VoIP RTP sends 1 frame every 20 milliseconds
  • Since the RTP sequence number is a 2-byte value, 1 out of every 256 frames will have a least-significant byte of 0
  • 256 [sequence numbers] * 20 ms = 5.12 seconds
  • I’m glossing over some details in the previous two points
  • Each time a new RTP flow starts, the sender should send an RTP frame with rtp.marker==1
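The same logic modelled in Python, added here to illustrate the answer (this is not Wireshark's or tshark's code): it parses the RTP fixed header, applies the two conditions of the display filter, and runs them over a constructed 20 ms stream starting at sequence number 40704, showing the 256-packet (5.12 s) spacing and the marker-bit hit at stream start.

```python
import struct

# Minimal RFC 3550 fixed-header parser (illustration only, not Wireshark code).
def parse_rtp_header(pkt: bytes) -> dict:
    """Return version, marker bit, payload type and sequence number.
    Bytes 2-3 (offsets 2 and 3) carry the 16-bit sequence number."""
    if len(pkt) < 12:
        raise ValueError("RTP fixed header is 12 bytes")
    b0, b1, seq = struct.unpack("!BBH", pkt[:4])
    return {
        "version": b0 >> 6,
        "marker": (b1 >> 7) & 1,   # rtp.marker
        "payload_type": b1 & 0x7F,
        "seq": seq,                # rtp[2:2]
    }

def passes_sample_filter(pkt: bytes) -> bool:
    """Python equivalent of the display filter: rtp[3:1]==0 or rtp.marker==1"""
    return pkt[3] == 0 or parse_rtp_header(pkt)["marker"] == 1

def build_rtp(seq: int, marker: int = 0, pt: int = 0, ts: int = 0, ssrc: int = 0x1234) -> bytes:
    """Construct a 12-byte RTP header (V=2, no padding/extension/CSRC). Constructed sample data."""
    return struct.pack("!BBHII", 0x80, (marker << 7) | pt, seq & 0xFFFF, ts, ssrc)

def sample_stream(start_seq: int, count: int, first_marker: bool = True) -> list:
    """Simulate `count` packets of a 20 ms stream and return (index, seq, marker)
    for every packet the filter keeps. Index * 20 ms is the packet's time offset."""
    kept = []
    for i in range(count):
        marker = 1 if (first_marker and i == 0) else 0   # marker set on the first packet
        pkt = build_rtp(start_seq + i, marker=marker, ts=i * 160)
        if passes_sample_filter(pkt):
            h = parse_rtp_header(pkt)
            kept.append((i, h["seq"], h["marker"]))
    return kept

if __name__ == "__main__":
    # 1000 packets = 20 s of audio; expect the marker packet plus one hit per 256 packets
    for i, seq, m in sample_stream(40704, 1000):
        print(f"packet {i:4d}  t={i * 20 / 1000:6.2f}s  seq={seq}  marker={m}")
```

Starting at 40704 (whose low byte is already 0) the filter keeps packets 0, 256, 512 and 768, i.e. one every 5.12 s; starting one sequence number later, the first hit after the marker packet comes at packet 255.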