topic Incomplete Pcap - RTP in General Topics https://live.paloaltonetworks.com/t5/general-topics/incomplete-pcap-rtp/m-p/332458#M84050 <P>We are performing a pcap on our Firewall. We are capturing all traffic between two different Cidr's.<BR />We see all of the sip information. We see full bi-directional traffic. We then see 2 RTP packets for each call then nothing else in the capture. The packets are not dropping,&nbsp;We know RTP is indeed making it because there is no problem with the audio on the other side.</P><P>&nbsp;</P><P>Why is it not capturing all RTP?&nbsp; In wireshark if you do telephony -&gt; voip calls all the ladders are right. we have everything we would expect from SIP/SDP and then we have 2 rtp packets and no other RTP. this is the same on a Transmit, Recieve, Firewall capture. If you do a rtp-&gt;view streams you only see 2 packets per stream and there are hundreds of successful calls.</P><P>&nbsp;</P><P>Does a PA only sample rtp on the plane that a pcap is performed at and fast tracks it? can someone explain this behavior?</P> Tue, 09 Jun 2020 00:27:39 GMT jon.swick 2020-06-09T00:27:39Z Incomplete Pcap - RTP https://live.paloaltonetworks.com/t5/general-topics/incomplete-pcap-rtp/m-p/332458#M84050 <P>We are performing a pcap on our Firewall. We are capturing all traffic between two different Cidr's.<BR />We see all of the sip information. We see full bi-directional traffic. We then see 2 RTP packets for each call then nothing else in the capture. The packets are not dropping,&nbsp;We know RTP is indeed making it because there is no problem with the audio on the other side.</P><P>&nbsp;</P><P>Why is it not capturing all RTP?&nbsp; In wireshark if you do telephony -&gt; voip calls all the ladders are right. we have everything we would expect from SIP/SDP and then we have 2 rtp packets and no other RTP. this is the same on a Transmit, Recieve, Firewall capture. If you do a rtp-&gt;view streams you only see 2 packets per stream and there are hundreds of successful calls.</P><P>&nbsp;</P><P>Does a PA only sample rtp on the plane that a pcap is performed at and fast tracks it? can someone explain this behavior?</P> Tue, 09 Jun 2020 00:27:39 GMT https://live.paloaltonetworks.com/t5/general-topics/incomplete-pcap-rtp/m-p/332458#M84050 jon.swick 2020-06-09T00:27:39Z Re: Incomplete Pcap - RTP https://live.paloaltonetworks.com/t5/general-topics/incomplete-pcap-rtp/m-p/332762#M84106 <P>did you disable hardware offloading? once a session is offloaded, you can no longer capture it (as captures happen in the dataplane, which is bypassed with offloading)</P><P>&nbsp;</P> Wed, 10 Jun 2020 09:55:40 GMT https://live.paloaltonetworks.com/t5/general-topics/incomplete-pcap-rtp/m-p/332762#M84106 reaper 2020-06-10T09:55:40Z