Incomplete Pcap - RTP

L0 Member

We are performing a pcap on our firewall. We are capturing all traffic between two different CIDRs.
We see all of the SIP information. We see full bi-directional traffic. We then see 2 RTP packets for each call, then nothing else in the capture. The packets are not dropping; we know RTP is indeed making it because there is no problem with the audio on the other side.

 

Why is it not capturing all RTP? In Wireshark, if you do Telephony -> VoIP Calls, all the ladders are right. We have everything we would expect from SIP/SDP, and then we have 2 RTP packets and no other RTP. This is the same on a Transmit, Receive, Firewall capture. If you do an RTP -> view streams, you only see 2 packets per stream, and there are hundreds of successful calls.

 

Does a PA only sample RTP on the plane that a pcap is performed at and fast-track it? Can someone explain this behavior?

L7 Applicator

Did you disable hardware offloading? Once a session is offloaded, you can no longer capture it (as captures happen in the dataplane, which is bypassed with offloading).

 

Tom Piens - PANgurus.com
Find my book at amazon.com/dp/1789956374
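
An added example, not part of the original thread: a Python check that reads a classic Ethernet pcap and lists RTP streams with two or fewer captured packets, the pattern the question describes. The function names, the heuristic RTP test (a UDP payload whose version bits equal 2), the untagged-IPv4 assumption and the sample capture are all constructed for illustration.

```python
import struct
from collections import Counter

def rtp_stream_counts(pcap: bytes) -> Counter:
    """Count RTP packets per (src, sport, dst, dport, SSRC) in a classic pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Keep untagged IPv4 (ethertype 0x0800) carrying UDP (protocol 17).
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) < 20 or udp[8] >> 6 != 2:  # heuristic: RTP version is 2
            continue
        sport, dport = struct.unpack("!HH", udp[:4])
        ssrc = struct.unpack("!I", udp[16:20])[0]
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        counts[(src, sport, dst, dport, ssrc)] += 1
    return counts

def truncated_streams(counts: Counter, max_packets: int = 2) -> list:
    """Streams with so few captured packets that the rest likely bypassed capture."""
    return sorted(k for k, n in counts.items() if n <= max_packets)

def build_sample() -> bytes:
    """Constructed capture: SSRC 0x1111 has 2 RTP packets, SSRC 0x2222 has 5."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ssrc, sport, n in ((0x1111, 16384, 2), (0x2222, 16386, 5)):
        for seq in range(n):
            rtp = struct.pack("!BBHII", 0x80, 0, seq, seq * 160, ssrc) + bytes(160)
            udp = struct.pack("!HHHH", sport, 20000, 8 + len(rtp), 0) + rtp
            ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17,
                             0, bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1])) + udp
            frame = bytes(12) + b"\x08\x00" + ip
            out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for key in truncated_streams(rtp_stream_counts(build_sample())):
        print("only start of stream captured:", key)
```

Running the same check on a capture taken before and after changing the offload setting shows whether the per-stream packet counts change.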