Incomplete Pcap - RTP


L1 Bithead

We are performing a pcap on our firewall. We are capturing all traffic between two different CIDRs.
We see all of the SIP information. We see full bi-directional traffic. We then see 2 RTP packets for each call, then nothing else in the capture. The packets are not dropping; we know RTP is indeed making it because there is no problem with the audio on the other side.

Why is it not capturing all RTP? In Wireshark, if you do Telephony -> VoIP Calls, all the ladders are right. We have everything we would expect from SIP/SDP, and then we have 2 RTP packets and no other RTP. This is the same on a Transmit, Receive, Firewall capture. If you do an RTP -> view streams, you only see 2 packets per stream, and there are hundreds of successful calls.

Does a PA only sample RTP on the plane that a pcap is performed at and fast track it? Can someone explain this behavior?

1 REPLY

Cyber Elite

Did you disable hardware offloading? Once a session is offloaded, you can no longer capture it (as captures happen in the dataplane, which is bypassed with offloading).

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
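To confirm the symptom from the capture file itself, the following added example (not code from this thread or from the vendor) counts RTP packets per stream in a classic pcap and lists the streams that stop after a handful of packets, as described in the question. The addresses, ports, SSRC values and the 10-packet threshold are constructed assumptions, and RTP is recognised heuristically as UDP whose payload starts with version 2.

```python
import socket, struct
from collections import Counter

def rtp_stream_counts(pcap: bytes) -> Counter:
    """Count RTP-looking packets per (src, sport, dst, dport, ssrc)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    end = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        # Ethernet II + IPv4 + UDP only; everything else is skipped.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) < 20 or udp[8] >> 6 != 2:  # heuristic: RTP version 2
            continue
        sport, dport = struct.unpack("!HH", udp[:4])
        ssrc = struct.unpack("!I", udp[16:20])[0]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        counts[(src, sport, dst, dport, ssrc)] += 1
    return counts

def truncated_streams(counts, min_packets=10):
    # Streams with only a few captured packets match the offload symptom.
    return sorted(k for k, n in counts.items() if n < min_packets)

def _frame(src, dst, sport, dport, ssrc, seq):
    # Constructed sample frame: 12-byte RTP header plus 160 bytes of payload.
    rtp = struct.pack("!BBHII", 0x80, 0, seq, seq * 160, ssrc) + b"\x00" * 160
    udp = struct.pack("!HHHH", sport, dport, 8 + len(rtp), 0) + rtp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def sample_pcap():
    # Constructed capture: one stream cut off after 2 packets, one complete.
    frames = [_frame("10.0.1.5", "10.0.2.9", 16384, 20000, 0x1111, i) for i in range(2)]
    frames += [_frame("10.0.1.6", "10.0.2.9", 16386, 20002, 0x2222, i) for i in range(50)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(truncated_streams(rtp_stream_counts(sample_pcap())))
```

If every stream in a real capture lands in the truncated list while calls have working audio, the capture point is missing traffic rather than the network dropping it.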