analysis of rtp and rtcp packets in wireshark
DESCRIPTION
COMMUNICATION NETWORKSPROJECT: ANALYSIS OF RTP & RTCP PACKETS IN WIRESHARK CAPTURED DATA.TRANSCRIPT
Task
The objective of this experiment is to capture all IP packets sent to and received
from two hosts over the course of a video conference and analyze the RTP and
RTCP packets captured during this process. Data is captured both at both hosts for
two calls, once during low network load and once when network load is high.
For our experiment, Google’s Hangouts was initially used to establish a call but
their deviation from RFC 3550 standards and use of encryption made it difficult to
analyze the recorded data. Go2Meeting was used next and we discovered that
they too employed encryption, making analysis difficult. Therefore we resorted to
the use of Linphone, an open source VoIP project supported by Belledonne
Communications.
Experiment conditions
Host 1 Host 2
Location New Brunswick East Brunswick
Device used Personal Laptop Personal Laptop
ISP Optimum Comcast
Public IP 68.193.145.122 68.44.24.247
IP in local network 192.168.1.7 192.168.2.72
Trial one
Date: 11/4/2014 Time: 11:10 PM Network Conditions: Low Traffic
Trial two
Date: 11/6/2014 Time: 2:11 PM Network Conditions: High Traffic
The Process
The First step was to setup a video call from host 1 to host 2 with encryption
disabled. This was achieved by setting the Media encryption type in the network
settings tab in the Preferences window to “None”.
After the call was setup, all transmitted data was captured using wireshark. We
decided to capture data for 10 minutes, so the stop capture automatically after
option in the capture options page was set to stop after 10 minutes.
The capture process was performed at both hosts simultaneously and the data
was stored to a pcapng file.
The capture of the second call was performed with intervals where, one of the
Hosts mic was deactivated and then the other host had his mic de-activated and
then the both mic were deactivated. During the periods when the mic was
deactivated, the video was also disabled. Video could not be disabled for one
source at a time as Linphone provided no such feature.
Identifying RTP packets
All captured RTP and RTCP packets are simply displayed as UDP packets in
wireshark. To identify our RTP and RTCP packets, Wireshark’s Decode as feature
was used. When used on a single packet, it is capable of identifying all packets in
that particular stream (data to and from the source and destination ports
specified in that packet). To successfully decode all RTP packets, we initially
filtered out data that was still interpreted as UDP and not as RTP or RTCP using
the display filter
udp and not(rtp) and not(rtcp)
Linphone allows us to specify what ports are to be used for audio and video
communication, so this allows us to spot RTP packets and then ‘the decode as'
function can be used to make wireshark identify the RTP packets. Upon exploring
we identified that Linphone follows standard conventions and transmits RTCP
packets from the next higher up odd numbered port for each source. This was
used to identify and decode the RTCP packets.
All necessary data was added to columns and were exported to a csv file. Excel
was used to calculate all necessary statistics.
Identifying Payload type
Initial plan for identifying Payload types was based on the fact that Audio data
occupies lesser space than video data. So, we expected the overall space occupied
by the packets of the audio stream to be lesser than that occupied by the video
stream.
But with the use of linphone, we were able to manually set Audio and Video
ports. So to identify payload type, one can simply look into the details of any
packet sent from a particular port and associate that payload type to the purpose
of that port.
Network paths
Upon capturing the data and identifying the IP of the server used by Linphone,
Tracert was used to identify the path from the hosts to the server.
1. Path from Host 1 to Linphone Server
2. Path from Host 2 Linphone Server
Statistics
Session 1: Host 1
Session Duration=10 Minutes, Session completed using LINPHONE with both
audio and video turned ON for the entire duration.
Min Max Mean Min Max Mean
9078 55388 11014 56.0 1294.0 1043.57458 RTPType-103 0x2CE7 0 0.000031 0.232708 0.05443793
7078 62842 29988 88.0 136.0 103.26740 RTPType-124 0x6D9E 0 0.000031 0.050535 0.01999859
9079 55389 120 146.0 146.0 146.000000x2CE7(Sender)
0x687B(First source)0
4.912988 5.031413 4.99930410
7079 62843 120 146.0 146.0 146.000000x6D9E(Sender)
0x2DC0(First Source)0
4.989735 5.010318 4.99988136
Host 1 Outgoing
RTP Packet Size(3)
(Length in Bytes)Payload
Type(4)
SR(200)
Destination
Port(1)
Number of
Packets(2)
Mean Time Between Two
Packets(s)(7)SSRC Identifiers(5)
Lost
Packets
(6)
Source
Port(1)
Min Max Mean Min Max Mean
55388 9078 11877 56.0 1294.0 1027.18426 RTPType-103 0x687B 34 0.000011 2.783036 0.05048929
62842 7078 29900 74.0 136.0 92.38416 RTPType-124 0x2DC0 84 0.000011 2.747859 0.02005557
55389 9079 120 150.0 150.0 150.000000x687B(Sender)
0x2CE7(First source)0
2.957019 7.048796 5.00016892
62843 7079 120 150.0 150.0 150.000000x2DC0(Sender)
0x6D9E(First Source)0
4.950914 5.039732 5.00024492
Destination
Port(1)
Number of
Packets(2)
Payload
Type(4)SSRC Identifiers(5)
Lost
Packets
(6)
SR(200)
Host 1 Incoming
RTP Packet Size(3)
(Length in Bytes)
Mean Time Between Two
Packets(s)(7)Source
Port(1)
Host 2
Session 2: Host 1:
Session Duration=10 Minutes, Session completed using LINPHONE with audio and
video transmission changed according to the following table
Min Max Mean Min Max Mean
9078 35248 11906 56.0 1294.0 1043.5746 RTPType-103 0x687B 0 0.000030 0.344843 0.05034288
7078 57170 29972 88.0 136.0 103.2674 RTPType-124 0x2DC0 0 0.000027 0.067819 0.01999939
9079 35249 120 150.0 150.0 150.00000x687B(Sender)
0x2CE7(First source)0
4.974013 5.021175 5.00007882
7079 57171 120 150.0 150.0 150.00000x2DC0(Sender)
0x6D9E(First Source)0 4.987259 5.023026 5.00003308
Mean Time Between Two
Packets(s)(7)SSRC Identifiers(5)
Lost
Packets
(6)
Host 2 Outgoing
RTP Packet Size(3)
(Length in Bytes)Payload
Type(4)
SR(200)
Destination
Port(1)
Number of
Packets(2)
Source
Port(1)
Min Max Mean Min Max Mean
57170 9078 10968 56.0 1294.0 1027.18426 RTPType-103 0x2CE7 41 0.000020 0.636363 0.05465503
35248 7078 29928 74.0 136.0 92.38416 RTPType-124 0x6D9E 48 0.000018 0.525384 0.02002977
35249 9079 120 146.0 146.0 146.000000x2CE7(Sender)
0x687B(First source)0 4.805372 5.156351 4.99952360
57171 7079 120 146.0 146.0 146.000000x6D9E(Sender)
0x2DC0(First Source)0
4.822684 9.965048 5.04177715
Destination
Port(1)
Mean Time Between Two
Packets(s)(7)
SR(200)
Host 2 Incoming
RTP Packet Size(3)
(Length in Bytes)Number of
Packets(2)
Payload
Type(4)SSRC Identifiers(5)
Lost
Packets
(6)
Source
Port(1)
0-100 100-220 220-340 340-460 460-600
Audio ON ON OFF OFF ON
Video ON OFF OFF OFF ON
Audio ON OFF ON OFF ON
Video ON OFF OFF OFF ON
Host 1
Host 2
Duration in secs
Min Max Mean Min Max Mean
2018 56.0 1294.0 976.5970 0x6F50 0 0.000049 0.215294 0.046690
3930 56.0 1294.0 962.4204 0x604 0 0.000045 0.212085 0.046743
5068 76.0 124.0 103.4417 0x1478 0 0.000042 0.076238 0.020001
15424 75.0 126.0 84.8048 0x1288 0 0.000040 0.095160 0.02000033
9849 76.0 126.0 102.3511 0x40EB 0 0.000032 0.070331 0.019997
20 146.0 146.0 146.00000x6F50(Sender)
0x7C7B(First source)0 4.990815 5.008854 5.00021237
40 146.0 146.0 146.00000x604(Sender)
0x11A6(First source)0 2.433994 5.018551 4.67089231
20 146.0 146.0 146.00000x1478(Sender)
0x7632(First Source)0
64 146.0 146.0 146.00000x1288(Sender)
0x7280(First source)0
40 146.0 146.0 146.00000x40EB(Sender)
0x11A6(First source)0
480857079
SSRC Identifiers
(5)
Lost
Packets
(6)
RTPType-103
SR(200)
6.110196 4.806749512.458975
RTPType-124
Host 1 Outgoing
RTP Packet Size(3)
(Length in Bytes)Payload
Type(4)
Destination
Port(1)
Number of
Packets(2)
Source
Port(1)
Mean Time Between Two
Packets(s)(7)
9079 22513
9078 22512
7078 48084
Host 2:
Min Max Mean Min Max Mean
2171 57.0 1294.0 1045.02150 0x7C7B 7 0.000021 0.274938 0.050360
3985 57.0 1294.0 1051.96938 0x11A6 12 0.000021 0.585956 0.05125664
5071 75.0 128.0 90.29000 0x7632 12 0.000019 0.227115 0.02052235
15413 74.0 130.0 79.85449 0x7280 28 0.000020 0.297903 0.02100480
9839 74.0 137.0 83.93721 0x6A38 4 0.000019 0.560520 0.020008
20 150.0 150.0 150.00000x7C7B(Sender)
0x6F50(First source)0 4.896326 5.115281 4.99939095
40 150.0 150.0 150.00000x11A6(Sender)
0x604(First source)0 2.494215 5.018851 4.73670282
20 150.0 150.0 150.00000x7632(Sender)
0x1478(First Source)0
64 150.0 150.0 150.00000x7280(Sender)
0x1288(First source)0
40 150.0 150.0 150.00000x11A6(Sender)
0x40EB(First source)0
Host 1 Incoming
Mean Time Between Two
Packets(s)(7)Payload
Type(4)SSRC Identifiers(5)
Lost
Packets
(6)
Destination
Port(1)
RTP Packet Size(3)
(Length in Bytes)Number of
Packets(2)
Source
Port(1)
22512 9078
2.4796 8.63646 4.8873041
22513 9079
SR(200)
48085 7079
48084 7078
RTPType-103
RTPType-124
Min Max Mean Min Max Mean
2167 56.0 1294.0 976.5970 0x7C7B 0 0.000049 0.215294 0.046690
3997 56.0 1294.0 962.4204 0x11A6 0 0.000045 0.212085 0.046743
5060 76.0 124.0 103.4417 0x7632 0 0.000042 0.076238 0.020001
15425 75.0 126.0 84.8048 0x7280 0 0.000040 0.095160 0.02000033
9452 76.0 126.0 102.3511 0x6A38 0 0.000032 0.070331 0.019997
20 150.0 150.0 150.00000x7C7B(Sender)
0x6F50(First source)0 4.990815 5.008854 5.00021237
40 150.0 150.0 150.00000x11A6(Sender)
0x604(First source)0 2.433994 5.018551 4.67089231
20 150.0 150.0 150.00000x7632(Sender)
0x1478(First Source)0
64 150.0 150.0 150.00000x7280(Sender)
0x1288(First source)0
40 150.0 150.0 150.00000x11A6(Sender)
0x40EB(First source)0
9078 27940
7078 19518 RTPType-124
195197079
27941
SSRC Identifiers
(5)
Lost
Packets
(6)
RTPType-103
SR(200)
6.110196 4.806749512.458975
Host 2 Outgoing
RTP Packet Size(3)
(Length in Bytes)Payload
Type(4)
Destination
Port(1)
Number of
Packets(2)
Source
Port(1)
Mean Time Between Two
Packets(s)(7)
9079
Min Max Mean Min Max Mean
2000 57.0 1294.0 1044.02150 0x6F50 7 0.000021 0.274938 0.050460
3659 57.0 1294.0 1052.96938 0x604 12 0.000021 0.585956 0.05153664
5044 75.0 128.0 90.14000 0x1478 12 0.000019 0.227115 0.02004235
15396 74.0 130.0 79.63449 0x1288 28 0.000020 0.297903 0.02003480
9445 74.0 137.0 85.93721 0x40EB 4 0.000019 0.560520 0.020008
20 146.0 146.0 146.00000x6F50(Sender)
0x7C7B(First source)0 4.896326 5.115281 4.99939095
40 146.0 146.0 146.00000x604(Sender)
0x11A6(First source)0 2.494215 5.018851 4.73670282
20 146.0 146.0 146.00000x1478(Sender)
0x7632(First Source)0
64 146.0 146.0 146.00000x1288(Sender)
0x7280(First source)0
40 146.0 146.0 146.00000x40EB(Sender)
0x11A6(First source)0
27940 9078
2.4796 8.63646 4.8873041
9079 27941
SR(200)
7079 19519
19518 7078
RTPType-103
RTPType-124
Destination
Port(1)
RTP Packet Size(3)
(Length in Bytes)Number of
Packets(2)
Source
Port(1)
Mean Time Between Two
Packets(s)(7)Payload
Type(4)SSRC Identifiers(5)
Lost
Packets
(6)
Host 2 Incoming
Observations and Analysis
Following are the comments on each column of the above statistics and
recordings tables.
(1) The software used for the conference was LINPHONE. This is an open
source software with a lot of options. The encryption option was disabled
for this experiment. The port pairs were chosen to be 7078 for audio and
9078 for video on both PC’s. The UDP traffic is directed from one
participant PC to LINPHONE servers. The data is then transmitted to other
participants PC. The server does not seem to perform any processing of its
own. Since the SSRC identifiers remain intact for all packets, it appears that
the traffic does not pass through any mixers. Both the participant connect
to the same LINPHONE server, in our case it was 91.121.209.194.
The Packets were decoded to be RTP/RTCP by Wireshark ‘Decode As’
option. However, it was confirmed that the decoding of Wireshark was
correct by reviewing that the UDP port pairs used by the software were
strictly in accordance with RFC 3550. I.e. even numbered port was used for
RTP packets and the next higher odd numbered port was used for the
RTCP packets. The tables show the exact values of all UDP port pairs as
used by RTP/RTCP packets in this experiment.
(2) Audio packets seem to be larger in number and transmitted more
frequently than video packets. But video packets are longer than Audio
Packets. Based on the first session, mean time between packets is almost
constant for audio and video at .02s and .05s each. And Sizes are also
almost similar with audio packets sized around 100 bytes and video
packets sized around 1000 bytes.
This makes audio packets more in number by a factor of 2.5 and smaller
than video packets by a factor close to 10. So Video data makes up close to
80% of our data traffic ignoring the RTCP packets which with a mean time
of 5 seconds between each packet and a fixed packet size close 150 bytes
occupy a very small portion of the traffic.
It is worth mentioning that in session two, when video was disabled, no
packets were transmitted but while audio was muted, transfer still
occurred.
(3) The criteria for identifying the audio packets is that RTP audio packets are
smaller in size and usually larger in number and transmitted at a higher
rate as compared to RTP video packets, which are larger in size, still large
in number but smaller than RTP audio packets and have less rate of
transmission of packets.
RTCP packets coming from a particular source are always of the same
length (146 in the case of host 1 and 150 in the case of host 2). This can be
explained based on the fact the main message carries only blocks of fixed
length. The length can increase based on the number of report blocks, but
both carry only one at all times. The difference of 4 bytes between the two
RTCP packets comes from the Chunk added to the end by Linphone. This
chunk contains user data and that includes the users Local IP as text. A
difference in the number of digits between the two hosts’ IPs causes its
length to increase by 4 bytes.
a. End of Host 2’s RTCP packet End of Host 1’s RTCP packet
(4) The Payload Type for RTP (both audio and video) packets is assigned in the
dynamic PT range which is 96-127. The statistics of packets sizes can be
found in the respective tables.
(5) SSRC identifiers identify each device in a session. SSRC identifiers seem to
be assigned randomly at the beginning of a session. All devices in the two
sessions were observed to have a unique SSRC identifier.
Whenever a device is turned off for a while and then reactivated, it seems
to receive a new SSRC identifier. This should explain the different sender,
first source combinations in the SSRC identifier column of the observations
in the second session.
The SSRC identifiers are used to uniquely identify each device in a session.
This SSRC identifier is randomly assigned at the beginning of each session.
No two devices in a session can have the same SSRC identifier. For our two
sessions, all devices were observed to have unique SSRC identifiers.
The Sender Report contain the SSRC identifier of the device sending the
RTP stream as well as the device at remote end sending similar RTP stream
but in other direction. This is exactly what can be observed from the tables.
As an example, the sender report sent from Camera of participant 1(SSRC
identifier: 0x687B) contains SSRC identifier as 0x687B and its first source
field contains the SSRC identifier of the camera of PC2 (SSRC Identifier:
0x2CE7). Similar is the case for the other device i.e. Mic.
(6) Packet loss is observed only in the incoming streams. It is logical to assume
that this is because the loss occurs during transmission and host 1 can only
detect loss in the stream it received from host 2 and similarly, only host 2
can detect the loss in the stream from host 1.
A correlation could not be made between packet loss and network load as
they seem to vary irrespective of network load.
(7) Since the algorithm for computing the RTCP packets transmission interval
takes into consideration the dynamic changing of number of participant in
a session, this did not affect our observations. Since the number of
participants was only two and the transmission bandwidth was considered
to be stable, the interval between Sender Reports was nearly constant
with a mean of almost 5 Seconds.
The time between two consecutive packets indicated in the outgoing
tables reflect the time between the transmissions of two packets, but the
time between two packets observed in the incoming tables reflects the
difference between the times when two packets are received by a host.
Any discrepancy between incoming statistics of one host and the
corresponding outgoing statistics of the other host must be caused by
network conditions.
In our observations, we noticed that the mean times between
corresponding incoming and outgoing streams vary more when the
network has a higher load.
For Instance, The following table contains the mean times between
packets for Host 1’s incoming stream and Host 2’s outgoing stream for
both sessions. Notice how Session 2 has a greater change in mean times,
while session 1 shows smaller changes.
This shows how the difference in mean times is greater during periods of higher
traffic load. This difference in means in this case is low enough to be
compensated with other techniques but greater changes can cause a drop in
quality.
References
1. http://www.ece.rutgers.edu/~marsic/books/CN/projects/wireshark/ws-
project-3.html
2. http://www.ietf.org/rfc/rfc3550.txt
3. http://www.networksorcery.com/enp/protocol/rtp.htm
4. http://en.wikipedia.org/wiki/Real-time_Transport_Protocol