On Wed, Apr 17, 2002 at 11:44:45AM -0700, Joe Aiello wrote:
> I noticed that Ethereal can read the Sniffer WAN.cap files and indicate that
> it is a "Network Associates Sniffer (Windows-Based) 2.00x" format. This is
> displayed if you select file/save as. It seems the work to decode the
> format is there, just not to save as.
Unfortunately, it appears that Sniffer WAN (PPP) captures look like Ethernet captures; we'd have to implement code in Wiretap to translate PPP headers to Ethernet headers (including mapping protocol types - and, presumably, *discarding* packets for protocols that have PPP types but not Ethernet types) to be able to save them.

I will not be doing that any time soon. My plate is already massively over-full with other things....

> As for RTP, they must look at the UDP packets and check for the RTP header.

Perhaps they do, but, for what it's worth, we don't. I'm not sure I see anything immediately obvious that would work well as a heuristic to detect RTP. (Are you certain the Sniffer isn't configured to treat either port 1062 or port 17654 as RTP ports?)

So, until somebody can come up with a heuristic to detect RTP traffic *without* bogusly treating a bunch of non-RTP traffic as RTP, you'll either have to use the Sniffer, or use the "Decode As" option in Ethereal to force it to decode particular ports as particular protocols (selecting the first packet, selecting "Decode As..." from the Tools menu, selecting the source or destination port, selecting "RTP" from the list of protocols, and clicking "OK" causes it to show that traffic as RTP traffic).
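The PPP-to-Ethernet translation the reply describes (map the PPP protocol number to an EtherType, discard frames for PPP-only protocols such as LCP and IPCP) is sketched below as an added example. It is not Wiretap code and not part of the original thread; the MAC addresses are synthetic because a PPP link has none, the PPP frames are constructed here, and handling of address/control-field and protocol-field compression follows RFC 1661 rather than anything the thread says about the Sniffer format.

```python
import struct

# PPP protocol numbers (RFC 1661 / IANA) -> EtherType, for protocols that exist on Ethernet.
# Anything not listed (LCP 0xC021, IPCP 0x8021, PAP, CHAP, ...) has no Ethernet equivalent.
PPP_TO_ETHERTYPE = {
    0x0021: 0x0800,  # IPv4
    0x0057: 0x86DD,  # IPv6
    0x002B: 0x8137,  # IPX
    0x0029: 0x809B,  # AppleTalk
}

# Synthetic MAC addresses (assumption): an Ethernet frame needs them, a PPP link never had any.
FAKE_SRC_MAC = bytes.fromhex("020000000001")
FAKE_DST_MAC = bytes.fromhex("020000000002")


def split_ppp(frame):
    """Return (protocol, payload) from one PPP frame.

    Handles address/control-field compression (the leading FF 03 may be absent) and
    protocol-field compression (a protocol whose low byte is odd may be sent as one byte).
    """
    if len(frame) >= 2 and frame[0] == 0xFF and frame[1] == 0x03:
        frame = frame[2:]
    if not frame:
        raise ValueError("empty PPP frame")
    if frame[0] & 0x01:  # PFC: single-byte protocol field
        return frame[0], frame[1:]
    if len(frame) < 2:
        raise ValueError("truncated PPP protocol field")
    return struct.unpack("!H", frame[:2])[0], frame[2:]


def ppp_to_ethernet(frame, src_mac=FAKE_SRC_MAC, dst_mac=FAKE_DST_MAC):
    """Rewrite a PPP frame as an Ethernet frame, or return None if its protocol has no EtherType."""
    proto, payload = split_ppp(frame)
    ethertype = PPP_TO_ETHERTYPE.get(proto)
    if ethertype is None:
        return None
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def convert_capture(frames):
    """Translate a list of PPP frames; returns (ethernet_frames, dropped_ppp_protocols)."""
    ethernet, dropped = [], []
    for frame in frames:
        eth = ppp_to_ethernet(frame)
        if eth is None:
            dropped.append(split_ppp(frame)[0])
        else:
            ethernet.append(eth)
    return ethernet, dropped


# Constructed sample frames (not from any real capture). IPV4_STUB is a bare 20-byte IPv4 header.
IPV4_STUB = bytes.fromhex("450000140001000040010000c0a80001c0a80002")
IPV6_STUB = b"\x60" + b"\x00" * 39
SAMPLE_FRAMES = [
    b"\xff\x03\x00\x21" + IPV4_STUB,        # IPv4, uncompressed address/control and protocol
    b"\xff\x03\x21" + IPV4_STUB,            # IPv4 with protocol-field compression
    b"\x00\x57" + IPV6_STUB,                # IPv6 with address/control-field compression
    b"\xff\x03\xc0\x21\x01\x01\x00\x04",    # LCP Configure-Request: PPP-only, must be discarded
    b"\xff\x03\x80\x21\x01\x02\x00\x04",    # IPCP Configure-Request: also PPP-only
]

if __name__ == "__main__":
    frames, dropped = convert_capture(SAMPLE_FRAMES)
    print("kept", len(frames), "frames; dropped PPP protocols:", [hex(p) for p in dropped])
```

The discarded frames are exactly the ones the reply anticipates losing: link-control and network-control traffic that only exists on the PPP link. A real converter would also have to record, in the output file's comments or in a side channel, that those packets were dropped, since the Ethernet capture can no longer represent them.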

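The reply's point that there is no obvious RTP heuristic "without bogusly treating a bunch of non-RTP traffic as RTP" can be made concrete. The added example below is not Ethereal's dissector code and not part of the thread: it implements a naive per-packet RTP header check (version bits, payload-type range, CSRC count) and then a stricter flow-based check that additionally requires several consecutive packets to share an SSRC and carry consecutive sequence numbers. The sample traffic is constructed here; the port numbers are borrowed from the thread purely as labels, and the payload-type ranges used are an assumption.

```python
import struct
from collections import defaultdict


def rtp_header_plausible(payload):
    """Single-packet check: parsed RTP fixed header if the payload could be RTP, else None.

    Any UDP payload of 12+ bytes whose first two bits are 10 and whose second byte lands in
    a plausible payload-type range passes, which is why this alone produces false positives.
    """
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    version, cc, pt = b0 >> 6, b0 & 0x0F, b1 & 0x7F
    if version != 2:
        return None
    # Static payload types 0-34 and dynamic 96-127 (assumption: treat others as unlikely).
    if not (pt <= 34 or 96 <= pt <= 127):
        return None
    if len(payload) < 12 + 4 * cc:  # the CSRC list must fit in the packet
        return None
    return {"pt": pt, "seq": seq, "ts": ts, "ssrc": ssrc}


def per_packet_hits(packets):
    """Number of packets the single-packet check would label RTP."""
    return sum(1 for *_, payload in packets if rtp_header_plausible(payload) is not None)


def classify_flows(packets, min_run=3):
    """Flow-based check: a UDP flow is RTP only if min_run consecutive packets share an SSRC
    and have consecutive sequence numbers. Returns {flow_key: bool}."""
    flows = defaultdict(list)
    for src, sport, dst, dport, payload in packets:
        flows[(src, sport, dst, dport)].append(rtp_header_plausible(payload))
    verdict = {}
    for key, headers in flows.items():
        run = best = 0
        prev = None
        for h in headers:
            if h is None:
                run = 0
            elif prev is not None and h["ssrc"] == prev["ssrc"] \
                    and h["seq"] == (prev["seq"] + 1) & 0xFFFF:
                run += 1
            else:
                run = 1
            best = max(best, run)
            prev = h
        verdict[key] = best >= min_run
    return verdict


def make_rtp(seq, ts, ssrc=0xDEADBEEF, pt=0, samples=160):
    """Constructed RTP packet: V=2, P=X=CC=0, M=0, PCMU (PT 0), 20 ms of 0xFF samples."""
    return struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + b"\xff" * samples


def make_dns_query(txid, name=b"example"):
    """Constructed DNS query for <name>.com; its transaction ID is what collides with the check."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = bytes([len(name)]) + name + b"\x03com\x00"
    return header + qname + struct.pack("!HH", 1, 1)


# Constructed sample traffic as (src, sport, dst, dport, udp_payload).
RTP_FLOW = ("10.0.0.1", 17654, "10.0.0.2", 1062)
DNS_FLOW = ("10.0.0.1", 40123, "10.0.0.53", 53)
SAMPLE_PACKETS = [RTP_FLOW + (make_rtp(1000 + i, 160 * i),) for i in range(5)] + [
    DNS_FLOW + (make_dns_query(0x8013),),  # 0x80 looks like "version 2", 0x13 like "PT 19"
    DNS_FLOW + (make_dns_query(0x8014),),
]

if __name__ == "__main__":
    print("per-packet check flags", per_packet_hits(SAMPLE_PACKETS), "of", len(SAMPLE_PACKETS))
    print("flow check:", classify_flows(SAMPLE_PACKETS))
```

Both DNS queries pass the per-packet check, so a dissector using only that test would show them as RTP, which is the "bogus" behaviour the reply wants to avoid. The flow-based check rejects them because the fields that would be the SSRC and sequence number do not behave like an RTP stream across packets. It is still a heuristic: it needs several packets before it can decide, and traffic designed to look like RTP will still pass, so the "Decode As" approach remains the reliable answer when the ports are known.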