I think this was misleading. Sniffer WAN files is terminology in Sniffer (in their save/as dialog). WAN seems to refer more to their current Windows version file format. They are not PPP, but Ethernet captures. Since Ethereal can already read the format (as identified in Ethereal as Sniffer Windows 2.00x), someone knows the file format.
The reason we originally talked about this was that I have a custom tool that will extract the audio payload and create sound files from the Sniffer Windows format capture files. I use Ethereal to capture and filter the traffic and save to Sniffer DOS format. I then read this into Sniffer and save as a "Sniffer WAN" .cap file. I can then use my tool to create the sound files.

As for RTP, they do it somehow and I have yet to have a misrepresented packet. Since RTP ports change all the time (Cisco uses 16K ports), I know there are no pre-configured port maps. I use Ethereal all the time and use the "decode as" often and it works perfectly (for both halves of the RTP conversation).

Thanks for looking at it.

Joe

-----Original Message-----
From: Guy Harris [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 17, 2002 2:36 PM
To: Joe Aiello
Cc: [EMAIL PROTECTED]
Subject: Re: [Ethereal-dev] RE: [Ethereal-users] Not seeing RTP or RTCP traffic on Win2K

On Wed, Apr 17, 2002 at 11:44:45AM -0700, Joe Aiello wrote:
> I noticed that Ethereal can read the Sniffer WAN.cap files and indicate that
> it is a "Network Associates Sniffer (Windows-Based) 2.00x format. This is
> displayed if you select file/save as. It seems the work to decode the
> format is there, just not to save as.

Unfortunately, it appears that Sniffer WAN (PPP) captures look like Ethernet captures; we'd have to implement code in Wiretap to translate PPP headers to Ethernet headers (including mapping protocol types - and, presumably, *discarding* packets for protocols that have PPP types but not Ethernet types) to be able to save them.

I will not be doing that any time soon. My plate is already massively over-full with other things....

> As for RTP, they must look at the UDP packets and check for the RTP header.

Perhaps they do, but, for what it's worth, we don't. I'm not sure I see anything immediately obvious that would work well as a heuristic to detect RTP. (Are you certain the Sniffer isn't configured to treat either port 1062 or port 17654 as RTP ports?)

So, until somebody can come up with a heuristic to detect RTP traffic *without* bogusly treating a bunch of non-RTP traffic as RTP, you'll either have to use the Sniffer, or use the "Decode As" option in Ethereal to force it to decode particular ports as particular protocols (selecting the first packet, selecting "Decode As..." from the Tools menu, selecting the source or destination port, selecting "RTP" from the list of protocols, and clicking "OK" causes it to show that traffic as RTP traffic).
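
The sketch below is an added example, not part of the thread and not Ethereal's or the Sniffer's code. It shows the kind of port-independent RTP heuristic the messages above discuss: a per-packet check of the RTP fixed header, then a per-flow check that makes false positives on other UDP traffic much less likely. The function names, thresholds and sample datagrams are assumptions constructed for illustration.

```python
import struct

RTP_MIN_HEADER = 12               # fixed RTP header size in bytes
RTCP_CONFLICT_PT = range(72, 77)  # payload types reserved to avoid RTCP collisions

def parse_rtp(payload: bytes):
    """Return (pt, seq, ssrc) if a UDP payload is a plausible RTP v2 packet, else None."""
    if len(payload) < RTP_MIN_HEADER:
        return None
    b0, b1, seq, _ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:                               # version field must be 2
        return None
    header_len = RTP_MIN_HEADER + 4 * (b0 & 0x0F)  # fixed header + CSRC list
    if b0 & 0x10:                                  # extension header present
        if len(payload) < header_len + 4:
            return None
        ext_words = struct.unpack("!H", payload[header_len + 2:header_len + 4])[0]
        header_len += 4 + 4 * ext_words
    if len(payload) < header_len:
        return None
    if b0 & 0x20:                                  # padding: last byte counts pad octets
        pad = payload[-1]
        if pad == 0 or pad > len(payload) - header_len:
            return None
    pt = b1 & 0x7F
    if pt in RTCP_CONFLICT_PT:
        return None
    return pt, seq, ssrc

def flow_is_rtp(payloads, min_packets=4, max_gap=16):
    """Flow-level check: constant SSRC and PT, sequence numbers advancing in small steps."""
    parsed = [parse_rtp(p) for p in payloads]
    if len(parsed) < min_packets or None in parsed:
        return False
    pt0, prev, ssrc0 = parsed[0]
    for pt, seq, ssrc in parsed[1:]:
        step = (seq - prev) & 0xFFFF               # modulo 2^16 handles wraparound
        if ssrc != ssrc0 or pt != pt0 or not 1 <= step <= max_gap:
            return False
        prev = seq
    return True

def make_rtp(seq, ts, ssrc=0x1234ABCD, pt=0):
    # Constructed sample: RTP v2, no padding/extension/CSRC, 160 payload bytes
    return struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, ts, ssrc) + b"\xff" * 160

RTP_FLOW = [make_rtp(65534 + i, 160 * i) for i in range(5)]  # crosses seq wraparound
# Constructed non-RTP datagrams whose first byte happens to have the top bits 10
NOISE_FLOW = [bytes([0x80, i * 37 % 72]) + bytes([i * 17 % 256] * 30) for i in range(5)]
```

Every datagram in NOISE_FLOW passes the per-packet check, which is the false-positive problem raised in the reply; only the flow-level consistency test separates it from RTP_FLOW.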
