RTP and RTCP or the real-time transport protocol. Was originally standardized in our AFC 1889.
It’s now thirty-five fifty although if you look at packets you really can’t tell the difference and many packets list that they are compliant with our AFC 1889. The real point of RTP is to encapsulate voice or video data packets and really what we’re talking about is real-time transmission. So this is not something that you would use for FTB or anything like that.
Standardised real-time transmission
It is for real-time data and in particular we’re talking about RTP in just about any standardised real-time transmission you’re going to see the data voice data video data encapsulated in RTP packets it is UDP based because you don’t want to wait for lost voice or video packets you want to move right along because it can actually be disconcerting to get packets out of order or delayed. And so RTP, unlike the signaling protocols, is encapsulated in UDP and now this shows an example of the RTP packet from the perspective of the RSA.
So the top one is the actual packets the packet structure you would see in the RNC and the bottom here is an actual RTP packet and you can see that obviously, they’re the same. I just want to put them side by side so you could see how the risk version looks and the actual version looks we’ll be going through the fields here in just a second.
I like to break up RTP into the first and second attacks as far as the fields go and then the rest of the fields. So the first one is very similar to the kind of things that you would see in just about any packet. There’s a version whether or not this particular one has padding extension as well maybe that’s a topic for another day but RTP is expandable meaning that you can have lots and lots of extensions or options associated with RTP and actually at the end of this video we’ll see an example of one contributing source identifiers count.
This means or this is referring to the number of different sources for the data often this is zero because there’s no contributing source just the single source but there is this option because sometimes you have voice and audio I’m sorry video and audio in the same packet.
So here’s our second octet. The first one is a marker of the first bit is a marker. And this just is for measuring purposes provides a boundary in the data stream.
The second group of bits there the payload indicates what type of data you’re actually carrying. Remember that RTP data is just hexadecimal values. And if you just said here’s the data you would have no way of determining what was actually being carried. So the payload tells us what codec was used to encapsulate this data and in the capture, you can see down there the G death 729 was the codec used I’m moving out a little bit into the header RTP is concerned with sequence numbers.
We’re worried about this for replay attacks and things like that. So here’s an example of the sequencing. In this particular example, we can see that
Now next up is the timestamp just the next field over and I’ve just circled it here and this gives us an indication of when the first sampling was done for this particular voice data or chunk of voice data and the timing of this timestamp is very closely tied with the sampling rate so you can see that the time increment between these samples is pretty standard. And that’s because they’re all generated from the same codec.
Next up we have the synchronizing source or the synchronization source identifier. This is the creator of this particular real-time her voice stream. This one happens to be from the GDR at 711 sources. Doesn’t really matter all of the packets from the source identify that source. And so what we can do is organize or group the packets for plague playback at the bottom of this selection. Here we can see that the source IP address changed and so the synchronization source identifier also has to change contributing source. Now, this is again a different packet capture because I wanted to combine audio and video and in this particular case, we can see that these all come from 190 to 160 sixteen that one twelve.
But in the same set of packets, we’ve got two different source identifiers. Even though they came from the same guy. And that’s because we have a mix and we can see here that H.R. two sixty-four identifies the video codec that was used and siren 14, in this case, was polycarbonate and really tell us what it was just the value given to us by RTP. Was the audio stream. Now you can’t talk about RC Thirty-five fifty without talking a little bit about thirty-five fifty-one because Thirty-five fifty-one was the first place that we started to identify and describe the Codex that would be used to encapsulate or to create the voice or video packets that would be encapsulated in RTP.
So our FC Thirty-five fifty-one provides a lot of the background in the documentation for these. They also provided or at least initially provided the tables that we use to describe the Codex and here are two of the codex pulled right out of the risk tables four and five
From thirty five fifty one and they go on the left here the audio codecs and then on the right we’ve got some video codecs that were identified you could see some of our common names here a shot two sixty three for video g the 729 G that 722 and PCM a or P CMU those are g that 7 11 versions the RNC for RTP actually also includes R T C P or real-time transport protocol control protocol and what this is primarily used for is to provide feedback or quality of service information about the RTP stream
So you’ll see RTC packets sprinkled in throughout the stream of RTP packets and the whole point is to provide this data but it’s important to note that the RTP data or packets are separate from the RTP stream so they use different identifiers different ports different everything and they have their own types of messages defined that I’ve listed there at the bottom one note here is that when our TV and our DCP are used together they’re supposed to use even an odd ports although it’s not always true. This isn’t just an example of that. And then you can see at the bottom there that RTP packets are intermixed with the RTP packets although there aren’t anywhere near as many of them.
Now the source description RTP message is just that it describes the connection point provides information about the original source for the data. But again this is different than the synchronization source idea used by RTP and so and it tries to provide some way to identify in human readable format the source of this guy
That’s the source description.
Rtc message the center and receiver reports provide the actual quality of service or performance data. And here we can see examples of where are renaming that this is the center report. We got an ID for the synchronization source. From the perspective of our DCP and then we’ve got the packet and octet counts and then a timestamp that allows us to calculate the performance. This also happens to be what we call a compound packet because it actually has two different RTP packets in it. So we’ve got a center report and then at the bottom we see a source description.
And so our DCP is an example of a protocol that uses compound packets now for those of you that are wire shark aficionados or use things like wild packets RTP you know that there’s a player built into the packet capture or analyzer software. So if I gave you a bunch of RTP packets you could play them back as long as the software understood the codec that I was using in the case of wire shark wire shark understands she got 711 so if I gave you a series of packets encoded with G that 711 you could play it back right inside my shirt.
Pretty cool. So RTP is very vulnerable to eavesdropping. Well, what can you do about that? You can encrypt the data which means that why sure couldn’t play it back. You could also obscure the codec. You could hide the value you could use one of the RTP dynamic types. Kind of like Polycom does and not advertise what codec you’re using. That also makes it difficult to play it back. Archie P and Artie C.P. both have extensions. S RTP and SRT are the secure versions and the whole point is to authenticate part of the packet and then encrypt the data portion. And so these are what we call extensions to RTP and RTP because they just expand the header and add extra functionality while we’re getting a little long here.