Wireshark mailing list archives

Problem playing RTP+AMR decoded call


From: Rayed Alrashed <rayed () rayed com>
Date: Fri, 4 Dec 2015 16:42:38 +0300

Hello,

I am trying to decode an RTP call from a pcap file from the Wireshark sample
captures https://wiki.wireshark.org/SampleCaptures, mainly "Mobile
Terminating Call(AMR).pcap".

When I extracted the RTP payload it didn't match any AMR encoding that I
saw in other files, that matched the RFC 4867, and when I tried to
inspect the payload using this tshark dump I noticed a pattern of
incrementing numbers on the first byte that I couldn't understand, and
didn't fit any RFC or specification I came across.

$ tshark -nr wireshark_mtc.pcap -Y udp.srcport==40002 -T fields -e rtp.payload -d "udp.port==40002,rtp" | cut -c 1-30
*e0*:00:dd:06:16:00:51:67:3c:01:
*00*:00:00:96:91:17:16:be:66:79:
*01*:00:e1:1c:48:77:24:96:66:79:
*02*:00:7d:27:55:00:88:b6:66:79:
*03*:00:9d:0a:48:f9:1f:96:66:79:
*04*:00:fa:5e:54:fd:1f:b6:66:79:
*05*:00:18:c7:48:f5:1f:96:66:79:
*06*:00:86:5e:54:fd:1f:b6:66:79:
*07*:08:0d:98:00:00:00:00:0c
*08*:08:25:a9:00:00:00:00:1c
*09*:08:c5:a9:00:00:00:00:1c
*0a*:08:59:a9:00:00:00:00:1c
*0b*:08:b9:a9:00:00:00:00:1c
*0c*:08:dd:a9:00:00:00:00:1c
*0d*:08:3d:a9:00:00:00:00:1c
*0e*:08:a1:a9:00:00:00:00:1c
*0f*:08:41:a9:00:00:00:00:1c

Any idea on what kind of format would start with this pattern?


Thanks,
Rayed