Category: Sniffing & Spoofing. Tags: rtp, voip, sniffing, reconstruction, pcap, network

rtpbreak

rtpbreak detects, reconstructs, and analyzes RTP sessions from packet captures or live network traffic. It generates output files for further analysis with tools like Wireshark or SoX without requiring RTCP packets or specific signaling protocols.

Description

rtpbreak is a tool designed to detect, reconstruct, and analyze Real-time Transport Protocol (RTP) sessions. It processes sequences of packets from network interfaces or pcap files, producing output files suitable for analysis with tools such as Wireshark/tshark, SoX, or text processing utilities like grep, awk, cut, cat, and sed. The tool operates independently of signaling protocols like SIP, H.323, or SCCP, and does not require RTCP packets, making it versatile for RTP traffic inspection.

Use cases include VoIP traffic analysis, reconstruction of audio streams from captured packets, and investigation of RTP-based communications in wireless networks (supporting AP_DLT_IEEE802_11). It fills gaps caused by lost packets and supports promiscuous mode sniffing for comprehensive capture. Output includes RTP raw dumps, pcap dumps, and noise packets, enabling detailed forensic examination of sessions.

The tool is particularly useful in network security contexts where RTP traffic needs to be dissected without prior knowledge of session parameters, providing flexibility through various filtering and expectation options for ports, payload types, and lengths.

How It Works

rtpbreak reads packets from a pcap file (-r) or a live network interface (-i), optionally forcing the datalink header length (-L). It identifies RTP sessions from the UDP ports and the RTP header fields alone, narrowed by the expectations you set: payload type (-y), payload length (-l), even destination port (-e), unprivileged ports (-u), and an additional pcap filter (-p). Two timeouts govern detection: the packet timeout (-t) closes a session after silence, and the pattern timeout (-T) bounds how long a candidate flow has to prove itself as RTP. Detected sessions are reconstructed by optionally filling gaps left by lost packets (-g); each session is written as a raw RTP dump (unless disabled with -w) and a pcap dump (unless disabled with -W), with non-matching "noise" packets dumped on request (-n). Output goes to the directory given with -d, and -m enables promiscuous mode for broad capture. Because it relies only on the RTP packets themselves, it works without RTCP, independently of the signaling protocol, and over wireless links.
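To make the detection and reconstruction steps concrete, here is an added Python example (not rtpbreak's own code) that does in miniature what the paragraph describes: it validates RTP v2 headers on UDP datagrams, applies filters equivalent to -e, -u, -y and -l, groups packets into sessions by flow and SSRC, and then reorders by sequence number, filling lost packets with silence as -g does. The packets, addresses, ports and SSRC are constructed for the example; the "three valid packets make a session" rule is an assumed simplification of rtpbreak's pattern detection.

```python
"""Toy RTP session detector and gap-filler (added example, not rtpbreak code)."""
import struct
from collections import defaultdict


def build_rtp(seq, ts, ssrc, pt=0, payload=b"\x7f" * 8, marker=False):
    """Build a minimal RTP packet: 12-byte fixed header (RFC 3550) + payload."""
    b0 = 0x80                                   # V=2, P=0, X=0, CC=0
    b1 = (0x80 if marker else 0) | (pt & 0x7F)  # marker bit + payload type
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


def parse_rtp(data):
    """Parse an RTP v2 header; return None if the datagram does not look like RTP."""
    if len(data) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:                 # RTP version field must be 2
        return None
    hdr_len = 12 + 4 * (b0 & 0x0F)   # skip the CSRC list, 4 bytes per entry
    if (b0 >> 4) & 1:                # header extension present
        if len(data) < hdr_len + 4:
            return None
        ext_words = struct.unpack("!H", data[hdr_len + 2:hdr_len + 4])[0]
        hdr_len += 4 + 4 * ext_words
    if len(data) < hdr_len:
        return None
    return {"pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc, "payload": data[hdr_len:]}


def matches_expectations(flow, hdr, even_dst=False, unprivileged=False, pt=None, plen=None):
    """Filters analogous to rtpbreak's -e, -u, -y and -l options."""
    src_port, dst_port = flow[1], flow[3]
    if even_dst and dst_port % 2:
        return False
    if unprivileged and (src_port <= 1024 or dst_port <= 1024):
        return False
    if pt is not None and hdr["pt"] != pt:
        return False
    if plen is not None and len(hdr["payload"]) != plen:
        return False
    return True


def detect_sessions(datagrams, min_packets=3, **expect):
    """Group (src, sport, dst, dport, bytes) tuples into RTP sessions keyed by flow + SSRC.
    A flow counts as a session only once min_packets valid RTP packets were seen
    (an assumed simplification of rtpbreak's pattern detection)."""
    sessions = defaultdict(list)
    for src, sport, dst, dport, data in datagrams:
        hdr = parse_rtp(data)
        flow = (src, sport, dst, dport)
        if hdr is None or not matches_expectations(flow, hdr, **expect):
            continue                  # "noise": not RTP, or outside the expectations
        sessions[flow + (hdr["ssrc"],)].append(hdr)
    return {k: v for k, v in sessions.items() if len(v) >= min_packets}


def reconstruct(packets, fill_gaps=True, silence=b"\xff"):
    """Reorder by sequence number (16-bit wrap-safe) and optionally replace each
    lost packet with silence, as rtpbreak -g does. Returns (raw_audio, lost_count)."""
    base = packets[0]["seq"]
    ordered = sorted(packets, key=lambda h: (h["seq"] - base) & 0xFFFF)
    out, lost = bytearray(), 0
    expected = ordered[0]["seq"]
    for h in ordered:
        gap = (h["seq"] - expected) & 0xFFFF
        if gap > 0x8000:              # duplicate or stale retransmission: drop it
            continue
        if gap:
            lost += gap
            if fill_gaps:
                out += silence * (len(h["payload"]) * gap)
        out += h["payload"]
        expected = (h["seq"] + 1) & 0xFFFF
    return bytes(out), lost


# Constructed sample: one PCMU (pt 0) stream with seq 1003 lost, plus one non-RTP datagram.
SAMPLE_FLOW = ("10.0.0.1", 40000, "10.0.0.2", 5004)
SAMPLE_SSRC = 0xDEADBEEF
SAMPLE_DATAGRAMS = [
    SAMPLE_FLOW + (build_rtp(seq, 160 * i, SAMPLE_SSRC, pt=0),)
    for i, seq in enumerate([1000, 1001, 1002, 1004, 1005])
] + [("10.0.0.9", 53, "10.0.0.2", 53, b"\x12\x34\x01\x00" + b"\x00" * 8)]  # DNS-like, not RTP


def demo():
    """Run detection + reconstruction on the sample; returns (sessions, lost, audio_len)."""
    sessions = detect_sessions(SAMPLE_DATAGRAMS, even_dst=True, pt=0)
    audio, lost = reconstruct(sessions[SAMPLE_FLOW + (SAMPLE_SSRC,)])
    return len(sessions), lost, len(audio)


if __name__ == "__main__":
    print(demo())   # (1, 1, 48): one session, one lost packet, 6 x 8 bytes of audio
```

The raw bytes returned by reconstruct are the equivalent of rtpbreak's raw dump: with the gap filled, the timing of the stream is preserved, so a G.711 payload can be fed straight to an audio tool as a continuous recording; without filling, the recording is shorter and the lost frame is silently skipped.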

Installation

```bash
sudo apt install rtpbreak
```

Flags

-r <str>    Read packets from pcap file <str>
-i <str>    Read packets from network interface <str>
-L <int>    Force datalink header length == <int> bytes
-d <str>    Set output directory to <str> (def: .)
-w          Disable RTP raw dumps
-W          Disable RTP pcap dumps
-g          Fill gaps in RTP raw dumps (caused by lost packets)
-n          Dump noise packets
-f          Disable stdout logging
-F          Enable syslog logging
-v          Be verbose
-m          Sniff packets in promisc mode
-p <str>    Add pcap filter <str>
-e          Expect even destination UDP port
-u          Expect unprivileged source/destination UDP ports (>1024)
-y <int>    Expect RTP payload type == <int>
-l <int>    Expect RTP payload length == <int> bytes
-t <float>  Set packet timeout to <float> seconds (def: 10.00)
-T <float>  Set pattern timeout to <float> seconds (def: 0.25)
-Z <str>    Run as user <str>
-D          Run in background (option -f implicit)
-k          List known RTP payload types
-h          This

Examples

Analyze RTP traffic on interface eth0, fill in gaps, sniff in promiscuous mode, and save to the directory rtplog:

```bash
rtpbreak -i eth0 -g -m -d rtplog
```

Read packets from a pcap file for RTP analysis:

```bash
rtpbreak -r <pcapfile>
```

Sniff RTP on interface eth0 in promiscuous mode with a pcap filter for a specific UDP port:

```bash
rtpbreak -i eth0 -m -p 'udp port 5004'
```

Capture on eth0, fill gaps, verbose output to directory ./output:

```bash
rtpbreak -i eth0 -g -d ./output -v
```

Expect unprivileged ports and RTP payload type 0, output to rtplog:

```bash
rtpbreak -i eth0 -u -y 0 -d rtplog
```

Process a pcap file, dump noise packets, disable RTP raw dumps:

```bash
rtpbreak -r capture.pcap -n -w
```

Sniff on a wireless interface in promiscuous mode with a 5-second packet timeout:

```bash
rtpbreak -i wlan0 -m -t 5.0 -d wireless_rtp
```
Updated 2026-04-16 (source: kali.org)