I captured a tcpdump of a SIP call to debug a DTMF problem (repeated digits), but I have some problems interpreting it.
From what I understand, when I parse the captured traffic through Wireshark's "VOIP CALL", I should see something like this (for digits 123):
CAPTURE 1
RTP telephone event DTMF One 1
(end of event)
RTP telephone event DTMF Two 2
(end of event)
RTP telephone event DTMF Three 3
(end of event)
But I'm seeing this instead:
CAPTURE 2
RTP telephone event DTMF One 1
RTP telephone event DTMF One 1
RTP telephone event DTMF One 1
(end)
RTP telephone event DTMF Two 2
RTP telephone event DTMF Two 2
RTP telephone event DTMF Two 2
(end)
RTP telephone event DTMF Two 3
RTP telephone event DTMF Two 3
RTP telephone event DTMF Two 3
(end)
On 1 system, CAPTURE 2 is detected as 123, but on another system it seems to decode this as having repeated digits. What's the reason for Wireshark not grouping them together as a single RTP event?
This is the RTP traffic flow:
CAPTURE 1:
RTP EVENT DTMF 1
RTP EVENT DTMF 1
RTP EVENT DTMF 1 (end)
RTP EVENT DTMF 1 (end)
RTP EVENT DTMF 1 (end)
RTP EVENT DTMF 2
RTP EVENT DTMF 2
RTP EVENT DTMF 2 (end)
RTP EVENT DTMF 2 (end)
RTP EVENT DTMF 2 (end)
RTP EVENT DTMF 3
RTP EVENT DTMF 3
RTP EVENT DTMF 3 (end)
RTP EVENT DTMF 3 (end)
RTP EVENT DTMF 3 (end)
RTP PAYLOAD
...
...
...
RTP PAYLOAD
whereas CAPTURE 2 is:
RTP EVENT DTMF 1
RTP PAYLOAD
RTP EVENT DTMF 1
RTP PAYLOAD
RTP EVENT DTMF 1 (end)
RTP PAYLOAD
RTP EVENT DTMF 1 (end)
RTP PAYLOAD
RTP EVENT DTMF 1 (end)
RTP PAYLOAD
RTP PAYLOAD
RTP PAYLOAD
RTP PAYLOAD
RTP PAYLOAD
RTP EVENT DTMF 2
RTP PAYLOAD
RTP EVENT DTMF 2
RTP PAYLOAD
RTP EVENT DTMF 2 (end)
RTP PAYLOAD
RTP EVENT DTMF 2 (end)
RTP PAYLOAD
RTP EVENT DTMF 2 (end)
RTP PAYLOAD
RTP PAYLOAD
RTP PAYLOAD
RTP PAYLOAD
RTP EVENT DTMF 3
RTP PAYLOAD
RTP EVENT DTMF 3
RTP PAYLOAD
RTP EVENT DTMF 3 (end)
RTP PAYLOAD
RTP EVENT DTMF 3 (end)
RTP PAYLOAD
RTP EVENT DTMF 3 (end)
RTP PAYLOAD
RTP PAYLOAD
RTP PAYLOAD
RTP PAYLOAD
RTP PAYLOAD
RTP PAYLOAD
Is CAPTURE 2 following RFC2833?
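
An added example, not part of the original post: in RFC 2833 every packet of one event carries the same RTP timestamp (the event start), so a receiver can collapse updates and redundant end packets into one key press even when audio packets sit between them, as in CAPTURE 2. Payload type 101, the SSRC and the sample packets are constructed assumptions; `fixed_ts=False` builds a hypothetical stream whose event packets each get a new timestamp.

```python
import struct

DTMF_PT = 101                      # assumption: dynamic payload type from SDP
EVENT_NAMES = "0123456789*#ABCD"   # RFC 2833 event codes 0-15

def parse_rtp(pkt):
    """Return (payload_type, timestamp, ssrc, payload) from a raw RTP packet."""
    b0, b1, _seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    header_len = 12 + 4 * (b0 & 0x0F)   # skip CSRC list; header extension not handled
    return b1 & 0x7F, ts, ssrc, pkt[header_len:]

def decode_digits(packets):
    """Count one key press per (ssrc, timestamp); audio in between is ignored."""
    seen, digits = set(), []
    for pkt in packets:
        pt, ts, ssrc, payload = parse_rtp(pkt)
        if pt != DTMF_PT or len(payload) < 4:
            continue                     # audio or truncated event payload
        event, _flags, _duration = struct.unpack("!BBH", payload[:4])
        if (ssrc, ts) in seen or event >= len(EVENT_NAMES):
            continue                     # update or end-of-event retransmission
        seen.add((ssrc, ts))
        digits.append(EVENT_NAMES[event])
    return "".join(digits)

def rtp(pt, seq, ts, payload, ssrc=0x1234):
    """Build a minimal RTP packet (constructed test data)."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload

def sample_stream(fixed_ts=True):
    """Constructed packets shaped like CAPTURE 2: events interleaved with audio."""
    out, seq = [], 0
    for i, digit in enumerate((1, 2, 3)):
        start = 8000 * i                 # event start, in RTP timestamp units
        for n, end in enumerate((0, 0, 1, 1, 1)):
            ts = start if fixed_ts else start + 160 * n
            body = struct.pack("!BBH", digit, (end << 7) | 10, min(160 * (n + 1), 480))
            out.append(rtp(DTMF_PT, seq, ts, body))
            out.append(rtp(0, seq + 1, start + 160 * (n + 1), b"\xff" * 160))
            seq += 2
    return out

if __name__ == "__main__":
    print(decode_digits(sample_stream()))                # same timestamp per event
    print(decode_digits(sample_stream(fixed_ts=False)))  # new timestamp per packet
```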