With RTPBreak you can detect, reconstruct and analyze any RTP session. It doesn’t require the presence of RTCP packets and works independently from the signaling protocol in use (SIP, H.323, SCCP, …). The input is a sequence of packets; the output is a set of files you can use as input for other tools (wireshark/tshark, sox, grep/awk/cut/cat/sed, …). It also supports wireless (AP_DLT_IEEE802_11) networks.

  • reconstruct any RTP stream with an unknown or unsupported signaling protocol

  • reconstruct any RTP stream in wireless networks, while doing channel hopping (VoIP activity detector)

  • reconstruct and decode any RTP stream in batch mode (with sox, asterisk, …)

  • reconstruct any already existing RTP stream

  • reorder the packets of any RTP stream for later analysis (with tshark, wireshark, …)

  • build a tiny wireless VoIP tapping system in a single chip Linux unit

  • build a complete VoIP tapping system (rtpbreak would be just the RTP dissector module!)



rtpbreak (-r|-i) <source> [options]



  -r <str>      Read packets from pcap file <str>
  -i <str>      Read packets from network interface <str>
  -L <int>      Force datalink header length == <int> bytes


  -d <str>      Set output directory to <str> (def:.)
  -w            Disable RTP raw dumps
  -W            Disable RTP pcap dumps
  -g            Fill gaps in RTP raw dumps (caused by lost packets)
  -n            Dump noise packets
  -f            Disable stdout logging
  -F            Enable syslog logging
  -v            Be verbose


  -m            Sniff packets in promisc mode
  -p <str>      Add pcap filter <str>
  -e            Expect even destination UDP port
  -u            Expect unprivileged source/destination UDP ports (>1024)
  -y <int>      Expect RTP payload type == <int>
  -l <int>      Expect RTP payload length == <int> bytes
  -t <float>    Set packet timeout to <float> seconds (def:10.00)
  -T <float>    Set pattern timeout to <float> seconds (def:0.25)
  -P <int>      Set pattern packets count to <int> (def:5)


  -Z <str>      Run as user <str>
  -D            Run in background (option -f implicit)


  -k            List known RTP payload types
  -h            This
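The options -e, -u, -y, -P and -T above describe a signaling-independent heuristic. The sketch below is an added example, not rtpbreak's own code: it assumes a "pattern" means -P packets of one flow with an RTP version 2 header, the same SSRC and consecutive sequence numbers, each arriving within -T seconds of the previous one. The names parse_rtp, detect_streams and rtp, and all sample addresses, are hypothetical.

```python
import struct

def parse_rtp(payload):
    """Return (payload_type, seq, ssrc) for an RTP version 2 header, else None."""
    if len(payload) < 12:                      # fixed RTP header is 12 bytes
        return None
    b0, b1, seq, _ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:                           # version field must be 2
        return None
    return b1 & 0x7F, seq, ssrc                # mask off the marker bit

def detect_streams(packets, count=5, pattern_timeout=0.25,
                   even_dport=False, unprivileged=False, payload_type=None):
    """packets: (time, src, sport, dst, dport, udp_payload) tuples in capture order."""
    runs, found = {}, []                       # runs: flow -> (length, last_seq, last_time)
    for t, src, sport, dst, dport, data in packets:
        if even_dport and dport % 2:           # like -e
            continue
        if unprivileged and min(sport, dport) <= 1024:   # like -u
            continue
        hdr = parse_rtp(data)
        if hdr is None or (payload_type is not None and hdr[0] != payload_type):
            continue                           # not RTP, or wrong type (like -y)
        pt, seq, ssrc = hdr
        key = (src, sport, dst, dport, ssrc, pt)
        n, last_seq, last_t = runs.get(key, (0, 0, 0.0))
        in_run = n and seq == (last_seq + 1) & 0xFFFF and t - last_t <= pattern_timeout
        n = n + 1 if in_run else 1
        runs[key] = (n, seq, t)
        if n == count and key not in found:    # assumed -P / -T semantics
            found.append(key)
    return found

def rtp(pt, seq, ts, ssrc, size=160):
    """Build a constructed RTP packet: 12-byte header plus dummy payload."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + b"\x00" * size

# Constructed sample: six PCMU (type 0) packets 20 ms apart whose sequence
# numbers wrap at 65535, mixed with two unrelated UDP payloads.
FLOW = ("10.0.0.1", 40000, "10.0.0.2", 40002)
SAMPLE = [(0.02 * i, *FLOW, rtp(0, (65533 + i) & 0xFFFF, 160 * i, 0x1234ABCD))
          for i in range(6)]
SAMPLE.insert(2, (0.03, "10.0.0.9", 53000, "10.0.0.2", 53, b"\x12\x34\x01\x00" + b"\x00" * 20))
SAMPLE.insert(4, (0.05, "10.0.0.7", 5000, "10.0.0.8", 5001, rtp(8, 7, 0, 0x55)))

if __name__ == "__main__":
    for src, sport, dst, dport, ssrc, pt in detect_streams(SAMPLE):
        print(f"RTP stream {src}:{sport} -> {dst}:{dport} ssrc={ssrc:#x} pt={pt}")
```

Only the six-packet flow is reported; the lone packet with a valid-looking header never reaches the pattern count, which is why a larger -P lowers false positives at the cost of later detection.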


cyborg@cyborg:~$ sudo rtpbreak -i eth0  -g -v
30/10/2015#16:51:40 init_opt:537: + rtpbreak v1.3a running here!
30/10/2015#16:51:40 init_opt:538: + pid: 26577, date/time: 30/10/2015#16:51:40
30/10/2015#16:51:40 init_opt:543: + cmd: rtpbreak '-i' 'eth0' '-g' '-v' ''
30/10/2015#16:51:40 init_opt:549: + Configuration
30/10/2015#16:51:40 init_opt:551:   + INPUT
30/10/2015#16:51:40 init_opt:552:     Packet source: iface 'eth0'
30/10/2015#16:51:40 init_opt:559:     Force datalink header length: disabled
30/10/2015#16:51:40 init_opt:565:   + OUTPUT
30/10/2015#16:51:40 init_opt:567:     Output directory: '.'
30/10/2015#16:51:40 init_opt:568:     RTP raw dumps: enabled
30/10/2015#16:51:40 init_opt:569:     RTP pcap dumps: enabled
30/10/2015#16:51:40 init_opt:572:     Fill gaps: enabled
30/10/2015#16:51:40 init_opt:574:     Dump noise: disabled
30/10/2015#16:51:40 init_opt:580:     Logfile: './rtp.2.txt'
30/10/2015#16:51:40 init_opt:581:     Logging to stdout: enabled
30/10/2015#16:51:40 init_opt:582:     Logging to syslog: disabled
30/10/2015#16:51:40 init_opt:583:     Be verbose: enabled
30/10/2015#16:51:40 init_opt:584:   + SELECT
30/10/2015#16:51:40 init_opt:585:     Sniff packets in promisc mode: disabled
30/10/2015#16:51:40 init_opt:587:     Add pcap filter: disabled
30/10/2015#16:51:40 init_opt:593:     Expecting even destination UDP port: disabled

©2018 Ztrela Knowledge Solutions Pvt. Ltd