RDP over RTP - Lync 2013 conference with screen sharing

  • Question

  • I am having trouble decoding RDP packets inside RTP packets. The traffic during the conference was recorded using Wireshark. All the data is exchanged over the TCP network protocol. Many of those packets carry, in their data part, RTP packets marked as 0x7F (RTP payload type RDP, [MS-RTP] page 14; 0x7f = 127).

    Following the [MS-RTASPF] and [MS-RTP] documents, the interpretation of RTP was simple. The problem lies in the RDP packet stream. It does not match the [MS-RDPBCGR] document in any way.

    Example of RTP inside TCP data:

    008d - length of the RTP packet, 141 decimal - defined in http://www.ietf.org/rfc/rfc4571.txt

    RTP Header

    80 - RTP version

    7f - RTP type - RDP

    5737 - Sequence

    10fb4d41 - Timestamp

    d8af62fb - SSRC - identifies synchronization source

    RDP Packet

    22a10565b3b5a681dfdadc8f63db9f45fe6f911635a17eb76d5182d72e772b8938c3f3e472918c06e71f86aadcf6ed277567b5220de8f9c6ecfeb7cbaeaca213aa0ce0a973855713927b6b918f710ebec8798b026e1e53963619d7e3b1e7998bc06c0c50c89e63772f058d09a0988f50c00799ec6655013844700041e48045918b

    Example of valid RDP packet using T.125:

    TPKT Header

    03 - version

    00 - reserved

    01 65 - length

    X.224 Data TPDU

    02 - Length

    f0 - PDU type DT data

    80 - TPDU No & last data unit

    64 00 06 03 eb 70 81 – SendDataRequest

    Etc.

    My expectation was that the packet would begin with TPKT, followed by the TPDU. The RDP packet in RTP doesn't respect any rules described in [MS-RDPBCGR]. Can you please point me to the right approach for decoding/decrypting the RDP packet inside RTP?

    Thank you!

    Friday, January 24, 2014 9:35 AM

Answers

  • Hello Srnux,

    I see you have discussions going with "Marc Andre" and to delve into this further a decrypted RDP packet capture may be necessary.

    Please forward a decrypted RDP trace to "dochelp<at>Microsoft<dot>com" and I will investigate further.

    Regards,

    Mark Miller | Escalation Engineer | Microsoft Open Protocols Team

    Thursday, January 30, 2014 5:01 PM

All replies

  • Hi,

    I am from the FreeRDP project and I am currently looking to set up a test Lync server with self-signed certificates to make packet captures to analyze RDP screen sharing sessions like you are doing. At a first glance this does not look like a TPKT header, that is correct. Is this the very first message you see? If you can send me the packet captures at mamoreau[at]awakecoding.com I promise I'll at least take a look and tell you what I think.

    Friday, January 24, 2014 4:21 PM
  • Hi Srnux,

    Thank you for your question. A member of the Protocol Documentation support team will respond to you soon.

    Regards,
    Vilmos Foltenyi - MSFT

    Friday, January 24, 2014 5:36 PM
  • Thank you for the offered help! I must first consult my colleague and will ask for permission to share these logs.

    I really appreciate the work you did with FreeRDP. I have encountered a portion of your code on GitHub, the FreeRDP Wireshark dissector.

    Saturday, January 25, 2014 3:44 PM
  • Marc-André,

    Could you, please, provide example RDP packets containing TS_UPDATE_BITMAP data?

    Have searched in various .pcap Wireshark example files and the web but with no luck.

    Thanks in advance!

    Saturday, January 25, 2014 8:38 PM
  • Hi Srnux,

    I looked at your packet capture and it definitely does not contain decrypted RDP traffic. If you want to capture and decrypt "regular" RDP traffic, I suggest you follow my notes here: https://github.com/awakecoding/FreeRDP-Manuals/blob/master/Configuration/FreeRDP-Configuration-Manual.markdown

    I'm thinking that there must be a TLS connection done over RTP. In this case, we'd need to look for a TLS handshake somewhere in those packets. It may look overkill to do TLS over RTP, but that's exactly how it works in other parts of RDP like TS Gateway, where RDP is tunnelled over two HTTPS connections but still does a complete TLS connection over it.

    I'm curious, how did you configure your test environment to generate this packet capture?

    Monday, January 27, 2014 4:14 PM
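As an added example (not code from this thread, from Microsoft, or from FreeRDP), the following Python parser splits the RFC 4571 length-prefixed RTP packet from the question, decodes the RTP fixed header, and then checks whether the payload begins like TPKT-framed RDP or like a TLS record, the possibility Marc-André raises above. The frame bytes are the question's own dump; the TPKT and TLS header checks are heuristics assumed here for illustration, not anything the documents or the thread confirm.

```python
import struct

# Constructed from the question's dump: 2-byte RFC 4571 length, 12-byte RTP
# header, then the 129 opaque payload bytes the question labels "RDP Packet".
SAMPLE_FRAME = bytes.fromhex(
    "008d"                                   # 141 bytes of RTP follow
    "807f" "5737" "10fb4d41" "d8af62fb"      # V=2 PT=0x7f, seq, timestamp, SSRC
    "22a10565b3b5a681dfdadc8f63db9f45fe6f911635a17eb76d5182d72e772b89"
    "38c3f3e472918c06e71f86aadcf6ed277567b5220de8f9c6ecfeb7cbaeaca213"
    "aa0ce0a973855713927b6b918f710ebec8798b026e1e53963619d7e3b1e7998b"
    "c06c0c50c89e63772f058d09a0988f50c00799ec6655013844700041e48045918b"
)


def parse_rfc4571_frame(data: bytes) -> dict:
    """Strip the RFC 4571 length prefix and decode the RTP fixed header (RFC 3550)."""
    (length,) = struct.unpack("!H", data[:2])
    pkt = data[2:2 + length]
    if len(pkt) != length or length < 12:
        raise ValueError(f"bad frame: length field {length}, {len(pkt)} bytes present")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError(f"unexpected RTP version {b0 >> 6}")
    hdr_len = 12 + 4 * (b0 & 0x0F)           # CSRC identifiers, 4 bytes each
    if b0 & 0x10:                             # X bit: profile header extension
        hdr_len += 4 + 4 * struct.unpack("!H", pkt[hdr_len + 2:hdr_len + 4])[0]
    payload = pkt[hdr_len:]
    if b0 & 0x20 and payload:                 # P bit: last byte is the pad count
        payload = payload[:max(0, len(payload) - payload[-1])]
    return {"length": length, "marker": bool(b1 & 0x80), "payload_type": b1 & 0x7F,
            "sequence": seq, "timestamp": ts, "ssrc": ssrc, "payload": payload}


def classify_payload(payload: bytes) -> str:
    """Say whether the payload starts like TPKT-framed RDP, a TLS record, or neither."""
    if len(payload) >= 4 and payload[:2] == b"\x03\x00":
        if struct.unpack("!H", payload[2:4])[0] == len(payload):   # TPKT length field
            return "tpkt"
    # TLS record header: content type 0x14-0x17, version 3.0 to 3.3 (assumed heuristic)
    if len(payload) >= 5 and 0x14 <= payload[0] <= 0x17 and payload[1] == 3 and payload[2] <= 3:
        return "tls-record"
    return "unknown"


if __name__ == "__main__":
    r = parse_rfc4571_frame(SAMPLE_FRAME)
    print(f"pt=0x{r['payload_type']:02x} seq={r['sequence']} payload={len(r['payload'])}B "
          f"kind={classify_payload(r['payload'])}")  # pt=0x7f seq=22327 payload=129B kind=unknown
```

The length field of the question's frame matches exactly 12 header bytes plus the 129 payload bytes, so the RTP layer parses cleanly; the payload itself matches neither TPKT nor a TLS record start, which is why a decrypted trace (as the later replies request) is needed to go further.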
  • Hi Srnux,

    Thank you for your question. A member of the Protocol Documentation support team will respond to you soon.

    Regards,
    Vilmos Foltenyi - MSFT

    Any updates on this?

    Thursday, January 30, 2014 2:51 PM