The Association of Digital Forensics, Security and Law (ADFSL)


This paper presents a fast multi-stage method for on-line detection of RTP streams and codec identification of transmitted voice or video traffic. The method includes an RTP detector that filters packets based on specific values from UDP and RTP headers. When an RTP stream is successfully detected, codec identification is applied using codec feature sets. The paper shows advantages and limitations of the method and its comparison with other approaches. The method was implemented as a part of network forensics framework NetFox developed in project SEC6NET. Results show that the method can be successfully used for Lawful Interception as well as for network monitoring.


Bestagini, P., Allam, A., Milani, S., Tagliasacchi, M., & Tubaro, S. (2012). Video codec identification. In IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2012 (pp. 2257-- 2260).

Cisco Systems, I. (2002). Network Based Application Recognition RTP Payload Classification (White Paper). Cisco Systems, Inc. Costeux, J.-L., Guyard, F., & Bustos, A.-M. (n.d.). Detection and comparison of RTP and skype traffic and performance. In IEEE Global Telecommunications Conference, GLOBECOM’06 (pp. 1--5).

Hicsonmez, S., H.T.Sencar, & Avcibas, I. (2011, Nov). Audio codec identification through payload sampling. In IEEE International Workshop on Information Forensics and Security (WIFS), 2011 (pp. 1--6).

Jenner, F., & Kwasinski, A. (2012, March). Highly accurate non-intrusive speech forensics for codec identifications from observed decoded signals. In IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2012 (pp. 1737- -1740).

Perkins, C. (2003). RTP: Audio and Video for the Internet. Addison-Wesley. Schulzrinne, H., & Casner, S. (2003, July). RTP Profile for Audio and Video Conferences with Minimal Control (RFC 3551).

Schulzrinne, H., Casner, S., Frederick, R., & Jacobson, V. (2003, July). RTP: A Transport Protocol for Real-Time Applications (RFC 3550).

Yargicocglu, A. U., & Ilk, H. G. (2012). Speech Coder Identification Using Chaotic Features Based On Steganalyzer Models. Communications, Zilina, Slovakia, 12 , 63--69.

Zhang, G., Xie, G., Yang, J., Min, Y., Zhou, Z., & Duan, X. (2008, Jan). Accurate Online Traffic Classification with Multi-Phases Identification Methodology. In 5th IEEE Consumer Communications and Networking Conference (pp. 141--146).




To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.