
When capturing H460 data in Wireshark (in multiplexed mode), Wireshark does not parse the RTP data correctly. It should discard the first 4 bytes of any RTP packet. Looking for hints on how to do that.

Thanks Amit

Gene Vincent
amitk
  • Could you explain which bytes should be removed by Wireshark with reference to the RTP header? Do you mean that there are 4 bytes that precede the RTP header in the UDP payload? http://www.networksorcery.com/enp/protocol/rtp.htm – rupello Sep 08 '11 at 15:17
  • The 4 bytes that precede the header need to be removed. After that the regular RTP header follows. – Gene Vincent May 01 '12 at 23:54
  • This RTP multiplexing is described in the H.460.19 standard. – Gene Vincent May 02 '12 at 00:19

1 Answer

tshark (packaged with wireshark) has this functionality built in.

Make sure that wireshark/tshark is in your PATH variable, and open a new command line window if you've just set it. Let me know if you want me to be more clear there.

  • If you want to discard the first 4 packets of rtp data on the fly :

    # tcpdump options go before the capture filter; -w - streams raw pcap records into editcap
    tcpdump -i eth0 -T rtp -n -s0 -w - 'not port 5060 and dst 192.168.1.101' | editcap -F libpcap -C 4 - - | tcpdump -nlvvv -r - -w output.pcap
    
  • For already captured file (capture.pcap):

    # -w - is required here too; without it tcpdump prints decoded text instead of pcap records
    tcpdump -r capture.pcap -w - | editcap -F libpcap -C 4 - - | tcpdump -nlvvv -r - -w output.pcap
    

or

editcap capture.pcap output.pcap -C 4

I didn't test these exact examples myself, but I think tshark's "chop" (-C) option might be what you're looking for.

ThreepE0
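An added example, not part of the answer above or of the Wireshark tools it names: a small Python rewrite that removes the 4-byte H.460.19 multiplex ID from the UDP payload itself and patches the IPv4 total length, IPv4 header checksum and UDP length, so the resulting capture dissects as ordinary RTP. It assumes Ethernet/IPv4/UDP frames in a classic libpcap file; the sample frame, ports and addresses are constructed for the demonstration.

```python
import struct
MUX_ID_LEN = 4  # the H.460.19 multiplex ID that precedes each RTP header

def ip_checksum(header: bytes) -> int:
    """RFC 1071 checksum of an IPv4 header (a header whose checksum field is already correct sums to 0)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def strip_mux_id(frame: bytes) -> bytes:
    """Drop the first MUX_ID_LEN bytes of the UDP payload of an Ethernet/IPv4/UDP frame and patch
    the IPv4 total length, IPv4 header checksum and UDP length; any other frame passes through."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":          # too short, or EtherType is not IPv4
        return frame
    ip_start, udp_start = 14, 14 + (frame[14] & 0x0F) * 4       # IHL is in 32-bit words
    if len(frame) < udp_start + 8 + MUX_ID_LEN or frame[ip_start + 9] != 17:
        return frame                                             # no room for an ID, or not UDP
    payload_start = udp_start + 8
    ip = bytearray(frame[ip_start:udp_start])
    udp = bytearray(frame[udp_start:payload_start])
    ip[2:4] = struct.pack("!H", struct.unpack("!H", ip[2:4])[0] - MUX_ID_LEN)
    ip[10:12] = b"\x00\x00"                                      # zero the field, then recompute
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    udp[4:6] = struct.pack("!H", struct.unpack("!H", udp[4:6])[0] - MUX_ID_LEN)
    udp[6:8] = b"\x00\x00"   # UDP over IPv4 may carry "no checksum"; avoids a pseudo-header recompute
    return frame[:ip_start] + bytes(ip) + bytes(udp) + frame[payload_start + MUX_ID_LEN:]

def rewrite_pcap(src: str, dst: str) -> int:
    """Apply strip_mux_id to every record of a classic libpcap file; returns the packet count."""
    data = open(src, "rb").read()
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"     # magic number gives the byte order
    out, pos, count = [data[:24]], 24, 0
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = strip_mux_id(data[pos + 16:pos + 16 + incl_len])
        hdr = struct.pack(endian + "IIII", ts_sec, ts_usec, len(frame), orig_len - (incl_len - len(frame)))
        out += [hdr, frame]
        pos, count = pos + 16 + incl_len, count + 1
    open(dst, "wb").write(b"".join(out))
    return count

def build_sample_frame(mux_id: bytes, rtp: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame carrying mux_id + rtp (test input, not captured data)."""
    udp_len = 8 + len(mux_id) + len(rtp)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 1, 0, 64, 17, 0,
                               bytes([192, 168, 1, 10]), bytes([192, 168, 1, 101])))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    udp = struct.pack("!HHHH", 5004, 5004, udp_len, 0)
    return b"\x00" * 12 + b"\x08\x00" + bytes(ip) + udp + mux_id + rtp
```

Unlike a fixed-offset chop, this leaves the IP and UDP length fields consistent with the shortened payload, so Wireshark's dissectors do not flag the rewritten packets as malformed.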