Hello, I am trying to solve one problem. I have one capture stream taken with tshark. In this file there are many VoIP calls (SIP/RTP/G729). In the Wireshark GUI I can do what I can, but when I try to filter some call from cmd there is a big problem. When I use this:
I get the right (SIP, UDP, TCP etc...) load in
I get all load in call.raw as UDP. I need to get RTP. I use TShark 1.6.1 on GNU/Linux CentOS 6. Please, does anyone have a suggestion?
|
Your filter probably excluded the call-setup packets from the trace file which Wireshark uses to know when to dissect UDP as RTP. Try setting the RTP preference "Try to decode RTP outside of conversations".

Thanks for the answer. I tried something new:
tshark -r capturefile -R "ip.src==10.1.0.12 && udp.srcport==52140 && ip.dst==10.1.0.11 && udp.dstport==52382 && rtp.ssrc==0x9B0" -d udp.port==52140,rtp -w outstream
It now works for me, but how can I save the payload of RTP from outstream? In the Wireshark GUI I know (telephony -> rtp -> show all stream -> analyze -> save payload). The question is how can I do this in cmd?
(04 Aug '11, 06:19)
JamesBorg
That's really a new question which, coincidentally, is the same as this one.
(04 Aug '11, 06:34)
JeffMorriss ♦
Not the same, but OK :). But no answer there :(
(04 Aug '11, 07:00)
JamesBorg
OK, sorry, sounded the same to me. Anyway, I think there's no answer because it's not possible--but I don't work with RTP.
(04 Aug '11, 07:07)
JeffMorriss ♦
|
You can concatenate raw payloads and put them in a file. Note that this will not work all the time, for example if your RTP flow contains RFC 2833/4733 DTMF or DTX packets. With the RTP preference "Try to decode RTP outside of conversations" enabled, use this:
You will see hexadecimal payloads. This output can then be converted to raw bytes using:
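Added example, not part of the original answer and not the commands it refers to: a Python version of the hex-to-raw conversion step that also handles the two failure cases the answer names (DTMF events and DTX). It assumes the packets were dumped as tab-separated `rtp.p_type` and `rtp.payload` fields with tshark's `-T fields` output, and that the call uses static payload type 18 for G.729; `extract_g729` and the sample lines are constructed for illustration.

```python
import re
import sys

G729_PT = 18     # static RTP payload type for G.729 (RFC 3551)
G729_FRAME = 10  # bytes in one 10 ms G.729 speech frame
G729_SID = 2     # bytes in an Annex B SID (comfort noise) frame sent under DTX

# Constructed sample input: "<payload type>\t<payload hex>", one packet per line.
SAMPLE = "\n".join([
    "18\t" + ":".join(["11"] * 20),                # two speech frames
    "101\t00:0a:00:a0",                            # DTMF event on a dynamic type
    "18\t" + ":".join(["22"] * 10 + ["ee"] * 2),   # one speech frame + SID
    "18\tee:ee",                                   # SID only
    "18\t" + "33" * 20,                            # hex printed without colons
    "18\t44:44:4",                                 # damaged line
])

def extract_g729(lines, payload_type=G729_PT):
    """Concatenate G.729 speech frames; return (raw_bytes, stats)."""
    out = bytearray()
    stats = {"speech_packets": 0, "other_pt": 0, "sid_frames": 0, "malformed": 0}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        pt, _, hexstr = line.partition("\t")
        hexstr = hexstr.replace(":", "")
        if not pt.isdigit() or not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", hexstr):
            stats["malformed"] += 1
            continue
        if int(pt) != payload_type:
            stats["other_pt"] += 1   # e.g. RFC 2833/4733 telephone-event packets
            continue
        payload = bytes.fromhex(hexstr)
        frames, rest = divmod(len(payload), G729_FRAME)
        if rest == G729_SID:
            stats["sid_frames"] += 1  # dropped so output stays 10-byte aligned
        elif rest:
            stats["malformed"] += 1
            continue
        if frames:
            stats["speech_packets"] += 1
            out += payload[:frames * G729_FRAME]
    return bytes(out), stats

if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    raw, stats = extract_g729(src)
    if len(sys.argv) > 2:
        with open(sys.argv[2], "wb") as fh:
            fh.write(raw)
    print(len(raw), "bytes of G.729 speech;", stats)
```

Silence that DTX suppressed is not re-inserted, so a non-zero `sid_frames` count means the decoded audio will be shorter than the call.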
