Have to large pcap file. How can i get just the voip thereout. I already tried with time selection (-A -B)

asked 23 Nov '11, 10:35

tkwire's gravatar image

tkwire
1223
accept rate: 0%


In general splitting up files is easily done with editcap

editcap -c <packets per file> or editcap -i <seconds per file>

gives you two ways to split your too big capture file into smaller ones.

If you just want to filter voip out of the trace you could use tshark to grab frames matching a specific display filter and save those to a new trace like e.g. for cisco based voip with skinny as signalling protocol

tshark -r <name of your trace.pcap> -R "skinny or rtp" -w <name of the new tracefile>
link

answered 23 Nov '11, 13:19

Landi's gravatar image

Landi
2.2k51340
accept rate: 27%

i allready tried with editcap packets per file and seconds per file. the problem is, then i get just the first peace of voip and the next peaces are lost. (in the first file is the first peace of voip and in the next file is no voip. so i can get just about 30sec voip from a 30min. voip)

with tshark i get this error massage: This application has requested the Runtime to terminate it in an unusual way. Please contact the application’s support team for more information

my File: 733009451 bytes packets more than 139400 packets (preview timeout) format: modified tcpdump-libpcap

(24 Nov '11, 10:05) tkwire

I don't really get the problem why the "next pieces [of voip] are lost" when you use editcap. Tshark might not like the filesize of your pcap, so even if more complicated, maybe you try the following:

  • Split up the trace with editcap into smaller files (e.g. 100,000 packets per file
  • create a new folder like 'filtered' or s.th.
  • run tshark -r ... -R "rtp or skinny" -w filtered<filename> for every editcap-outfile
  • run mergecap over all your traces in the filtered directory and see if the file is small enough to open with wireshark then
(24 Nov '11, 10:25) Landi

I get this massage when i run tshark Read filters were specified both with "-R" and wit additional command-line arguments

(24 Nov '11, 11:01) tkwire
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×112
×70
×6

Asked: 23 Nov '11, 10:35

Seen: 3,026 times

Last updated: 24 Nov '11, 11:01

powered by OSQA