Ask Your Question

Revision history [back]

Here is two variants how you can extract udp payload:

  • fastest method, using gstreamer:

    gst-launch-1.0 -v filesrc location="dump.pcap" ! pcapparse dst-ip=239.1.10.6 dst-port=1234 ! filesink location="udp_payload.ts"

    _Notes_:

    • pcapparse not understand _pcapng_ file format, if you have such file you can convert it in Wireshark or with mergecap: mergecap -F pcap -w dump.pcap in.pcapng;
    • pcapparse can filter packets with src-ip, src-port, dst-ip, dst-port in any combination. To see available conversations in dump run the next: tshark -nq -r dump.pcap -z conv,udp.

  • slower method (but still fast relative to Wireshark's expert), using tshark and xxd tools:

    tshark -r "dump.pcap" -z follow,udp,raw,0 -q | grep -Ev '^(Follow|Filter|Node [01]): ' | grep -Ev '^={60,80}$' | xxd -r -p >"udp_payload.ts"

Both methods work with MPEG TS and any other payload.

Here is two variants how you can extract udp payload:

  • fastest method, using gstreamer:

    gst-launch-1.0 -v filesrc location="dump.pcap" ! \
  pcapparse dst-ip=239.1.10.6 dst-port=1234 ! \
  filesink location="udp_payload.ts"
     
    _Notes_:location="udp_payload.ts"

    Notes:

    • pcapparse not understand _pcapng_ file format, if you have such file you can convert it in Wireshark or with mergecap: mergecap -F pcap -w dump.pcap in.pcapng;
    • pcapparse can filter packets with src-ip, src-port, dst-ip, dst-port in any combination. To see available conversations in dump run the next: tshark -nq -r dump.pcap -z conv,udp.

  • slower method (but still fast relative to Wireshark's expert), using tshark and xxd tools:

    tshark -r "dump.pcap" -z follow,udp,raw,0 -q |
  grep -Ev '^(Follow|Filter|Node [01]): ' |
  grep -Ev '^={60,80}$' |
  xxd -r -p >"udp_payload.ts"
    >"udp_payload.ts"

Both methods work with MPEG TS and any other payload.

Here is two variants how you can extract udp payload:

  • fastest method, using gstreamer:

    gst-launch-1.0 -v filesrc location="dump.pcap" ! \
  pcapparse dst-ip=239.1.10.6 dst-port=1234 ! \
  filesink location="udp_payload.ts"

    Notes:

    • pcapparse not understand _pcapng_ file format, if you have such file you can convert it in Wireshark or with mergecap: mergecap -F pcap -w dump.pcap in.pcapng;
    • pcapparse can filter packets with src-ip, src-port, dst-ip, dst-port in any combination. To see available conversations in dump run the next: tshark -nq -r dump.pcap -z conv,udp.

  • slightly slower method (but still fast relative to Wireshark's expert), using tshark and xxd tools:

    tshark -r "dump.pcap" -z follow,udp,raw,0 -q |
  grep -Ev '^(Follow|Filter|Node [01]): ' |
  grep -Ev '^={60,80}$' |
  xxd -r -p >"udp_payload.ts"

    Notes:

    • In the example above, tshark filters packets by _"stream-index"_, the first one;
    • You can select packets more explicitly by setting a filter with the following pattern: follow,udp,raw,<src-ip>:<src-port>,<dst-ip>:<dst-port>;

Both methods work with MPEG TS and any other payload.

Here is two variants how you can extract udp payload:

  • fastest method, using gstreamer:

    gst-launch-1.0 -v filesrc location="dump.pcap" ! \
  pcapparse dst-ip=239.1.10.6 dst-port=1234 ! \
  filesink location="udp_payload.ts"

    Notes:

    • pcapparse not understand _pcapng_ file format, if you have such file you can convert it in Wireshark or with mergecap: mergecap -F pcap -w dump.pcap in.pcapng;
    • pcapparse can filter packets with src-ip, src-port, dst-ip, dst-port in any combination. To see available conversations in dump run the next: tshark -nq -r dump.pcap -z conv,udp.

  • slightly slower method (but still fast relative to Wireshark's expert), follow+export), using tshark and xxd tools:

    tshark -r "dump.pcap" -z follow,udp,raw,0 -q |
  grep -Ev '^(Follow|Filter|Node [01]): ' |
  grep -Ev '^={60,80}$' |
  xxd -r -p >"udp_payload.ts"

    Notes:

    • In the example above, tshark filters packets by _"stream-index"_, the first one;
    • You can select packets more explicitly by setting a filter with the following pattern: follow,udp,raw,<src-ip>:<src-port>,<dst-ip>:<dst-port>;

Both methods work with MPEG TS and any other payload.

Here is two variants how you can extract udp payload:

  • fastest method, using gstreamer:

    gst-launch-1.0 -v filesrc location="dump.pcap" ! \
  pcapparse dst-ip=239.1.10.6 dst-port=1234 ! \
  filesink location="udp_payload.ts"

    Notes:

    • pcapparse not understand _pcapng_ file format, if you have such file you can convert it in Wireshark or with mergecap: mergecap -F pcap -w dump.pcap in.pcapng;
    • pcapparse can filter packets with src-ip, src-port, dst-ip, dst-port in any combination. To see available conversations in dump run the next: tshark -nq -r dump.pcap -z conv,udp.

  • slightly slower method (but still fast relative to Wireshark's follow+export), using tshark and xxd tools:

    tshark -r "dump.pcap" -z follow,udp,raw,0 -q |
  grep -Ev '^(Follow|Filter|Node [01]): ' |
  grep -Ev '^={60,80}$' |
  xxd -r -p >"udp_payload.ts"

    Notes:

    • In the example above, tshark filters packets by _"stream-index"_, "stream-index", the first one;
    • You can select packets more explicitly by setting a filter with the following pattern: follow,udp,raw,<src-ip>:<src-port>,<dst-ip>:<dst-port>;

Both methods work with MPEG TS and any other payload.

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2