Ask Your Question
0

How can I trim or ignore the first 8 bytes of UDP payload in a capture.

asked 2020-01-08 19:23:48 +0000

justin_wireshark_help gravatar image

A recent change to a UDP protocol is causing me grief. For this scenario a provider has added an ID in front of the RTP Header information in the payload so I can no longer dissect it correctly. Is there an easy way to trim the first 8 bytes from the UDP payload in a packet capture?

edit retag flag offensive close merge delete

Comments

1

Does the RTP payload always start at the same byte offset (Eth: 14 + IP: 20 + UDP: 8 + ID data: 8 = 50 ?)
If so then you might look at "chopping" out the ID bytes with editcap -C :
https://www.wireshark.org/docs/man-pa...

Chuckc gravatar imageChuckc ( 2020-01-08 23:05:08 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-01-09 08:02:52 +0000

Jaap gravatar image

There are (at least) two options here. One as suggested in the comment to use editcap -C, or you could create a Lua dissector which binds to the UDP port involved, which consumes the 8 extra bytes and passes the rest to the RTP dissector. This does depend on the predictability of the used ports, not having signalling protocols setting up RTP conversations.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-01-08 19:23:48 +0000

Seen: 2,161 times

Last updated: Jan 09 '20

Related questions

Registering RTP dissector for PCMU Payload Type 0

RTP protocol not recognized

Unknown RTP version 3 in skype data streams

Reassemble rtp payload to IP frames

How can I export UDP payload without using the slow Follow UDP Stream method

How to capture RTP packets?

check udp payload in wireshark

how to invert two bytes in lua script dissector ?

How do I get and display packet data information at a specific byte from the first byte?

Why would I be getting "LEN 1 (Malformed Packet)"... "(Malformed Packet: RTCP)" on UDP Packets