Ask Your Question
0

How can I trim or ignore the first 8 bytes of UDP payload in a capture.

asked 2020-01-08 19:23:48 +0000

justin_wireshark_help gravatar image

A recent change to a UDP protocol is causing me grief. For this scenario a provider has added an ID in front of the RTP Header information in the payload so I can no longer dissect it correctly. Is there an easy way to trim the first 8 bytes from the UDP payload in a packet capture?

edit retag flag offensive close merge delete

Comments

1

Does the RTP payload always start at the same byte offset (Eth: 14 + IP: 20 + UDP: 8 + ID data: 8 = 50 ?)
If so then you might look at "chopping" out the ID bytes with editcap -C :
https://www.wireshark.org/docs/man-pa...

Chuckc gravatar imageChuckc ( 2020-01-08 23:05:08 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-01-09 08:02:52 +0000

Jaap gravatar image

There are (at least) two options here. One as suggested in the comment to use editcap -C, or you could create a Lua dissector which binds to the UDP port involved, which consumes the 8 extra bytes and passes the rest to the RTP dissector. This does depend on the predictability of the used ports, not having signalling protocols setting up RTP conversations.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-01-08 19:23:48 +0000

Seen: 2,167 times

Last updated: Jan 09 '20