A recent change to a UDP protocol is causing me grief. For this scenario a provider has added an ID in front of the RTP Header information in the payload so I can no longer dissect it correctly. Is there an easy way to trim the first 8 bytes from the UDP payload in a packet capture?
There are (at least) two options here. One as suggested in the comment to use editcap -C, or you could create a Lua dissector which binds to the UDP port involved, which consumes the 8 extra bytes and passes the rest to the RTP dissector. This does depend on the predictability of the used ports, not having signalling protocols setting up RTP conversations.
Asked: 2020-01-08 19:23:48 +0000
Seen: 1,215 times
Last updated: Jan 09 '20
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
Does the RTP payload always start at the same byte offset (Eth: 14 + IP: 20 + UDP: 8 + ID data: 8 = 50 ?)
If so then you might look at "chopping" out the ID bytes with
editcap -C:https://www.wireshark.org/docs/man-pa...