Ask Your Question

Lost audio stream

asked 2020-01-31 14:25:02 +0000

Hi everyone, here's a situation I could use some help with. Please be aware that I'm not an IT person at all and had never heard of Wireshark until a couple of days ago; I'm just trying to perform a specific task.

I did a 2h+ phone interview and tried to capture it using the packet capture feature of my AVM Fritz box. Everything went fine until after about half an hour, the phone connection was interrupted and I had to call my interviewee again. I probably should have stopped and restarted the capture at that point, but I didn't think of doing that.

After I finished the interview I tried to extract the audio streams from the resulting .eth file, which had run to about 240mb. I find the first half hour of my interview and also another call my wife made during that time, but not the whole rest of the interview.

The second call to my interviewee shows up in Telephony - VoIP Calls, but I can't play it... the box comes up empty. I also can't find it under Telephony - RTP - RTP Streams.

So my hope is that the stream is still there somewhere in the .eth file, but Wireshark just can't find it. Is there any chance I might retrieve it and not have to do the interview all over again?

Thanks for any help you can give. - Christian

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2020-02-03 21:24:14 +0000

SYN-bit gravatar image

Open "Statistics -> Conversations", then click on the UDP tab. Sort by number of bytes (twice, so the conversations with the most data show up at the top). If the audio is in the trace, it should show up high in the list. Filter on each of the top conversations and check in the packet list whether the packets look like RTP (same size, evenly spread at 20ms intervals in both directions). Then right-click on one of the packets and choose "Decode As" and change the protocol to RTP to dissect this UDP stream as RTP. This will enable playback.

Another way is to enable the RTP heuristics dissector by going to "Analyze -> Enabled protocols". Then type RTP in the search bar and then look for "rtp_udp" and enable it. Then if there are RTP streams in the trace that miss the signaling, they will show up in the RTP streams overview.

edit flag offensive delete link more


Thanks for your reply! I get lost though where you say "Filter on each of the top conversations and check in the packet list..." How exactly do I do that?

Joketowner gravatar imageJoketowner ( 2020-02-04 22:13:21 +0000 )edit

After sorting, you can right-click on each of the conversations of interest and use "Apply as filter -> Selected -> A<->B". Then only that conversation will be displayed in the packet list.

SYN-bit gravatar imageSYN-bit ( 2020-02-05 08:52:12 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2020-01-31 14:25:02 +0000

Seen: 1,151 times

Last updated: Feb 03 '20