Ask Your Question
0

Extract TS files from pcap capture

asked 2020-10-16 17:50:42 +0000

sedilson gravatar image

updated 2020-10-16 17:53:50 +0000

The goal: Extract TS Files captured from UDP streams (multicast)

Current mode: Choose follow -> UDP stream using Wireshark GUI. A new popup windows opens and packet count starts while not button or fields are enabled to use, including the mode that is default ASCII. After quite some time, when the packet count ends, the option are available to use. Since the goal is save the raw udp payload, change from default ascII to raw is needed and once performed, the packet count stats over, needed the same long time to end to finally complete the process

On the following post: https://ask.wireshark.org/question/70...

the proposed solution is:

tshark -r <infile> -Y "udp.stream eq <stream#>" -w <outfile>

That process is completed in some seconds for the same file that takes one but it produced an output file slightly bigger than the original tcpdump captures what is not expected and is not recognized as TS files by the softwares i have, while the file produced by the long follow the stream process are.

Also tried the -z follow,UDP,0 instead of -Y udp.stream eq. Console window started to show up the bunch of raw data, taking similar time that Gui does. At least is not needed to perform the same twice, but it produced the same output as the previous command, also not possible to use on stream analyzer neither VLC.

Study case:

tcpdump capture file size is 24MB

Using Wireshark GUI, follow UDP stream (ASCII), packet read/parse took 3 minutes Changed from display and save from ASCII to RAW, packt read/parse took less than 1 minutes Saved raw playload generated 39MB file File can be reproduced on VLC and is succefull loaded on TS analyzer

Using TShark command tshark -r <infile> -Y "udp.stream eq <stream#>" -w <outfile>, produced output file in seconds File size is slightly bigger than tcpdump capture, like 200kB Produced file cannot be reproduced and fails to be loaded on TS Analyzer

Using TShark command tshark.exe -r input.pcap -z follow,udp,raw,0 -w output.ts, produced output file in seconds, but seems to generate a loop on console filling the screen constantly with raw data of the file. File size is slightly bigger than tcpdump capture, like 200kB. Same size as the other TShark output. Produced file cannot be reproduced and fails to be loaded on TS Analyzer

Note that, go over the GUI process for small files is not a problem but big files, it would consume a good time. 3 minutes for 24M, for 500M it would take 1 hours for ASCII parse then another 20 minutes for RAW, so 1:20 to extract TS.

edit retag flag offensive close merge delete

Comments

From an earlier Ask question:
Stack Overflow post that points to mpeg_dump.lua on the Wireshark Wiki.
This Sharkfest presentation "How to Use Wireshark to Analyze Video by Betty DuBois" might help for background info.

Chuckc gravatar imageChuckc ( 2020-10-16 19:22:26 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2023-03-14 19:16:00 +0000

SergA gravatar image

updated 2023-03-15 07:37:18 +0000

Here is two variants how you can extract udp payload:

  • fastest method, using gstreamer:

    gst-launch-1.0 -v filesrc location="dump.pcap" ! \
  pcapparse dst-ip=239.1.10.6 dst-port=1234 ! \
  filesink location="udp_payload.ts"

    Notes:

    • pcapparse not understand _pcapng_ file format, if you have such file you can convert it in Wireshark or with mergecap: mergecap -F pcap -w dump.pcap in.pcapng;
    • pcapparse can filter packets with src-ip, src-port, dst-ip, dst-port in any combination. To see available conversations in dump run the next: tshark -nq -r dump.pcap -z conv,udp.

  • slightly slower method (but still fast relative to Wireshark's follow+export), using tshark and xxd tools:

    tshark -r "dump.pcap" -z follow,udp,raw,0 -q |
  grep -Ev '^(Follow|Filter|Node [01]): ' |
  grep -Ev '^={60,80}$' |
  xxd -r -p >"udp_payload.ts"

    Notes:

    • In the example above, tshark filters packets by "stream-index", the first one;
    • You can select packets more explicitly by setting a filter with the following pattern: follow,udp,raw,<src-ip>:<src-port>,<dst-ip>:<dst-port>;

Both methods work with MPEG TS and any other payload.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2020-10-16 17:50:42 +0000

Seen: 2,898 times

Last updated: Mar 15 '23

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2