Ask Your Question

filtered original file with rtpevent to separate pcap file, but packets showing as UDP

asked 2024-01-04 15:44:30 +0000

updated 2024-01-04 15:46:22 +0000

grahamb gravatar image

We filtered original pcap file with display filter rtpevent and write results to separate pcap file as below,

tshark -r TestRTPSIP.pcap -Y "rtpevent" -w rtpevent.pcap

result file rtpevent.pcap have packets but displaying as udp, cant see rtpevent information.

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted

answered 2024-01-04 20:23:08 +0000

Jaap gravatar image

Go to Analyse | Enabled Protocols.

In the dialog that pops up fill in 'RTP' as search item.

Under the RTP item look for rtp_udp, and make sure that's checked.

Click OK to close the dialog and compare the results.

edit flag offensive delete link more


Thanks for response. By enabling this check box, I can see rtp packets, but not rtpevents in wireshark. I need option for tshark.

Balaji Ratnala gravatar imageBalaji Ratnala ( 2024-01-05 05:31:40 +0000 )edit

answered 2024-01-04 22:37:21 +0000

SYN-bit gravatar image

Another solution is to save the SDP packets in the new file too, as they contain the mapping of the dynamic payload type for the rtpevent packets (which tell the user-agents which payload type is used for rtpevent pdus, this is also how Wireshark knows to dissect these udp packets as rtpevent).

So, you could use tshark -r TestRTPSIP.pcap -Y "sdp or rtpevent" -w rtpevent.pcap and see if that solves the issue for you too.

edit flag offensive delete link more


It solves our problem, but we need only rtp and rtpevents as filter to reduce file size by excluding sip/sdp. Anyhow, if no option is there to save only rtp/rtpevents, then saving new file with sdp is only solution which we using currently. Thanks!

Balaji Ratnala gravatar imageBalaji Ratnala ( 2024-01-05 05:33:25 +0000 )edit

You can also look at the port numbers with tshark -r rtpevent.pcap -qz conv,udp and then use decode as to decode the specific ports as rtp (and thus rtpevent) with tshark -r /tmp/rtpevent.pcapng -d udp.port==<port>,rtp

SYN-bit gravatar imageSYN-bit ( 2024-01-05 12:25:15 +0000 )edit

Or use the --enable-heuristic option like this tshark -r rtpevent.pcap --enable-heuristic rtp_udp

SYN-bit gravatar imageSYN-bit ( 2024-01-05 12:36:17 +0000 )edit

--enable-heuristic and using port numbers converting to RTP packets , but cant see rtpEvent info.Can you please help if any solution for show RTPEvents(DTMF data)?

Balaji Ratnala gravatar imageBalaji Ratnala ( 2024-01-08 11:10:16 +0000 )edit

Are the rtpevent packets shown as UDP in the info column, or maybe as some other protocol. In my case they were show as DIS protocol and I needed to disable the DIS dissector. So, without your specific packets it is really hard (to impossible) to help you out (see the email address in my profile if you are able to share the pcap file)

SYN-bit gravatar imageSYN-bit ( 2024-01-08 11:26:18 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2024-01-04 15:44:30 +0000

Seen: 190 times

Last updated: Jan 04