Ask Your Question

tshark fails to extract RTP data from pcap even if it is available

asked 2024-07-03 16:02:22 +0000

nkdev89 gravatar image

updated 2024-07-03 16:11:13 +0000

Using the command:

tshark.exe -r fplay_SVS.pcapng -Y "udp.port==42993 && rtp" -T fields -e rtp.payload > rtp_payload_hex.raw

I use this command to extract the rtp payload. This command worked fine 2 days back . But all of sudden it stopped working . And its extracting a file with zero size.

Something went wrong with my system updates or tshark ? .

Not sure how to get it working.

Note : The same input file I can use it on the wireshark and able to extract the rtp_payload, But I need to automate so i cant use wireshark.

edit retag flag offensive close merge delete


Can you try it using aaa.pcap from the Wiki Sample Captures.
tshark -r aaa.pcap -Y "udp.port==30000 && rtp" -T fields -e rtp.payload

Chuckc gravatar imageChuckc ( 2024-07-03 16:22:10 +0000 )edit

Does adding -2 help?

cmaynard gravatar imagecmaynard ( 2024-07-03 16:31:00 +0000 )edit

yes it created a 3kb file

nkdev89 gravatar imagenkdev89 ( 2024-07-03 16:35:36 +0000 )edit

I already tried -2 , didnt help

nkdev89 gravatar imagenkdev89 ( 2024-07-03 16:36:04 +0000 )edit

Can you share a pcap that doesn't extract?
Is it possible that tshark and Wireshark are using different profiles?
Try testing with the individual pieces of your filter to see if the port changed (-Y "udp.port==42993") or rtp not being found (-Y "rtp").

Chuckc gravatar imageChuckc ( 2024-07-03 16:40:29 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2024-07-05 13:22:50 +0000

nkdev89 gravatar image

Added decode information : -d udp.port==42993,rtp and it solved my issue. Thank you @Chuckc and @cmaynard for the support.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2024-07-03 16:02:22 +0000

Seen: 101 times

Last updated: Jul 05