tshark parse AMR-WB instead AMR

asked 2025-10-16 20:58:07 +0000

el_tyi
1 ●1 ●1

updated 2025-10-17 01:16:45 +0000

Chuckc
3133 ●6 ●648 ●20

Hi! I catch a problem when used command

tshark -r from_test.pcap --enable-protocol rtp -d rtp.pt==112,amr -O amr

I got the following output:

Adaptive Multi-Rate
    [Payload decoded as: RFC 3267 bandwidth-efficient mode (1)]
    0100 .... = CMR: AMR-WB 15.85 kbit/s (4)
    .... 0... = F bit: Last frame in this payload
    .... .000  0... .... = FT bits: AMR-WB 6.60 kbit/s (0) / Frame OK
    .1.. .... = Q bit: Ok
    Error: 13 Bytes available, 17 would be needed!
        [Expert Info (Error/Malformed): Error: 13 Bytes available, 17 would be needed!]
            [Error: 13 Bytes available, 17 would be needed!]
            Message: Error: 13 Bytes available, 17 would be needed!
            [Severity level: Error]
            [Group: Malformed]
        Malformed Packet
[Malformed Packet: AMR]

However, I expected to get AMR instead of AMR-WB, like in Wireshark:

Adaptive Multi-Rate
    [Payload decoded as: RFC 3267 bandwidth-efficient mode (1)]
    0010 .... = CMR: AMR 5,90 kbit/s (2)
    .... 0... = F bit: Last frame in this payload
    .... .001  0... .... = FT bits: AMR 5,90 kbit/s (2) / Frame OK
    .1.. .... = Q bit: Ok
    Frame Data: 7a567cd7f7f97a599ffef022206022

Both outputs from same pcap. What am I doing wrong while using tshark? tshark version is 4.2.3

edit retag flag offensive close merge delete

Comments

Are tshark and wireshark the same version?
Are you using the same profile for each?
Do you get same output when using -C option to specify profile to load with tshark?

Chuckc ( 2025-10-17 01:29:33 +0000 )edit

same versions I have exported profile from the Wireshark. In file decode_as_entries it has

# "Decode As" entries file for Wireshark 4.2.3.
#
# This file is regenerated each time "Decode As" preferences
# are saved within Wireshark. Making manual changes should be safe,
# however.
decode_as_entry: rtp.pt,112,(none),AMR
decode_as_entry: udp.port,34000,(none),RTP
decode_as_entry: udp.port,4000,ICQ,RTP

tshark I start without any profiles, just with options --enable-protocol rtp -d rtp.pt==112,amr -O amr

el_tyi ( 2025-10-17 07:09:04 +0000 )edit

Thank you! I have run tshark -C and see expected info in AMR layer! But why thshark doesn't work without -C, just with -d rtp.pt==112,amr

el_tyi ( 2025-10-17 08:12:54 +0000 )edit

Tshark uses the default profile without -C, not the last used profile the way Wireshark does

johnthacker ( 2025-10-17 15:16:53 +0000 )edit

see more comments

0

answered 2025-10-17 09:27:43 +0000

el_tyi
1 ●1 ●1

updated 2025-10-17 13:01:46 +0000

Chuckc
3133 ●6 ●648 ●20

I'v found solution of my problem - need use -o option like this
tshark -r amr_nb.pcap -o amr.mode:AMR-NB --enable-protocol rtp -d rtp.pt==112,amr -O amr

Adaptive Multi-Rate
    [Payload decoded as: RFC 3267 bandwidth-efficient mode (1)]
    0010 .... = CMR: AMR 5,90 kbit/s (2)
    .... 0... = F bit: Last frame in this payload
    .... .001  0... .... = FT bits: AMR 5,90 kbit/s (2) / Frame OK
    .1.. .... = Q bit: Ok
    Frame Data: 7a567cd7f7f97a599ffef022206022

Thank all for support

edit flag offensive delete link

add a comment

0

answered 2025-10-16 22:56:00 +0000

johnthacker
321 ●59 ●6

Try using -d rtp.pt=112,amr_wb instead in that command.

edit flag offensive delete link

Comments

It doesn’t solve the problem. I need correct AMR narrowband representation at AMR layer. Not AMR WB

el_tyi ( 2025-10-17 01:03:33 +0000 )edit

I am sorry, I misread what you wrote. Yes, the problem is in your preferences.

johnthacker ( 2025-10-17 15:14:49 +0000 )edit

add a comment

tshark parse AMR-WB instead AMR

Comments

2 Answers

Comments

Your Answer

Question Tools

Stats

Related questions

tshark parse AMR-WB instead AMR edit

Comments

2 Answers

Comments

Your Answer

Question Tools

Stats

Related questions

tshark parse AMR-WB instead AMR