Ask Your Question
0

How can I export UDP payload without using the slow Follow UDP Stream method

asked 2019-01-31 10:32:06 +0000

HiZ gravatar image

As per title, how can I export some UDP payload to a file quickly. The only method I know which works is to 'Follow UDP Stream, then Save As raw. The Save option is not available for a long time (file size dependant), whilst the stream is analoysed. Is there a quicker way to simply export. Unfortuntaltley the Export Packet Dissections option doesnt work as that inclides the headers.

For reference, with UDP streams which incliude RTP, the RTP Analyse and Save Unsynchronised Forward Audio Stream as raw method works very well.

Thanks!

edit retag flag offensive close merge delete

Comments

I'm also interested in finding an answer to this question for 3.x (but can't upvote due to rep). You can use the 'legacy' (gtk) interface with 2.x and it performs fine when using the follow stream feature for large streams (I was using that for capturing video streams until the linux distribution I use updated the package to 3.0.0).

With the release of 3.0.0, it looks like qt is the only option and it seems we're stuck with waiting for even moderately large streams or reverting to old software.

srainey gravatar imagesrainey ( 2019-03-26 15:48:24 +0000 )edit
add a comment

2 Answers

Sort by ยป oldest newest most voted
0

answered 2019-05-01 03:03:44 +0000

clement-CCIE gravatar image

I have a script that automatically does extract all the MPEG 2TS streams from a pcap ,let me know I can send it over .

edit flag offensive delete link more

Comments

You may as well post it as a Github gist (or pastebin, or github repo, etc.) to better document this.

Ross Jacobs gravatar imageRoss Jacobs ( 2019-05-01 19:38:00 +0000 )edit
add a comment
0

answered 2019-03-26 17:43:28 +0000

Ross Jacobs gravatar image

This will export the UDP payload in a way you can add to a script:

tshark -r <infile> -Y "udp.stream eq <stream#>" -w <outfile>

tshark has other options for following streams like -z, and it's worth checking out the man page for more details.

In response to @srainey, I doubt that this is related to UI as tshark and wireshark both take ~3s to find a 200 packet stream in a 200MB file in my testing.

@HiZ If you continue to see a discrepancy between follow generic UDP stream and follow RTP stream, please create a bug. What we would be looking for specifically would be a way to replicate what you're finding, ideally with pcaps and all relevant info).

edit flag offensive delete link more

Comments

I think the problem is when you have a large amount of data in the filtered stream - there are times when I have to analyze mpeg2 transport streams outside wireshark. The easiest way to get the stream into an external tool is from the wireshark gui using the "Follow UDP stream" dialog (I usually have no need for the PCAP files). At the rates I'm running if I capture about 60 seconds of video (44MB, 33,000 packets), I have to wait for the qt gui to count packets for 16s before I can press the save button.

srainey gravatar imagesrainey ( 2019-03-26 18:00:36 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-01-31 10:32:06 +0000

Seen: 5,214 times

Last updated: May 01 '19

Related questions

How can I trim or ignore the first 8 bytes of UDP payload in a capture.

check udp payload in wireshark

Why would I be getting "LEN 1 (Malformed Packet)"... "(Malformed Packet: RTCP)" on UDP Packets

dell backup crash

My UDP packets aren't showing

Monitoring UDP data on wireshark shows ARP packet

How do I use the fragment_add_seq_check function in UDP packet reassembly?

Is it possible to use reassembly on non-split packets?

How do I dissect packets if the dissection depends on information from earlier packets?

What is the udp.length display filter actually for?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2