Revision history

Revision 1: initial version

Extract TS files from pcap capture

The goal: Extract TS Files captured from UDP streams (multicast)

Current mode: Choose Follow -> UDP Stream using the Wireshark GUI. A new popup window opens and the packet count starts, while no buttons or fields are enabled to use, including the mode, which defaults to ASCII. After quite some time, when the packet count ends, the options are available to use. Since the goal is to save the raw UDP payload, changing from the default ASCII to Raw is needed, and once performed, the packet count starts over, needing the same long time to end to finally complete the process.

On the following post: https://ask.wireshark.org/question/7092/how-can-i-export-udp-payload-without-using-the-slow-follow-udp-stream-method/

the proposed solution is: tshark -r <infile> -Y "udp.stream eq <stream#>" -w <outfile>

That process is completed in some seconds for the same file that takes one, but it produced an output file slightly bigger than the original tcpdump capture, which is not expected, and it is not recognized as a TS file by the software I have, while the file produced by the long follow-the-stream process is.

Also tried "-z follow,UDP,0" instead of "-Y "udp.stream eq"". The console window started to show a bunch of raw data, taking a similar time to what the GUI does. At least it is not needed to perform the same twice, but it produced the same output as the previous command, also not possible to use on the stream analyzer nor VLC.

Study case:

tcpdump capture file size is 24MB

Using Wireshark GUI, Follow UDP Stream (ASCII):
packet read/parse took 3 minutes
Changed display and save from ASCII to Raw: packet read/parse took less than 1 minute
Saved raw payload generated a 39MB file
File can be reproduced on VLC and is successfully loaded on the TS analyzer

Using TShark command tshark -r <infile> -Y "udp.stream eq <stream#>" -w <outfile>:
produced output file in seconds
File size is slightly bigger than the tcpdump capture, by about 200kB
Produced file cannot be reproduced and fails to be loaded on the TS analyzer

Using TShark command tshark.exe -r input.pcap -z follow,udp,raw,0 -w output.ts:
produced output file in seconds, but seems to generate a loop on the console, filling the screen constantly with raw data of the file
File size is slightly bigger than the tcpdump capture, by about 200kB, the same size as the other TShark output
Produced file cannot be reproduced and fails to be loaded on the TS analyzer

Note that going over the GUI process for small files is not a problem, but for big files it would consume a good amount of time: 3 minutes for 24M, so for 500M it would take 1 hour for the ASCII parse and then another 20 minutes for Raw, so 1:20 to extract the TS.
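The size symptom in the question (output a little larger than the capture, and not playable) is what you get when the output is still a capture file: tshark's -w writes packets in capture-file format, link, IP and UDP headers included, rather than the bare UDP payload, and the -z follow output goes to the console. A raw .ts file is just the UDP payloads of one multicast stream concatenated in capture order. The script below is an added example written for this thread; it is not code from the original post or from the Wireshark project. It parses a classic libpcap file with only the Python standard library (Ethernet, optionally 802.1Q-tagged, then IPv4/UDP; pcapng input would have to be converted first, and fragmented datagrams are skipped), keeps the payloads addressed to a chosen multicast group and port, and checks that the result is a whole number of 188-byte MPEG-TS packets each starting with the 0x47 sync byte. The destination 239.1.1.1:1234, the source addresses and the embedded sample capture are constructed values for the offline run, not taken from the question.

```python
"""Pull raw UDP payloads out of a classic libpcap file and save them as a .ts file.

Standard library only. Handles Ethernet (optionally 802.1Q-tagged) / IPv4 / UDP
and skips fragmented datagrams. pcapng input is not handled: convert it first.
"""
import socket
import struct
import sys

TS_PACKET = 188   # MPEG-TS packet size in bytes
TS_SYNC = 0x47    # first byte of every TS packet


def iter_pcap_frames(data):
    """Yield each captured frame from classic pcap bytes (either byte order)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:      # file written little-endian
        end = "<"
    elif magic == 0xD4C3B2A1:    # file written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or nanosecond pcap?)")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != 1:            # DLT_EN10MB: only Ethernet is handled here
        raise ValueError("only Ethernet link type is handled, got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def udp_payload(frame):
    """Return (dst_ip, dst_port, payload) for an IPv4/UDP frame, else None."""
    if len(frame) < 14:
        return None
    ethertype, ip_off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == 0x8100 and len(frame) >= 18:   # 802.1Q VLAN tag present
        ethertype, ip_off = struct.unpack("!H", frame[16:18])[0], 18
    ip = frame[ip_off:]
    if ethertype != 0x0800 or len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len, flags_frag = struct.unpack("!HxxH", ip[2:8])
    if ip[9] != 17 or flags_frag & 0x3FFF:         # not UDP, or fragmented: skip
        return None
    udp = ip[ihl:total_len]
    if len(udp) < 8:
        return None
    dst_port, udp_len = struct.unpack("!HH", udp[2:6])
    return socket.inet_ntoa(ip[16:20]), dst_port, udp[8:udp_len]


def extract_stream(pcap_bytes, dst_ip, dst_port):
    """Concatenate the UDP payloads sent to dst_ip:dst_port, in capture order."""
    out = bytearray()
    for frame in iter_pcap_frames(pcap_bytes):
        hit = udp_payload(frame)
        if hit and hit[0] == dst_ip and hit[1] == dst_port:
            out += hit[2]
    return bytes(out)


def looks_like_ts(data):
    """True if data is a whole number of 188-byte packets, each starting with 0x47."""
    return bool(data) and len(data) % TS_PACKET == 0 and all(
        data[i] == TS_SYNC for i in range(0, len(data), TS_PACKET))


# --- constructed sample capture (not a real stream) so the script runs offline ---
def _frame(dst_ip, dst_port, payload):
    udp = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton(dst_ip)) + udp
    eth = bytes.fromhex("01005e010101" "001122334455" "0800")   # checksums left 0
    return eth + ip


def build_sample_pcap():
    ts7 = b"".join(bytes([TS_SYNC, 0x00, 0x64, 0x10 | i]) + bytes(184) for i in range(7))
    frames = [_frame("239.1.1.1", 1234, ts7) for _ in range(3)]   # 3 x 1316 B of TS
    frames.append(_frame("239.1.1.1", 5678, b"not a transport stream"))  # other port
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + body


SAMPLE_PCAP = build_sample_pcap()

if __name__ == "__main__":
    # usage: python extract_ts.py capture.pcap 239.1.1.1 1234 out.ts
    if len(sys.argv) == 5:
        with open(sys.argv[1], "rb") as f:
            ts = extract_stream(f.read(), sys.argv[2], int(sys.argv[3]))
        with open(sys.argv[4], "wb") as f:
            f.write(ts)
    else:
        ts = extract_stream(SAMPLE_PCAP, "239.1.1.1", 1234)
    print(len(ts), "bytes, TS-aligned:", looks_like_ts(ts))
```

Run with no arguments it processes the embedded sample and reports 3948 bytes that pass the sync-byte check; with a file, group and port it streams the whole capture once, which is what makes it fast on large files compared with the two passes of the GUI. If looks_like_ts is false on a real capture, the usual causes are a dropped or fragmented packet (the 188-byte alignment is lost from that point on) or RTP encapsulation, where a 12-byte RTP header precedes the seven TS packets and would have to be stripped before the check.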
