This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Readout CSV trace

Hello, I would like to read out a Wireshark CSV file and detect the received and lost RTP packets. Is that even possible with Wireshark? Many thanks in advance. :)

asked 06 Feb '14, 14:29

kvmannila

What is a Wireshark CSV file?

(06 Feb '14, 23:53) Kurt Knochner ♦

It's a trace exported as a csv file. But any "readable" file format would be OK.

(07 Feb '14, 00:08) kvmannila

One Answer:

If you are just interested in the amount of lost RTP frames, you can use the Wireshark statistics.

Wireshark GUI:

Take a look at the RTP statistics.

Telephony -> RTP -> Show all Streams

The output of that contains information about

  • different RTP streams
  • number of frames received
  • number of lost frames
  • jitter
  • etc.

The same can be achieved with tshark.

tshark:

tshark -nr sip_rtp.pcap -z rtp,streams

Output:

========================= RTP Streams ========================
    Src IP addr  Port    Dest IP addr  Port       SSRC          Payload  Pkts         Lost   Max Delta(ms)  Max Jitter(ms) Mean Jitter(ms) Problems?
   200.57.7.204  8000    200.57.7.196 40376 0xD2BD4E3E ITU-T G.711 PCMA   548     0 (0.0%)         5843.74            7.41            2.60
   200.57.7.196 40376    200.57.7.204  8000 0x58F33DEA ITU-T G.711 PCMA   891     0 (0.0%)          379.90            0.25            0.10
   200.57.7.202 30000    200.57.7.196 40362 0x00002E3D ITU-T G.711 PCMA     6     0 (0.0%)           30.04            0.64            1.74
==============================================================

If that is sufficient for you, consider it as my answer to your question.

If you want to know exactly which RTP frame is missing (based on the sequence number), I suggest using tshark:

tshark -nr sip_rtp.pcap -Y "rtp" -T fields -e frame.number -e ip.src -e ip.dst -e udp.srcport -e udp.dstport -e rtp.seq -e rtp.extseq -E header=y -E "separator=;"

Output:

frame.number;ip.src;ip.dst;udp.srcport;udp.dstport;rtp.seq;rtp.extseq
499;200.57.7.204;200.57.7.196;8000;40376;1;65537
500;200.57.7.204;200.57.7.196;8000;40376;2;65538
515;200.57.7.204;200.57.7.196;8000;40376;3;65539
522;200.57.7.196;200.57.7.204;40376;8000;11331;76867
524;200.57.7.204;200.57.7.196;8000;40376;4;65540
528;200.57.7.196;200.57.7.204;40376;8000;11332;76868
530;200.57.7.204;200.57.7.196;8000;40376;5;65541
534;200.57.7.196;200.57.7.204;40376;8000;11333;76869
535;200.57.7.204;200.57.7.196;8000;40376;6;65542
538;200.57.7.196;200.57.7.204;40376;8000;11334;76870
540;200.57.7.196;200.57.7.204;40376;8000;11335;76871

Then parse the output with a script (perl, python, whatever) and check if there is a frame missing for a certain RTP stream. You can use the IP addresses and the ports to distinguish streams and the sequence numbers to find missing frames (sequence number missing).

Obviously you can do the same with your exported CSV file, but the tshark output is easier to parse as it only contains what you need. And you can always add new fields to the output as you need them (tshark -e xxxx).

http://www.wireshark.org/docs/dfref/r/rtp.html

Regards
Kurt

answered 07 Feb '14, 02:50

Kurt Knochner ♦

edited 07 Feb '14, 03:11

Thanks, that seems to be exactly what I want.

(07 Feb '14, 08:37) kvmannila

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(07 Feb '14, 09:51) grahamb ♦
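
The parsing step suggested in the answer (group by IP addresses and ports, then look for missing sequence numbers) could look like the following. This is an added example, not code from the original thread; the function name find_missing and the sample rows (documentation addresses 192.0.2.x) are constructed for illustration, and it goes slightly beyond the answer by also handling 16-bit sequence wraparound, reordering and duplicates.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the "-T fields -E header=y" layout shown in the answer.
# Stream A wraps past 65535, has one reordered frame (3 before 2) and gaps.
SAMPLE = """\
frame.number;ip.src;ip.dst;udp.srcport;udp.dstport;rtp.seq;rtp.extseq
1;192.0.2.10;192.0.2.20;8000;40376;65533;65533
2;192.0.2.10;192.0.2.20;8000;40376;65534;65534
3;192.0.2.20;192.0.2.10;40376;8000;11331;76867
4;192.0.2.10;192.0.2.20;8000;40376;0;65536
5;192.0.2.10;192.0.2.20;8000;40376;1;65537
6;192.0.2.20;192.0.2.10;40376;8000;11332;76868
7;192.0.2.10;192.0.2.20;8000;40376;3;65539
8;192.0.2.10;192.0.2.20;8000;40376;2;65538
9;192.0.2.20;192.0.2.10;40376;8000;11333;76869
10;192.0.2.10;192.0.2.20;8000;40376;6;65542
"""

def find_missing(text, sep=";"):
    """Return {(src, sport, dst, dport): [missing 16-bit RTP sequence numbers]}.

    Only gaps between the first and last captured frame of a stream can be
    seen; frames lost before or after the capture window are not detectable.
    """
    seen = defaultdict(set)  # stream -> unwrapped sequence numbers observed
    highest = {}             # stream -> highest unwrapped sequence so far
    for row in csv.DictReader(io.StringIO(text), delimiter=sep):
        if not row["rtp.seq"]:
            continue  # frame without an RTP sequence number
        stream = (row["ip.src"], row["udp.srcport"], row["ip.dst"], row["udp.dstport"])
        seq = int(row["rtp.seq"])
        if stream not in highest:
            ext = seq
        else:
            # Signed 16-bit distance from the highest value seen so far, so a
            # wrap (65535 -> 0) counts forward and late frames count backward.
            delta = (seq - highest[stream]) & 0xFFFF
            if delta >= 0x8000:
                delta -= 0x10000
            ext = highest[stream] + delta
        highest[stream] = max(highest.get(stream, ext), ext)
        seen[stream].add(ext)
    return {s: [g & 0xFFFF for g in sorted(set(range(min(e), max(e) + 1)) - e)]
            for s, e in seen.items()}

if __name__ == "__main__":
    for stream, missing in find_missing(SAMPLE).items():
        print(stream, "missing:", missing)
```

To run it on real data, pass the text of the tshark output file to find_missing() instead of SAMPLE.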