This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to split voip to separate pcap files in an easy way

0

I have a too large pcap file. How can I get just the voip out of it? I already tried with time selection (-A -B).

asked 23 Nov '11, 10:35

tkwire


One Answer:

2

In general, splitting up files is easily done with editcap:

editcap -c <packets per file> or editcap -i <seconds per file>

gives you two ways to split your too big capture file into smaller ones.

If you just want to filter the voip out of the trace, you could use tshark to grab frames matching a specific display filter and save those to a new trace, e.g. for Cisco-based voip with skinny as the signalling protocol:

tshark -r <name of your trace.pcap> -R "skinny or rtp" -w <name of the new tracefile>

answered 23 Nov '11, 13:19

Landi

I already tried with editcap packets per file and seconds per file. The problem is, then I get just the first piece of voip and the next pieces are lost. (In the first file is the first piece of voip and in the next file is no voip, so I can get just about 30 sec of voip from a 30 min. voip.)

With tshark I get this error message: This application has requested the Runtime to terminate it in an unusual way. Please contact the application’s support team for more information

My file: 733009451 bytes; packets: more than 139400 packets (preview timeout); format: modified tcpdump-libpcap

(24 Nov '11, 10:05) tkwire

I don't really get the problem why the "next pieces [of voip] are lost" when you use editcap. Tshark might not like the file size of your pcap, so even if it is more complicated, maybe you could try the following:

  • Split up the trace with editcap into smaller files (e.g. 100,000 packets per file)
  • Create a new folder like 'filtered' or something
  • Run tshark -r ... -R "rtp or skinny" -w filtered<filename> for every editcap outfile
  • Run mergecap over all your traces in the filtered directory and see if the file is then small enough to open with Wireshark
(24 Nov '11, 10:25) Landi
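
The split, filter and merge steps listed in the comment above, combined into one script. This is an added example, not part of the original thread: the function name `split_filter_merge`, the temporary directory layout and the defaults are assumptions, and it uses `-Y`, the display-filter option of current tshark, where the 2011 commands in this thread use `-R`.

```bash
#!/usr/bin/env bash
# Added example: split -> filter each chunk -> merge.
# Assumes editcap, tshark and mergecap are on PATH. The function name,
# directory names and default values are hypothetical.
set -eu

# split_filter_merge <input.pcap> <output.pcap> [display filter] [packets per chunk]
# Prints the number of chunks that were filtered and merged.
split_filter_merge() {
    local src dst filter per_chunk work chunk kept
    src=$1
    dst=$2
    filter=${3:-"rtp or skinny"}
    per_chunk=${4:-100000}
    kept=0
    work=$(mktemp -d)
    mkdir "$work/chunks" "$work/filtered"

    # Step 1: editcap -c writes chunks/part_<index>_<timestamp>.pcap
    editcap -c "$per_chunk" "$src" "$work/chunks/part.pcap"

    # Steps 2-3: filter every chunk into the 'filtered' folder.
    for chunk in "$work"/chunks/*; do
        [ -e "$chunk" ] || continue   # glob matched nothing
        tshark -r "$chunk" -Y "$filter" -w "$work/filtered/$(basename "$chunk")"
        kept=$((kept + 1))
    done
    if [ "$kept" -eq 0 ]; then
        echo "editcap produced no chunks from $src" >&2
        rm -rf "$work"
        return 1
    fi

    # Step 4: merge the filtered chunks back into one capture file.
    mergecap -w "$dst" "$work"/filtered/*
    rm -rf "$work"
    echo "$kept"
}

# Run only when called with arguments, e.g.: ./voip_split.sh big.pcap voip.pcap
if [ "$#" -ge 2 ]; then
    split_filter_merge "$@"
fi
```

Each chunk is dissected on its own, so RTP packets in a chunk that does not contain the call setup signalling may not be recognised as RTP unless tshark's heuristic RTP dissection is enabled.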

I get this message when I run tshark: Read filters were specified both with "-R" and with additional command-line arguments

(24 Nov '11, 11:01) tkwire