How can I trim or ignore the first 8 bytes of UDP payload in a capture?

A recent change to a UDP protocol is causing me grief. For this scenario a provider has added an ID in front of the RTP Header information in the payload so I can no longer dissect it correctly. Is there an easy way to trim the first 8 bytes from the UDP payload in a packet capture?

justin_wireshark_help
asked 2020-01-08 19:23:48 +0000

Comments

Does the RTP payload always start at the same byte offset (Eth: 14 + IP: 20 + UDP: 8 + ID data: 8 = 50 ?)
If so, then you might look at "chopping" out the ID bytes with editcap -C:
https://www.wireshark.org/docs/man-pa...

Chuckc (2020-01-08 23:05:08 +0000)

1 Answer

There are (at least) two options here. One, as suggested in the comment, is to use editcap -C; or you could create a Lua dissector which binds to the UDP port involved, consumes the 8 extra bytes and passes the rest to the RTP dissector. This does depend on the predictability of the used ports, not having signalling protocols setting up RTP conversations.

Jaap
answered 2020-01-09 08:02:52 +0000
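
The Lua option from the answer above, as an added example (not code from the thread or from the Wireshark project): a dissector that binds to a UDP port, labels the first 8 bytes as the provider ID and passes the remainder to the built-in RTP dissector. The port 5004, the protocol name rtp_prefixed and the field name are assumptions; the ID is shown as opaque bytes because the thread does not describe its layout.

```lua
-- Added example: skip an 8-byte provider ID that precedes the RTP header.
-- Assumptions (not from the thread): UDP port 5004 and all names below.
local ID_LEN      = 8     -- size of the ID stated in the question
local RTP_MIN_HDR = 12    -- fixed RTP header length (RFC 3550)
local UDP_PORT    = 5004  -- assumed; set to the port the stream really uses

local prefixed = Proto("rtp_prefixed", "RTP with 8-byte provider ID")
local f_id     = ProtoField.bytes("rtp_prefixed.id", "Provider ID")
prefixed.fields = { f_id }

-- Handle to the built-in RTP dissector
local rtp = Dissector.get("rtp")

function prefixed.dissector(tvb, pinfo, tree)
    -- Too short to hold the ID plus an RTP header: decline the packet
    if tvb:len() < ID_LEN + RTP_MIN_HDR then
        return 0
    end

    -- Sanity check: RTP version (top two bits after the ID) must be 2.
    -- Declining here keeps unrelated traffic on the same port from being
    -- shown as RTP.
    if tvb(ID_LEN, 1):bitfield(0, 2) ~= 2 then
        return 0
    end

    -- Show the extra bytes in the tree so they remain filterable
    local subtree = tree:add(prefixed, tvb(0, ID_LEN))
    subtree:add(f_id, tvb(0, ID_LEN))

    -- Hand everything after the ID to the RTP dissector
    rtp:call(tvb(ID_LEN):tvb(), pinfo, tree)
    return tvb:len()
end

-- Bind to the fixed port; this only works when the port is predictable,
-- as the answer notes
DissectorTable.get("udp.port"):add(UDP_PORT, prefixed)
```

Load it with `tshark -X lua_script:rtp_prefixed.lua -r capture.pcap` or place the file in the personal Lua plugins folder. The original capture file is left unmodified, unlike the editcap approach.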