
Filtered original file with rtpevent to separate pcap file, but packets showing as UDP

We filtered the original pcap file with the display filter rtpevent and wrote the results to a separate pcap file as below:

tshark -r TestRTPSIP.pcap -Y "rtpevent" -w rtpevent.pcap

The result file rtpevent.pcap has packets, but they are displayed as UDP; we can't see the rtpevent information.

Balaji Ratnala
asked 2024-01-04 15:44:30 +0000
grahamb
updated 2024-01-04 15:46:22 +0000

2 Answers

Another solution is to save the SDP packets in the new file too, as they contain the mapping of the dynamic payload type for the rtpevent packets (which tells the user agents which payload type is used for rtpevent PDUs; this is also how Wireshark knows to dissect these UDP packets as rtpevent).

So, you could use tshark -r TestRTPSIP.pcap -Y "sdp or rtpevent" -w rtpevent.pcap and see if that solves the issue for you too.

SYN-bit
answered 2024-01-04 22:37:21 +0000

Comments

It solves our problem, but we need only rtp and rtpevents as the filter to reduce file size by excluding sip/sdp. Anyhow, if there is no option to save only rtp/rtpevents, then saving the new file with sdp is the only solution, which we are using currently. Thanks!

Balaji Ratnala (2024-01-05 05:33:25 +0000)

You can also look at the port numbers with tshark -r rtpevent.pcap -qz conv,udp and then use Decode As to decode the specific ports as rtp (and thus rtpevent) with tshark -r /tmp/rtpevent.pcapng -d udp.port==<port>,rtp

SYN-bit (2024-01-05 12:25:15 +0000)

Or use the --enable-heuristic option like this: tshark -r rtpevent.pcap --enable-heuristic rtp_udp

SYN-bit (2024-01-05 12:36:17 +0000)

--enable-heuristic and using port numbers convert them to RTP packets, but we can't see the rtpEvent info. Can you please help if there is any solution to show RTPEvents (DTMF data)?

Balaji Ratnala (2024-01-08 11:10:16 +0000)

Are the rtpevent packets shown as UDP in the info column, or maybe as some other protocol? In my case they were shown as DIS protocol and I needed to disable the DIS dissector. So, without your specific packets it is really hard (to impossible) to help you out (see the email address in my profile if you are able to share the pcap file).

SYN-bit (2024-01-08 11:26:18 +0000)
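
The payload-type mapping described in the answer above, as an added example that is not part of the original thread: the SDP a=rtpmap line is what binds a dynamic payload type to telephone-event, so the same RTP bytes decode as a DTMF event only when that mapping is known. The SDP text, the RTP bytes and the function names are constructed for illustration.

```python
import re
import struct

# Constructed sample data (not taken from the poster's capture).
SAMPLE_SDP = (
    "v=0\r\n"
    "m=audio 49170 RTP/AVP 0 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "a=rtpmap:101 telephone-event/8000\r\n"
    "a=fmtp:101 0-15\r\n"
)
# RTP header: V=2, marker clear, PT=101, seq=1, ts=160, SSRC=0x11223344, then a
# 4-byte RFC 4733 event payload: digit 5, end bit set, volume 10, duration 800.
SAMPLE_RTP = bytes.fromhex("80650001000000a011223344" "058a0320")

DTMF = "0123456789*#ABCD"  # RFC 4733 event codes 0-15

def telephone_event_pts(sdp):
    """Return the payload types that SDP rtpmap lines bind to telephone-event."""
    return {int(pt) for pt in
            re.findall(r"^a=rtpmap:(\d+) telephone-event/", sdp, re.M | re.I)}

def decode_rtp(packet, event_pts):
    """Parse one RTP packet; decode a DTMF event only if its PT is mapped."""
    if len(packet) < 12 or packet[0] >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    offset = 12 + 4 * (b0 & 0x0F)                # skip the CSRC list
    if b0 & 0x10:                                # header extension present
        if len(packet) < offset + 4:
            raise ValueError("truncated header extension")
        ext_words = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    info = {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq, "event": None}
    payload = packet[offset:]
    if info["pt"] in event_pts and len(payload) >= 4:
        code, flags, duration = struct.unpack("!BBH", payload[:4])
        info["event"] = {
            "digit": DTMF[code] if code < len(DTMF) else f"event {code}",
            "end": bool(flags & 0x80),
            "volume": flags & 0x3F,
            "duration": duration,
        }
    return info
```

Calling decode_rtp(SAMPLE_RTP, set()) models a capture saved without its SDP: the packet still parses as RTP with payload type 101, but no event is decoded.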

Go to Analyse | Enabled Protocols.

In the dialog that pops up fill in 'RTP' as search item.

Under the RTP item look for rtp_udp, and make sure that's checked.

Click OK to close the dialog and compare the results.

Jaap
answered 2024-01-04 20:23:08 +0000

Comments

Thanks for the response. By enabling this check box, I can see rtp packets, but not rtpevents in Wireshark. I need an option for tshark.

Balaji Ratnala (2024-01-05 05:31:40 +0000)