This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have a trace where I don't need the media inside the RTP packets. I need the RTP headers, but not the real payload.

Is it possible to discard/drop the media/payload while saving a trace?

asked 16 May '12, 09:12 by Ramsundar Ka...

edited 16 May '12, 09:54 by multipleinte...


Yes, this is possible. You want to set the snaplen of the capture.
For captures taken using the Wireshark GUI, check the "Limit each packet to" box in the "Capture Options" window, set a sensible limit, and then start the capture from that window.
When using tshark, use the -s option (tshark -s <snaplen> ...).
For captures already taken, you can truncate each packet using editcap and the -s option (editcap -s <snaplen> ...).
I do not know offhand what the snaplen value should be for RTP, but you should be able to determine this from one of the captures you have already taken.

answered 16 May '12, 09:53 by multipleinte...

Thanks a lot.

It would have been better if we had an option to set the snaplen for a particular payload type, e.g. if RTP, then set the snaplen to xx bytes.

The problem is that if we set the snaplen to zz bytes and a non-RTP (say SIP signalling) packet is stripped to that size, it could be a problem while analyzing the trace.

Thanks, Ram

(19 May '12, 08:16) Ramsundar Ka...

Setting the snaplen as @multipleinterfaces suggested is a good idea. If you want to truncate only specific packets (specified by a display filter), you can use the following bash script, which uses tshark and editcap.

snap.sh:

#!/bin/bash

if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
    echo "Usage: $(basename "$0") {infile} {snaplen} {displayfilter}"
    exit 1
fi

# binaries
TSHARK=/opt/local/bin/tshark
EDITCAP=/opt/local/bin/editcap
MERGECAP=/opt/local/bin/mergecap

# parameters
INFILE=$1
OUTFILE=$1.out
SNAPLEN=$2
DFILTER=$3
TRUNCATED=$(mktemp pcap.XXXXXXXXXX)
UNTOUCHED=$(mktemp pcap.XXXXXXXXXX)

echo "Filtering packets..."
# frame numbers of the packets matching the display filter
# (-R was the display filter option in tshark 1.6; 1.10 and later use -Y)
FRAMES=$(${TSHARK} -R "${DFILTER}" -r "${INFILE}" -T fields -e frame.number)
__max=$(echo ${FRAMES} | wc -w)
echo "${__max} packets selected"

# collapse consecutive frame numbers into ranges ("3-10 12-1450"):
# editcap accepts only a limited number of ranges (100) on its command line
RANGES=$(echo "${FRAMES}" | awk 'NR == 1 { s = p = $1; next }
    $1 == p + 1 { p = $1; next }
    { printf "%s-%s ", s, p; s = p = $1 }
    END { if (NR) printf "%s-%s\n", s, p }')

echo "Writing pcap..."
if [ "${__max}" -eq 0 ]; then
    cp "${INFILE}" "${OUTFILE}"
else
    # editcap drops the packets listed on its command line unless -r is
    # given, and -s applies to every packet it writes, so a single call
    # cannot truncate the selected packets and leave the rest intact.
    # Write the two sets separately and merge them back in timestamp order.
    ${EDITCAP} -r -s "${SNAPLEN}" "${INFILE}" "${TRUNCATED}" ${RANGES} > /dev/null
    ${EDITCAP} "${INFILE}" "${UNTOUCHED}" ${RANGES} > /dev/null
    ${MERGECAP} -w "${OUTFILE}" "${TRUNCATED}" "${UNTOUCHED}"
fi

rm -f "${TRUNCATED}" "${UNTOUCHED}"
echo "Wrote ${OUTFILE}"

I tested the script on a sample pcap, containing SIP and RTP packets. For example, to truncate all RTP packets to 12 UDP bytes (which is the RTP header length in the sample pcap), enter this:

$ snap.sh SIP_CALL_RTP_G711.pcap 54 rtp.payload
Filtering packets...
Writing pcap...
1445/1445 (100%)
Wrote SIP_CALL_RTP_G711.pcap.out

Note that the snaplen of 54 comes from the frame headers (Ethernet, IP, etc.) leading up to the UDP payload, plus the length of the desired UDP payload.

answered 19 May '12, 22:26 by helloworld
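The payload-type-dependent snaplen that Ram asked for in his comment, and that the script above approximates with a display filter and editcap, can also be applied directly to the capture file, without going through the Wireshark tools at all. The following is an added example, not code from the thread or from Wireshark: it walks a classic pcap file (pcapng is not handled), leaves every packet as it is, and cuts each RTP packet down to its full RTP header (fixed header, CSRC list and any header extension) so that only the media is dropped and the original length field still shows the size on the wire. It assumes Ethernet/IPv4/UDP framing, recognises RTP by the version bits and a payload type outside the RTCP range unless a set of RTP ports is supplied, and runs on a capture constructed inline; all names (`truncate_rtp`, `rtp_keep_length`, `sample_pcap`) are the example's own.

```python
"""Payload-type-aware snaplen for a pcap file: every packet is copied as is,
except RTP packets, which are cut down to their RTP header so the media
(the UDP payload after the header) is dropped.

Added example, not code from the thread or from Wireshark. Assumes a classic
pcap file (not pcapng) with LINKTYPE_ETHERNET, IPv4 and UDP framing; the
sample capture it runs on is constructed inline.
"""
import struct

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
RTP_FIXED_HEADER = 12          # V/P/X/CC, M/PT, seq, timestamp, SSRC


def _endian(pcap):
    """Struct prefix for the file's byte order, from the pcap magic number."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # microsecond / nanosecond stamps
        return "<"
    if magic in (0xD4C3B2A1, 0x4D3CB2A1):
        return ">"
    raise ValueError("not a classic pcap file (pcapng is not handled)")


def read_records(pcap):
    """Yield (ts_sec, ts_frac, orig_len, frame_bytes) for every record."""
    e = _endian(pcap)
    if struct.unpack(e + "I", pcap[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET (1) is handled")
    off = 24
    while off < len(pcap):
        ts_sec, ts_frac, caplen, orig_len = struct.unpack(e + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        if len(frame) != caplen:
            raise ValueError("record runs past the end of the file")
        off += 16 + caplen
        yield ts_sec, ts_frac, orig_len, frame


def rtp_keep_length(frame, rtp_ports=None):
    """If the frame carries RTP, return how many bytes to keep (Ethernet, IPv4
    and UDP headers plus the full RTP header incl. CSRCs and extension), else
    None. RTP means version 2 and a payload type outside the RTCP range 72..79
    (RFC 5761), restricted to rtp_ports when a set of ports is given."""
    if len(frame) < ETH_LEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    frag = struct.unpack("!H", frame[ETH_LEN + 6:ETH_LEN + 8])[0] & 0x1FFF
    if ihl < 20 or frame[ETH_LEN + 9] != IPPROTO_UDP or frag:
        return None                     # not UDP, or a non-first IP fragment
    udp = ETH_LEN + ihl
    if len(frame) < udp + 8 + RTP_FIXED_HEADER:
        return None
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if rtp_ports is not None and sport not in rtp_ports and dport not in rtp_ports:
        return None
    rtp = frame[udp + 8:]
    if rtp[0] >> 6 != 2 or 72 <= (rtp[1] & 0x7F) <= 79:
        return None
    header = RTP_FIXED_HEADER + 4 * (rtp[0] & 0x0F)     # CSRC list
    if rtp[0] & 0x10:                                    # X bit: header extension
        if len(rtp) < header + 4:
            return None
        header += 4 + 4 * struct.unpack("!H", rtp[header + 2:header + 4])[0]
    return udp + 8 + min(header, len(rtp))


def truncate_rtp(pcap, rtp_ports=None):
    """Return a copy of the pcap with RTP records trimmed to their headers.
    The original length of each record is kept, so Wireshark still shows the
    real size on the wire and marks the packet as truncated."""
    e = _endian(pcap)
    out = bytearray(pcap[:24])
    for ts_sec, ts_frac, orig_len, frame in read_records(pcap):
        keep = rtp_keep_length(frame, rtp_ports)
        if keep is not None and keep < len(frame):
            frame = frame[:keep]
        out += struct.pack(e + "IIII", ts_sec, ts_frac, len(frame), orig_len) + frame
    return bytes(out)


def _udp_frame(sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame around payload (checksums left zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64,
                     IPPROTO_UDP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + ip


def sample_pcap():
    """Constructed capture: a SIP INVITE, a G.711 RTP packet carrying one CSRC
    and 160 bytes of audio, and an RTCP sender report that must stay intact."""
    sip = _udp_frame(5060, 5060, b"INVITE sip:bob@example.net SIP/2.0\r\n\r\n")
    rtp = _udp_frame(4000, 4002, bytes([0x81, 0x00]) + struct.pack("!HII", 7, 160, 0x1234)
                     + struct.pack("!I", 0xAB) + b"\xd5" * 160)
    rtcp = _udp_frame(4001, 4003, bytes([0x80, 200]) + struct.pack("!H", 6) + b"\x00" * 24)
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate((sip, rtp, rtcp)):
        out += struct.pack("<IIII", 1337, i * 20000, len(frame), len(frame)) + frame
    return bytes(out)


if __name__ == "__main__":
    # for a real file: truncate_rtp(open("in.pcap", "rb").read(), rtp_ports={...})
    for before, after in zip(read_records(sample_pcap()), read_records(truncate_rtp(sample_pcap()))):
        print("wire %3d bytes, captured %3d -> %3d" % (before[2], len(before[3]), len(after[3])))
```

Passing `rtp_ports` (the media ports negotiated in the SDP) is the safer mode on a mixed capture, since the version/payload-type heuristic alone can misfire on other UDP traffic whose first byte happens to start with the bits 10; with a port set, only packets on those ports are examined at all.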

question asked: 16 May '12, 09:12

question was seen: 3,882 times

last updated: 19 May '12, 22:26