
Can I save RTP packets without the media data?

0

I have a trace where I don't need the media inside the RTP Packets. I need the RTP headers, but not the real payload.

Is it possible to discard/drop the media/payload while saving a trace?

asked 16 May '12, 09:12


Ramsundar Ka...
6112
accept rate: 0%

edited 16 May '12, 09:54


multipleinte...
1.3k152340


2 Answers:

1

Yes, this is possible. You want to set the snaplen of the capture.
For captures taken using the Wireshark GUI, check the "Limit each packet to" box and set a sensible limit before starting the capture (this option is found in the "Capture Options" window used to start the capture).
When using tshark, use the -s option (tshark -s <snaplen> ...).
For captures already taken, you can truncate each packet using editcap and the -s option (editcap -s <snaplen> ...).
I do not know offhand what the snaplen value should be for RTP, but you should be able to determine this from one of the captures you have already taken.

answered 16 May '12, 09:53


multipleinte...
1.3k152340
accept rate: 12%

Thanks a lot.

It might have been better if we had an option to set snaplen for a particular payload type. E.g. if RTP, then set snaplen to xx bytes.

The problem is that, if we set snaplen to zz bytes and a non-RTP (say, SIP signalling) packet is stripped to that size, it could be a problem while analyzing a trace.

Thanks, Ram

(19 May '12, 08:16) Ramsundar Ka...

2

Setting the snaplen as @multipleinterfaces suggested is a good idea. If you want to truncate only specific packets (specified by a display filter), you can use the following bash script, which uses tshark and editcap.

snap.sh:

#!/bin/bash

if [ -z "$1" -o -z "$2" -o -z "$3" ]; then
    echo "Usage: $(basename "$0") {infile} {snaplen} {displayfilter}"
    exit 1
fi

# binaries
TSHARK=/opt/local/bin/tshark
EDITCAP=/opt/local/bin/editcap

# parameters
TMPFILE=$(mktemp pcap.XXXXXXXXXX)
INFILE=$1
OUTFILE=$1.out
SNAPLEN=$2
DFILTER=$3

cp "${INFILE}" "${TMPFILE}"

echo "Filtering packets…"
# list the frame numbers matching the display filter
# (newer tshark releases use -Y instead of -R for display filters)
INPUT=$(${TSHARK} -R "${DFILTER}" -r "${INFILE}" -T fields -e frame.number)
__max=$(echo ${INPUT} | wc -w)
__i=0

if [ "${__max}" -eq 0 ]; then
    echo "No packets match the display filter; nothing to do."
    rm "${TMPFILE}"
    exit 0
fi

echo "Writing pcap…"
for x in ${INPUT[*]}
do
    # show progress
    ((__i++))
    printf "${__i}/${__max} ($((${__i}*100/${__max}))%%)\r"

    # truncate the specified packet, copy the resulting pcap
    # back to the temporary working file for the next iteration
    ${EDITCAP} -s "${SNAPLEN}" "${TMPFILE}" "${OUTFILE}" "${x}" > /dev/null
    cp "${OUTFILE}" "${TMPFILE}"
done

echo
rm "${TMPFILE}"
echo "Wrote ${OUTFILE}"

I tested the script on a sample pcap, containing SIP and RTP packets. For example, to truncate all RTP packets to 12 UDP bytes (which is the RTP header length in the sample pcap), enter this:

$ snap.sh SIP_CALL_RTP_G711.pcap 54 rtp.payload
Filtering packets…
Writing pcap…
1445/    1445 (100%)
Wrote SIP_CALL_RTP_G711.pcap.out

Note that the 54-byte snaplen comes from the frame headers (Ethernet, IP, etc.) leading up to UDP plus the length of the desired UDP payload.

answered 19 May '12, 22:26


helloworld
3.1k42041
accept rate: 28%
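The snaplen arithmetic in the answer above (Ethernet 14 + IPv4 20 + UDP 8 + RTP header 12 = 54) and the comment wishing for a per-payload-type snaplen can both be worked through in code. The following is an added example, not part of either answer and not a Wireshark tool: it parses a pcap directly with the standard library, computes the per-packet snaplen from the actual IP header length, CSRC count and RTP extension header, and shortens only frames whose UDP payload looks like RTP (version bits equal to 2, a heuristic). SIP and other packets are copied untouched, and the original length (orig_len) is preserved so Wireshark still reports the true packet size. The sample capture is constructed inline; it assumes plain Ethernet/IPv4/UDP framing with no VLAN tags.

```python
"""Truncate RTP packets in a pcap to their headers, leaving other packets intact.
Added example; assumes little-endian pcap, Ethernet link type, IPv4, no VLAN."""
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def rtp_header_len(payload: bytes):
    """Return the RTP header length (12 fixed bytes + CSRC list + optional
    extension) if the UDP payload looks like RTP version 2, else None."""
    if len(payload) < 12:
        return None
    b0 = payload[0]
    if b0 >> 6 != 2:            # RTP version must be 2 (heuristic, not a proof)
        return None
    hdr = 12 + 4 * (b0 & 0x0F)  # fixed header plus 4 bytes per CSRC
    if b0 & 0x10:               # extension bit: 4-byte ext header + length in 32-bit words
        if len(payload) < hdr + 4:
            return None
        ext_words = struct.unpack_from("!H", payload, hdr + 2)[0]
        hdr += 4 + 4 * ext_words
    return hdr if hdr <= len(payload) else None


def rtp_snaplen(frame: bytes):
    """For an Ethernet/IPv4/UDP frame carrying RTP, return how many bytes to keep
    (everything through the RTP header); None if the frame is not RTP."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ip_end = 14 + (frame[14] & 0x0F) * 4                 # IHL gives real IP header size
    if len(frame) < ip_end + 8 or frame[14 + 9] != 17:   # protocol byte must be UDP
        return None
    udp_end = ip_end + 8
    hdr = rtp_header_len(frame[udp_end:])
    return None if hdr is None else udp_end + hdr


def truncate_rtp_pcap(pcap: bytes):
    """Rewrite a pcap so RTP packets keep only their headers (incl_len shrinks,
    orig_len is preserved). Returns (new pcap bytes, [(old_caplen, new_caplen)])."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, link = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != PCAP_MAGIC or link != LINKTYPE_ETHERNET:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    out = bytearray(pcap[:24])
    changes = []
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl, orig = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        keep = rtp_snaplen(frame)
        if keep is not None and keep < incl:
            frame = frame[:keep]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), orig) + frame
        changes.append((incl, len(frame)))
        off += 16 + incl
    return bytes(out), changes


def _udp_frame(dst_port: int, payload: bytes) -> bytes:
    """Build a constructed Ethernet/IPv4/UDP frame (checksums left as zero)."""
    udp = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip


def sample_pcap() -> bytes:
    """Constructed two-packet capture: one SIP INVITE and one G.711 RTP packet."""
    sip = _udp_frame(5060, b"INVITE sip:bob@example.com SIP/2.0\r\n\r\n")
    rtp = _udp_frame(10000, struct.pack("!BBHII", 0x80, 0, 1, 160, 0x1234) + b"\xff" * 160)
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = b""
    for i, frame in enumerate((sip, rtp)):
        recs += struct.pack("<IIII", 1337, i, len(frame), len(frame)) + frame
    return hdr + recs


if __name__ == "__main__":
    new_pcap, changes = truncate_rtp_pcap(sample_pcap())
    for old, kept in changes:
        print(f"caplen {old} -> {kept}")      # SIP stays 80, RTP goes 214 -> 54
    with open("truncated.pcap", "wb") as fh:
        fh.write(new_pcap)
```

Run it with a real capture by replacing sample_pcap() with the bytes of your file; the 54 that the answer derived by hand is exactly what rtp_snaplen() returns for the sample RTP frame, while the SIP packet is left at its full length, which is what the comment above asked for.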