I'm trying to run TShark with a loopback capture and get a table of RTP statistics using: c:\tshark.exe -q -r <pcap file> -z rtp,streams. For some reason I get an empty table. This is not the case for a non-loopback pcap file. If I open the file with Wireshark and decode as RTP, I can see the RTP streams. Does anyone know why I can't get the statistics for this file?
asked 29 Apr '13, 04:37 Guy
One Answer:
If you have to 'Decode as..' in Wireshark, you'll have to do that in tshark as well, otherwise tshark will not realize that there are any RTP packets.
Replace the port 5555 by whatever is used in your environment.
Regards
answered 29 Apr '13, 08:50 Kurt Knochner ♦ edited 29 Apr '13, 08:53
Hi Kurt,
Thanks for your reply! The problem is that the UDP port is not something I can know in advance. This is why I'm using " -o rtp.heuristic_rtp:TRUE", but for some reason it works on all pcaps except for a loopback capture. Do you know if there is a way to use -d udp.port==xxxx for all ports in the pcap file?
Thanks, Guy
Can you post a sample capture somewhere?
Well, you could run tshark twice within a script. First, get all ports, then call tshark with multiple -d options for all ports in the capture file.
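The two-pass approach suggested in the last comment, as an added example that is not part of the original thread. The function names, the `exclude` parameter and the sample port values are assumptions made for illustration, and tshark is assumed to be on PATH.

```python
import subprocess
import sys

TSHARK = "tshark"  # assumption: tshark is on PATH (the question used c:\tshark.exe)


def parse_udp_ports(field_output, exclude=frozenset()):
    """Return the sorted unique UDP ports found in `tshark -T fields` output.

    Each line holds udp.srcport and udp.dstport separated by a tab; a field
    that occurs several times in one frame is comma-joined by tshark.
    """
    ports = set()
    for line in field_output.splitlines():
        for token in line.replace(",", "\t").split("\t"):
            token = token.strip()
            if token.isdigit() and int(token) not in exclude:
                ports.add(int(token))
    return sorted(ports)


def list_ports_cmd(pcap):
    """First pass: print source and destination port of every UDP frame."""
    # -Y is the display filter option; tshark releases before 1.10 used -R.
    return [TSHARK, "-r", pcap, "-Y", "udp", "-T", "fields",
            "-e", "udp.srcport", "-e", "udp.dstport"]


def rtp_streams_cmd(pcap, ports):
    """Second pass: one '-d udp.port==N,rtp' per port, then the RTP table."""
    cmd = [TSHARK, "-q", "-r", pcap]
    for port in ports:
        cmd += ["-d", f"udp.port=={port},rtp"]
    return cmd + ["-z", "rtp,streams"]


def main(pcap):
    first = subprocess.run(list_ports_cmd(pcap), capture_output=True,
                           text=True, check=True)
    # Ports known not to carry RTP (constructed example: DNS, SIP) are skipped
    # so those frames are not forced through the RTP dissector.
    ports = parse_udp_ports(first.stdout, exclude={53, 5060})
    if not ports:
        sys.exit("no UDP ports found in capture")
    subprocess.run(rtp_streams_cmd(pcap, ports), check=True)


if __name__ == "__main__" and len(sys.argv) == 2:
    main(sys.argv[1])
```

Every port that is not excluded gets decoded as RTP, so unrelated UDP traffic in the capture will show up in the stream table as bogus RTP unless its ports are added to `exclude`.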