This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Extracting RTP payload and dumping to a ts file

0

Hi guys,

I've looked around but haven't been able to find anything that works.

How would I extract the RTP payload and dump it to a ts file via the command line interface? Through the GUI, I can simply Decode as RTP and then 'Save payload' for the filtered packets, but haven't been able to succeed with doing this through tshark.

Thanks very much! Jero

asked 16 May '13, 12:17

Sheh


One Answer:

1

You could possibly do it with some scripting, by parsing the PDML output of tshark or by using the output of this command:

tshark -nr rtp.pcap -R rtp -T fields -e rtp.payload

but there are other tools that can do it for you automatically.

http://wiki.wireshark.org/RtpDumpScript
http://cpansearch.perl.org/src/SULLR/Net-Inspect-0.29/tools/rtpxtract.pl

See also my answer to a similar question:

http://ask.wireshark.org/questions/10493/can-tshark-extract-voice-data-from-an-rtp-stream

Something different, but also nice (using tshark)

http://www.e-c-group.com/software/ecg_extract_call/

Regards
Kurt

answered 16 May '13, 13:19

Kurt Knochner ♦

edited 16 May '13, 13:38

Thanks a lot Kurt. I was able to get the stream to decode as RTP using the -d option as follows:

tshark -r "my.pcap" -R udp.port==<src port> -d udp.port==<src port>,rtp -T fields -e rtp.payload -w "my_ts.ts"

However, at this point the dumped file is 12.9mb and does not play in VLC. If I use the RTP stream analysis "Save payload" option from the GUI, the file size is 12.1mb. I guess I need to figure out what additional content is being dumped...

(23 May '13, 16:29) Sheh

With -w "my_ts.ts" tshark writes the whole packet to disk, not the output from -T fields -e rtp.payload. So the resulting file is a pcap file, not a media file.

(24 May '13, 00:27) SYN-bit ♦♦

Oops my bad, thanks for catching that.

I was able to get the payload only to dump and convert to binary (very dirty though), but turns out the mp2t headers weren't being dumped. If I include that as a field as well, I first get a dump of all mp2t headers in a packet, followed by all the respective payloads.

At this point, it looks like I'll have to do what Kurt suggested earlier and get my scripts to parse the output and join (luckily the payloads are separated with commas so should be easily doable).

(24 May '13, 14:22) Sheh

Finally got a chance to look into this again. Ended up using a dump of the 'data' field. I then stripped the RTP headers for each packet data (first 12 bytes) using a simple python script and then converted to binary (python binascii module) after concatenating.

Thanks very much for your help guys.

(04 Jun '13, 07:36) Sheh
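
An added example, not code posted by anyone in this thread: a Python sketch of the approach described in the last comment (dump each packet's data as hex, strip the RTP header, concatenate, write binary). It goes beyond the fixed 12-byte strip by also honouring the CSRC list, header extension and padding defined in RFC 3550, and it checks that each payload is aligned MPEG-TS. The input format (one hex string per line, optionally colon-separated), the function names and the sample lines are assumptions constructed for illustration.

```python
import sys

TS_PACKET, TS_SYNC = 188, 0x47  # MPEG-TS packet size and sync byte

def rtp_payload(pkt: bytes) -> bytes:
    """Strip the RTP header (RFC 3550): fixed part, CSRCs, extension, padding."""
    if len(pkt) < 12 or pkt[0] >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    offset = 12 + 4 * (pkt[0] & 0x0F)          # fixed header + CSRC list
    if pkt[0] & 0x10:                          # X bit: header extension present
        if len(pkt) < offset + 4:
            raise ValueError("truncated RTP header extension")
        offset += 4 + 4 * int.from_bytes(pkt[offset + 2:offset + 4], "big")
    if offset > len(pkt):
        raise ValueError("RTP header longer than packet")
    end = len(pkt)
    if pkt[0] & 0x20:                          # P bit: last byte holds padding length
        pad = pkt[-1]
        if pad == 0 or pad > end - offset:
            raise ValueError("invalid RTP padding length")
        end -= pad
    return pkt[offset:end]

def hex_lines_to_ts(lines):
    """Turn hex lines (one UDP payload each) into one MPEG-TS byte string."""
    out = bytearray()
    for n, line in enumerate(lines, 1):
        text = line.strip().replace(":", "")   # accept aa:bb:cc or aabbcc
        if not text:
            continue
        payload = rtp_payload(bytes.fromhex(text))
        aligned = len(payload) % TS_PACKET == 0 and all(
            payload[i] == TS_SYNC for i in range(0, len(payload), TS_PACKET))
        if not aligned:
            raise ValueError(f"line {n}: payload is not aligned MPEG-TS")
        out += payload
    return bytes(out)

def _ts(pid: int) -> bytes:  # constructed 188-byte TS packet, zero-filled body
    return bytes([TS_SYNC, 0x00, pid, 0x10]) + bytes(184)

# Constructed sample input: RTP payload type 33 (MP2T), one TS packet per line.
SAMPLE_LINES = [
    "8021000100000000deadbeef" + _ts(0x11).hex(),               # plain header
    "9021000200000000deadbeef" + "abcd000100000000" + _ts(0x12).hex(),  # extension
    "a021000300000000deadbeef" + _ts(0x13).hex() + "00000004",  # padding
]

if __name__ == "__main__":  # hex lines on stdin, transport stream on stdout
    sys.stdout.buffer.write(hex_lines_to_ts(sys.stdin))
```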