This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

CLI or script for “Follow udp stream”?

0

I have many .pcap files of video multicast. To strip off the network info and keep just the video data, I have been manually doing the "Follow UDP stream" command, then saving those results as "raw" transport stream (.ts) files. The problem is that this is a very long process (>15 min per 250Meg file).

I have the proper filter needed to get just the frames I want from the .pcap files and can launch them from the CLI. My question is whether or not there is a method to do the "Follow UDP stream" part via CLI or script. If so, pointers or suggestions are GREATLY appreciated.

Thanks, Dave T.

asked 10 Mar '11, 11:37

DaveT
accept rate: 0%

Is there a layer of protocol of some kind in between the UDP and the mpeg stream?

(05 Jul '12, 14:29) rakslice

One Answer:

0

Have a look at the discussion at http://www.wireshark.org/lists/wireshark-users/200611/msg00133.html, it contains a little script I wrote that might help you out:

```perl
#!/usr/bin/perl -w
#
# Just a little script written by Sake Blok ([email protected])
# to extract udp-payload data from an udp-stream.

use strict;
use English;

use Net::PcapUtils;
use NetPacket::Ethernet qw(:strip);
use NetPacket::IP;
use NetPacket::UDP;

my $packet_nr = 0;

# Callback for every packet: strip the Ethernet, IP and UDP headers
# and append the UDP payload to the output file.
sub process_pkt {
    my ($arg, $hdr, $pkt) = @_;

    my $ip_obj  = NetPacket::IP->decode(eth_strip($pkt));
    my $udp_obj = NetPacket::UDP->decode($ip_obj->{data});

    $packet_nr++;

    printf OUT "%s", $udp_obj->{data};
}

my $infile  = shift || die "Usage: $0 <infile> <outfile>\n";
my $outfile = shift || die "Usage: $0 <infile> <outfile>\n";

# Two-argument open, so an <outfile> of "-" means STDOUT.
open(OUT, ">$outfile") or die "Cannot open $outfile: $!\n";
binmode(OUT);    # the payload is binary data
# loop() expects a reference to the callback, hence \&process_pkt.
Net::PcapUtils::loop(\&process_pkt, (SAVEFILE => $infile, FILTER => 'udp'));
close(OUT);
```

answered 11 Mar '11, 04:02

SYN-bit ♦♦
accept rate: 20%

I’ll give it a try.

Thanks!

Dave

(11 Mar '11, 07:34) DaveT

Converted to a comment in keeping with the philosophy of this site.

See the FAQ for further info….

(11 Mar '11, 07:41) Bill Meier ♦♦

With a minor modification to the perl script, one can recapture the udpflow as an rtptools dump file.

Here are the changes:

1) add “OUT->autoflush(1);” after the open statement

2) add “use IO::Handle;” to the end of the package include list

Now you can do something like this:

In one window…

$ rtpdump -Fhex localhost/60004

In another window…

$ tshark -r aaa.pcap -w- rtp | ./udpflow - - | nc -u localhost 60004

“udpflow” is our little wrapped up/chmod +x perl script. (Note: the udpflow pipeline must be run as root. I haven’t figured out how to turn off perl’s “taint mode”)

“nc” is the linux netcat command (a handy dandy general purpose tcp/udp socket utility)

The change I’ve suggested causes the udpflow script to flush its output to the nc cmd with each write, thus resulting in a single udp datagram w/ rtp payload for each udp packet in the flow (rtp has no length field; an rtp packet is framed by its udp transport packet). The rtpdump utility dumps the rec’d rtp flow as an ascii representation w/ hex payload.

From there one can pump the resulting dump file into other tools to play the media stream. (See eg. http://wiki.wireshark.org/RTP_statistics)

(16 Apr '12, 07:30) rroy
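An added example, not part of the original thread and not code from the script's author: a standard-library Python version of the same extraction that goes a little further than the Perl script. It honours the IP header length and the UDP length field (so Ethernet padding never reaches the output), skips IP fragments, can select one destination port, and can strip the RTP header mentioned in the comments. The function names and the sample frame are constructed for illustration, and a classic (non-pcapng) Ethernet capture is assumed.

```python
import struct

def udp_payloads(pcap, dst_port=None, strip_rtp=False):
    """Yield UDP payloads, in capture order, from classic-pcap bytes (Ethernet only)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    off = 24                                     # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        data = _udp_data(frame, dst_port)
        if data:
            yield _rtp_body(data) if strip_rtp else data

def _udp_data(frame, dst_port):
    l3 = 18 if frame[12:14] == b"\x81\x00" else 14   # allow one 802.1Q VLAN tag
    if frame[l3 - 2:l3] != b"\x08\x00" or len(frame) < l3 + 20:
        return None                              # not IPv4
    ihl = (frame[l3] & 0x0F) * 4                 # IP header length varies with options
    frag = struct.unpack("!H", frame[l3 + 6:l3 + 8])[0] & 0x3FFF
    if frame[l3 + 9] != 17 or frag or ihl < 20 or len(frame) < l3 + ihl + 8:
        return None                              # not UDP, malformed, or an IP fragment
    dport, ulen = struct.unpack("!HH", frame[l3 + ihl + 2:l3 + ihl + 6])
    if dst_port is not None and dport != dst_port:
        return None
    return frame[l3 + ihl + 8:l3 + ihl + ulen]   # UDP length excludes Ethernet padding

def _rtp_body(data):
    if len(data) < 12 or data[0] >> 6 != 2:
        return data                              # not RTP version 2, keep unchanged
    hdr = 12 + 4 * (data[0] & 0x0F)              # fixed header plus CSRC list
    if data[0] & 0x10 and len(data) >= hdr + 4:  # header extension present
        hdr += 4 + 4 * struct.unpack("!H", data[hdr + 2:hdr + 4])[0]
    end = len(data) - (data[-1] if data[0] & 0x20 else 0)   # RTP padding bit
    return data[hdr:max(hdr, end)]

def sample_pcap():
    """Constructed capture: one RTP-in-UDP frame to port 60004, padded to 60 bytes."""
    rtp = b"\x80\x21\x00\x01" + bytes(8) + b"\x47TS"
    udp = struct.pack("!HHHH", 5004, 60004, 8 + len(rtp), 0) + rtp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 16, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([239, 1, 1, 1])) + udp
    frame = (bytes(12) + b"\x08\x00" + ip).ljust(60, b"\x00")
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
```

To produce a .ts file, join the yielded payloads with `b"".join(...)` and write the result to a file opened in binary mode.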