How to extract a single VoIP call from a pcap with many using the display filter. asked 05 Mar '15, 03:47 tarmongaidon edited 18 Mar '15, 07:33
One Answer:
Hi All,

Being a VoIP support tech there have been numerous occasions where I've had to extract just one call from a pcap with hundreds of calls. This is not an easy task. After a lot of googling around I haven't found this process documented yet. Having spent a couple of hours on it I've found a way of using the display filter to filter for the SSRC and Call-ID values and thought I'd share this with you guys:

1 - Open Wireshark and find the desired call by navigating to Telephony -> VoIP Calls. Then click the Flow button to get the call flow.

2 - Click on the INVITE (or any other SIP message), drill down to the message header and copy the Call-ID value. Alternatively you could click 'Prepare Filter' in the above dialog to automagically prepare a filter with the Call-ID.

3 - Select an RTP packet on each stream and note down the Synchronization Source identifier (SSRC) value for all streams.

4 - Use the following display filter and enter the values copied from the previous steps (or modify the existing filter if you clicked 'Prepare Filter' above):

rtcp.senderssrc==[ssrcvalue1] or rtcp.senderssrc==[ssrcvalue2] or rtp.ssrc==[ssrcvalue1] or rtp.ssrc==[ssrcvalue2] or sip.Call-ID==[Call ID]

5 - Navigate to File -> Export Specified Packets and make sure that the 'Displayed' radio button is selected, give it a file name and save the file. Note that you might need to decode the UDP packets as RTP when you open the file on another workstation.

I hope this saves you guys some time, I've been trying to figure this out on and off for a while now. Any suggestions on making the process less of a PITA or better are welcome.

Peace out :)

answered 18 Mar '15, 07:32 tarmongaidon
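The same five steps can be driven from the command line with tshark, which avoids hunting for SSRC values by hand. The script below is an added example and is not part of the answer above: it reads the SDP bodies of every SIP message carrying the given Call-ID to learn the negotiated media addresses and ports, collects the SSRC of each RTP stream seen on those ports, builds the same `sip.Call-ID` / `rtp.ssrc` / `rtcp.senderssrc` display filter as step 4, and writes only the matching packets to a new file. It assumes tshark is on PATH, that the media runs over IPv4, and uses the Wireshark field names `sip.Call-ID`, `sdp.connection_info.address`, `sdp.media.port`, `rtp.ssrc` and `rtcp.senderssrc` plus the `rtp.heuristic_rtp` preference; the helper names (`build_call_filter`, `media_endpoints`, `call_ssrcs`, `export_call`) are hypothetical.

```python
"""Added example (not from the original answer): automate the Wireshark
recipe with tshark.  Given a pcap and a SIP Call-ID it (1) reads the SDP of
that call's SIP messages for the negotiated media endpoints, (2) collects the
SSRC of every RTP stream on those endpoints, (3) builds the display filter of
step 4 and (4) writes only the matching packets to a new pcap.
Helper names are hypothetical; tshark is assumed to be on PATH."""
import argparse
import subprocess
from typing import Iterable, List, Set, Tuple

TSHARK = "tshark"  # assumption: Wireshark's CLI is installed and on PATH


def build_call_filter(call_id: str, ssrcs: Iterable[int]) -> str:
    """Step 4 of the answer: SIP signalling by Call-ID plus RTP/RTCP by SSRC."""
    # Call-IDs contain '@', '.', '-' etc., so the value must be a quoted string.
    quoted = call_id.replace("\\", "\\\\").replace('"', '\\"')
    terms = [f'sip.Call-ID == "{quoted}"']
    for ssrc in sorted(set(ssrcs)):  # dedupe and keep the filter deterministic
        terms.append(f"rtp.ssrc == 0x{ssrc:08x}")
        terms.append(f"rtcp.senderssrc == 0x{ssrc:08x}")
    return " || ".join(terms)


def _tshark_fields(pcap: str, display_filter: str, fields: List[str]) -> List[List[str]]:
    """Run tshark with -T fields and return one list of field values per packet."""
    cmd = [TSHARK, "-r", pcap, "-o", "rtp.heuristic_rtp:TRUE",  # decode UDP as RTP
           "-Y", display_filter, "-T", "fields", "-E", "separator=\t"]
    for field in fields:
        cmd += ["-e", field]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return [line.split("\t") for line in out.splitlines() if line.strip()]


def media_endpoints(pcap: str, call_id: str) -> Set[Tuple[str, int]]:
    """Steps 2/3 automated: every (address, port) from the c= and m= lines of
    the SDP bodies carried by this call's SIP messages (INVITE, 200 OK, re-INVITE...)."""
    endpoints: Set[Tuple[str, int]] = set()
    rows = _tshark_fields(pcap, build_call_filter(call_id, []),
                          ["sdp.connection_info.address", "sdp.media.port"])
    for addr, port in rows:
        if not (addr and port):
            continue  # SIP message without an SDP body (ACK, BYE, 100 Trying...)
        # tshark joins repeated fields with ','; one SDP may carry several m= lines
        addrs = addr.split(",")
        for i, p in enumerate(port.split(",")):
            endpoints.add((addrs[min(i, len(addrs) - 1)], int(p)))
    return endpoints


def call_ssrcs(pcap: str, endpoints: Set[Tuple[str, int]]) -> Set[int]:
    """Step 3 automated: SSRC of every RTP stream to or from a negotiated endpoint."""
    if not endpoints:
        return set()
    # assumption: IPv4 media; swap ip.addr for ipv6.addr on IPv6 trunks
    where = " || ".join(f"(ip.addr == {a} && udp.port == {p})" for a, p in sorted(endpoints))
    ssrcs: Set[int] = set()
    for (field,) in _tshark_fields(pcap, f"rtp && ({where})", ["rtp.ssrc"]):
        for ssrc in field.split(","):
            if ssrc:  # rtp.ssrc prints as 0x-prefixed hex by default
                ssrcs.add(int(ssrc, 16))
    return ssrcs


def export_call(pcap: str, call_id: str, out_pcap: str) -> str:
    """Step 5: write only the displayed packets; returns the filter that was used."""
    display_filter = build_call_filter(call_id, call_ssrcs(pcap, media_endpoints(pcap, call_id)))
    subprocess.run([TSHARK, "-r", pcap, "-o", "rtp.heuristic_rtp:TRUE",
                    "-Y", display_filter, "-w", out_pcap], check=True)
    return display_filter


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="extract one SIP call (signalling + media) from a pcap")
    ap.add_argument("pcap")
    ap.add_argument("call_id", help="value of the SIP Call-ID header")
    ap.add_argument("out_pcap")
    args = ap.parse_args()
    print(export_call(args.pcap, args.call_id, args.out_pcap))
```

Because the endpoint scan reads every SIP message with that Call-ID, media ports renegotiated by a re-INVITE are picked up as well; RTCP on the port+1 channel is caught by the `rtcp.senderssrc` term rather than by port. The `-o rtp.heuristic_rtp:TRUE` preference is the command-line equivalent of the "decode as RTP" step the answer warns about: without it tshark only recognises RTP on ports it has seen set up by SDP.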
What's wrong with clicking 'Prepare filter' in the first dialog?
Absolutely nothing Jaap, that's a better way of getting the call ID. Is there an easier way of getting the ssrc value?
Could you please post the text of your question as an answer to the question, and then edit the text of the question to "How do I display one VoIP call in a capture with multiple calls?" or something such as that, so that the actual answer shows up as an answer and this shows up as an answered question; that better fits the way Q&A sites are intended to be used, and would allow alternative answers (e.g., if MATE could be somehow used for this).