How to extract a single voip call from a pcap with many using the display filter.
asked 05 Mar '15, 03:47
edited 18 Mar '15, 07:33
Being a VoIP support tech there have been numerous occasions where I've had to extract just one call from a pcap with 100's of calls.
This is not an easy task. After a lot of Googling around I haven't found this process documented yet.
Having spent a couple of hours on it I've found a way of using the display filter to filter for the ssrc and Call-ID values and thought I'd share this with you guys:
1 - Open Wireshark and find the desired call by navigating to Telephony -> VoIP Calls. Then click the Flow button to get the call flow.
2 - Click on the INVITE (or any other SIP message) and drill down to the message header and copy the Call-ID value. Alternatively you could click 'prepare filter' in the above dialog to automagically prepare a filter with the Call-ID.
3 - Select an RTP packet on each stream and note down the Synchronization Source identifier (ssrc) value for all streams.
4 - Use the following display filter and enter the values copied from the previous steps (or modify the existing filter if you clicked 'prepare filter' above):
rtcp.senderssrc==[ssrcvalue1] or rtcp.senderssrc==[ssrcvalue2] or rtp.ssrc==[ssrcvalue1] or rtp.ssrc==[ssrcvalue2] or sip.Call-ID==[Call ID]
5 - Navigate to File -> Export Specified Packets and make sure that the 'Displayed' radio button is highlighted, give it a file name and save the file.
Note that you might need to decode the UDP packets as RTP when you open the file on another workstation.
I hope this saves you guys some time, I've been trying to figure this out on and off for a while now. Any suggestions on making the process less of a PITA or better are welcome.
Peace out :)
answered 18 Mar '15, 07:32
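The manual hunt in steps 2 to 4 as a script, added here as an example and not part of the original post: it finds the SIP messages carrying a given Call-ID, learns the call's media ports from their SDP, collects the SSRCs seen on those ports, and prints the step-4 display filter ready for File -> Export Specified Packets. It assumes a classic libpcap file (not pcapng) with Ethernet framing and IPv4; the function names are my own.

```python
import re
import struct

def sip_call_id(payload):
    # Return the Call-ID of a SIP request/response, or None if this is not SIP.
    first = payload.split(b"\r\n", 1)[0]
    if not (first.startswith(b"SIP/2.0") or first.endswith(b" SIP/2.0")):
        return None
    headers = payload.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    m = re.search(r"^(?:Call-ID|i)\s*:\s*(\S+)", headers, re.I | re.M)  # "i:" is the compact form
    return m.group(1) if m else None

def sdp_media_ports(payload):
    # RTP ports announced in the SDP body, e.g. "m=audio 49170 RTP/AVP 0".
    return {int(p) for p in re.findall(rb"^m=(?:audio|video) (\d+) ", payload, re.M)}

def rtp_ssrc(payload):
    # SSRC from an RFC 3550 header; RTCP (PT 200-204) shares the version bits, so skip it.
    if len(payload) < 12 or payload[0] >> 6 != 2 or 72 <= payload[1] & 0x7F <= 76:
        return None
    return struct.unpack("!I", payload[8:12])[0]

def udp_payloads(stream):
    # Yield (src_port, dst_port, payload) for IPv4/UDP frames in a classic libpcap
    # file with Ethernet link type (assumption: pcapng and other link types are not handled).
    magic = stream.read(24)[:4]
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[magic]
    while len(rec := stream.read(16)) == 16:
        incl_len = struct.unpack(endian + "IIII", rec)[2]
        frame = stream.read(incl_len)
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                                   # not IPv4 over Ethernet, or not UDP
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        yield struct.unpack("!HH", udp[:4]) + (udp[8:],)

def call_filter(stream, call_id):
    # Step 4 of the post, automated: media ports come from the call's own SDP,
    # SSRCs from the RTP seen on those ports, and the result is the display filter.
    pkts = list(udp_payloads(stream))
    ports = set().union(*(sdp_media_ports(d) for _, _, d in pkts if sip_call_id(d) == call_id))
    ssrcs = {rtp_ssrc(d) for s, t, d in pkts if {s, t} & ports} - {None}
    parts = [f"{field}=={s:#010x}" for s in sorted(ssrcs) for field in ("rtcp.senderssrc", "rtp.ssrc")]
    return " or ".join(parts + [f'sip.Call-ID=="{call_id}"'])

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(call_filter(f, sys.argv[2]))
```

Paste the printed filter into Wireshark, then Export Specified Packets with 'Displayed' selected, exactly as in step 5.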