This is our old Q&A Site. Please post any new questions and answers at

I have a specific RTP steam that --for whatever reason-- has ICMP packets that I do not want. Because of this I cannot properly decode the pcap and run the necessary scripts. What tshark command can be used to ensure that no ICMP (only UDP) packets are extracted from the raw initial packet capture?

I have attempted the following command to try and NOT read ICMP packets:

tshark -r raw.pcap -o rtp.heuristic_rtp:TRUE -2 -R rtp.ssrc==0x62bf9a1d -O "h264 && not icmp" -w h264.pcap

...initially I had h264 alone. I have tried other filters like "-2 -R !icmp", "-2 -R not icmp". These do not work. Anyone know how to do this? In fact, not just for ICMP, how can I make sure I am ONLY getting UDP?

asked 18 Feb '16, 17:27

testname0110's gravatar image

accept rate: 75%

The ICMP packets most likely are "Destination Port Unreachable" replies to received RTP traffic before the RTP/UDP port is available/open. Normal condition.

(18 Feb '16, 19:59) Rooster_50

The -O option only controls which protocols are expanded when displayed; it does not control which protocols are written to the output file or displayed. In fact, your usage of the -O option is wrong as it should be a comma-separated list of protocols you want expanded. See the tshark man page for more information.

To achieve what you desire, try the following:

tshark -r raw.pcap -o rtp.heuristic_rtp:TRUE -Y "udp and !icmp" -O "h264" -w h264.pcap
permanent link

answered 18 Feb '16, 19:21

cmaynard's gravatar image

cmaynard ♦♦
accept rate: 20%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 18 Feb '16, 17:27

question was seen: 3,735 times

last updated: 18 Feb '16, 19:59

p​o​w​e​r​e​d by O​S​Q​A