This is our old Q&A Site. Please post any new questions and answers at


i try to solve one problem.

I have one capture stream taken with tshark. In this file is many VOIP calls( SIP/RTP/G729 ).

In wireshark GUI i can do what i can, but when i try filter some call from cmd is there big problem.

When i use this:

tshark -r capturedfile -R "ip.src==" -w call.raw

I get right (SIP, UPD, TCP etc...) load in call.raw. But when i try to be more specific in -R option:

tshark -r capturedfile -R "ip.src== && rtp.ssrc==0x3A11" -w call.raw

i get all load in call.raw as UDP. I need to get RTP.

I use TShark 1.6.1 on GNU/Linux CentOS 6. Please anyone have some sugestion?

asked 04 Aug '11, 03:46

JamesBorg's gravatar image

accept rate: 0%

edited 04 Aug '11, 16:12

helloworld's gravatar image


Your filter probably excluded the call-setup packets from the trace file which Wireshark uses to know when to dissect UDP as RTP. Try setting the RTP preference "Try to decode RTP outside of conversations".

permanent link

answered 04 Aug '11, 05:53

JeffMorriss's gravatar image

JeffMorriss ♦
accept rate: 27%

thanks for ansver. I try something new :

tshark -r capturefile -R "ip.src== && udp.srcport==52140 && ip.dst== && udp.dstport==52382 && rtp.ssrc==0x9B0" -d udp.port==52140,rtp -w outstream

it is now work for me, but how can i save payload of rtp from outstream? In wireshark GUI i know (telephony -> rtp -> show all stream -> analize -> save payload) Question is how can I do this in cmd?

(04 Aug '11, 06:19) JamesBorg

That's really a new question which, coincidentally, is the same as this one.

(04 Aug '11, 06:34) JeffMorriss ♦

not same, but OK:). But no ansver there :(

(04 Aug '11, 07:00) JamesBorg

OK, sorry, sounded the same to me. Anyway, I think there's no answer because it's not possible--but I don't work with RTP.

(04 Aug '11, 07:07) JeffMorriss ♦

You can concatenate raw payloads and put them in a file. Note that this will not work all the time, for example if your RTP flow contains rfc2833/4733 DTMF or DTX packets. With the RTP preference "Try to decode RTP outside of conversations" enabled, use this :

tshark -n -r sip-rtp-g711a.pcap -R rtp -R 'rtp.ssrc == 0xd2bd4e3e' -T fields -e rtp.payload | tee payloads

You will see hexadecimal payloads. This output can then be converted to raw bytes using :

for payload in `cat payloads`; do IFS=:; for byte in $payload; do printf "\\x$byte" >> sound.raw; done; done
permanent link

answered 20 Nov '11, 09:03

guillaume%20teissier's gravatar image

guillaume te...
accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 04 Aug '11, 03:46

question was seen: 6,194 times

last updated: 20 Nov '11, 09:03

p​o​w​e​r​e​d by O​S​Q​A