I have a pcap file containing RTP over UDP packets.

Using tshark 2.0.2 I can decode this using:

    tshark -r capture.pcap -d udp.port==1-65535,rtp -Y ip.src==xxxx -T fields -e rtp.seq

Using 1.0.15 the decode fails, and though data is printed to screen, it is the undecoded UDP.

An obvious solution would be to upgrade tshark on the second system, but for various reasons this is problematic... is there any alternative?

asked 25 Oct '16, 01:14 dbrb2
One Answer:
It's probably in the settings; there's one called "Try to decode RTP outside of conversations" in the UI. You can also set this from the command line.

answered 25 Oct '16, 03:04 Jaap ♦

From one of your own answers, it is this, I guess: "-o rtp.heuristic_rtp:TRUE" (25 Oct '16, 03:06) koundi

Unfortunately this fails on some streams with older Wireshark. I will try to use a newer release... (25 Oct '16, 03:39) dbrb2
maybe this will help?
https://ask.wireshark.org/questions/10440/how-to-decode-the-udp-to-rtp-in-command-line
you might want to check this as well! https://ask.wireshark.org/questions/50226/how-to-decode-udp-as-rtp-tshark-only
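
Added example, not part of the original thread and not Wireshark code: one alternative when the installed tshark cannot be upgraded is to read the RTP sequence numbers straight from the UDP payloads. The function names, addresses and the in-memory sample capture are constructed for illustration, and the version-field test is a deliberately simple heuristic (any UDP payload whose first two bits are 10 passes), so filter by source address as in the question.

```python
import socket
import struct

def rtp_seqs(pcap, src_ip=None):
    """Return RTP sequence numbers found in UDP payloads of a classic pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected classic pcap with Ethernet link type")
    want = socket.inet_aton(src_ip) if src_ip else None
    seqs, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 only, no VLAN tag
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        frag = struct.unpack("!H", ip[6:8])[0] & 0x3FFF     # MF flag or offset set
        if ip[0] >> 4 != 4 or ip[9] != 17 or frag or (want and ip[12:16] != want):
            continue
        payload = ip[ihl + 8:]                               # skip 8-byte UDP header
        # RTP fixed header is 12 bytes; the top two bits of byte 0 are the version (2).
        if len(payload) >= 12 and payload[0] >> 6 == 2:
            seqs.append(struct.unpack("!H", payload[2:4])[0])
    return seqs

def build_sample():
    """Constructed capture: three RTP packets and one non-RTP UDP packet."""
    def pkt(src, payload):
        udp = struct.pack("!HHHH", 40000, 40002, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton("192.0.2.9"))
        frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + udp
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    def rtp(seq):
        return struct.pack("!BBHII", 0x80, 0, seq, 160 * seq, 0x1234) + b"\x00" * 20
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    out += pkt("192.0.2.1", rtp(1000)) + pkt("192.0.2.1", rtp(1001))
    out += pkt("192.0.2.1", b"\x00" * 16) + pkt("192.0.2.2", rtp(7))
    return out

if __name__ == "__main__":
    print(rtp_seqs(build_sample(), src_ip="192.0.2.1"))
```

To use it on a real file, pass `open("capture.pcap", "rb").read()`; pcapng captures and VLAN-tagged or IPv6 traffic are outside what this sketch handles.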