This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decoding UDP to RTP in old versions of tshark

0

I have a pcap file containing RTP over UDP packets. Using tshark 2.0.2 I can decode this using:

tshark -r capture.pcap -d udp.port==1-65535,rtp -Y ip.src==xxxx -T fields -e rtp.seq

Using 1.0.15 the decode fails, and though data is printed to screen, it is the undecoded UDP.

An obvious solution would be to upgrade tshark on the second system, but for various reasons this is problematic...is there any alternative?

asked 25 Oct '16, 01:14

dbrb2

(25 Oct '16, 02:54) koundi

One Answer:

0

It's probably in the settings; there's one called 'Try to decode RTP outside of conversations' in the UI. You can also set this from the command line.

answered 25 Oct '16, 03:04

Jaap ♦

From one of your own answers, it is this I guess: "-o rtp.heuristic_rtp:TRUE"

(25 Oct '16, 03:06) koundi

Unfortunately this fails on some streams with older Wireshark.

I will try to use a newer release...

(25 Oct '16, 03:39) dbrb2
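
An added example, not part of the original thread and not Wireshark code: where the installed tshark cannot be upgraded, the rtp.seq values can be read straight from the UDP payloads with a short standard-library Python script. It assumes a classic (non-pcapng) capture with Ethernet framing and IPv4, and treats any UDP payload whose first two bits are 2 as RTP, a simplification rather than Wireshark's own heuristic; the function names and the sample capture are constructed for illustration.

```python
import struct

def rtp_seqs(data, src_ip=None):
    """RTP sequence numbers of UDP payloads in a classic pcap (Ethernet + IPv4 only)."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None:
        raise ValueError("not a classic microsecond pcap (pcapng is not handled)")
    if struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    seqs, off = [], 24
    while off + 16 <= len(data):
        caplen = struct.unpack(order + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4 (VLAN tags are not handled)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 17:
            continue                      # malformed header or not UDP
        if struct.unpack("!H", ip[6:8])[0] & 0x3FFF:
            continue                      # IP fragment, no complete UDP datagram
        if src_ip and ".".join(map(str, ip[12:16])) != src_ip:
            continue
        rtp = ip[ihl + 8:]                # skip the 8-byte UDP header
        if len(rtp) < 12 or rtp[0] >> 6 != 2:
            continue                      # too short for RTP, or version is not 2
        seqs.append(struct.unpack("!H", rtp[2:4])[0])
    return seqs

def _packet(last_octet, payload):
    """Constructed Ethernet/IPv4/UDP frame with its pcap record header."""
    udp = struct.pack("!HHHH", 40000, 40002, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, last_octet]), bytes([10, 0, 0, 9]))
    frame = b"\x02" * 12 + b"\x08\x00" + ip + udp
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def _rtp(seq):
    """Constructed 12-byte RTP header: version 2, payload type 0."""
    return struct.pack("!BBHII", 0x80, 0, seq, 160 * seq, 0x1234)

# Constructed sample capture: RTP from 10.0.0.1 and 10.0.0.2, plus one non-RTP datagram.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + _packet(1, _rtp(100)) + _packet(1, _rtp(101)) + _packet(2, _rtp(7))
          + _packet(1, bytes(12)) + _packet(1, _rtp(102)))

if __name__ == "__main__":
    print(rtp_seqs(SAMPLE, "10.0.0.1"))
```

For a real file, pass `open("capture.pcap", "rb").read()` and the source address that the original command filtered on with ip.src.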