Wireshark mailing list archives

Re: tshark RTP decodes


From: Guy Harris <guy () alum mit edu>
Date: Mon, 3 Sep 2012 18:11:29 -0700


On Sep 3, 2012, at 5:48 PM, Joerg Mayer wrote:

On Sat, Sep 01, 2012 at 04:03:54PM +0000, Barry Constantine wrote:
I know how to redecode to RTP in UI, but would like to the same at command line and extract fields.
...
tshark -r rtp_call.pcap -o rtp.heuristic_rtp:TRUE -T fields -e rtp.seq
...
It accepts the -o option, but the rtp.seq field is displayed with no content.

Works for me here:
tshark -r rtp-only-test.pcap -o rtp.heuristic_rtp:TRUE -T fields -e rtp.seq

"rtp.heuristic_rtp:TRUE" turns on a heuristic; it's a bit of a weak heuristic, but it might still fail to recognize RTP 
packets.  Perhaps it's recognizing them in your capture but not in Barry's capture.

"redecode to RTP in UI", I suspect, means "use 'Decode As...'", which is a manual operation, so to do it purely from
the command line you'd first have to run TShark on the capture to try to figure out what ports are being used for RTP
traffic and then re-run TShark with the appropriate "-d" flag values.  If you want it done without that much user
interaction, the heuristic is about the best that can be done.

Barry, if that's what "redecode to RTP in UI" means, what happens if you *don't* use that and, instead, just enable the 
heuristic in the RTP preferences?  Does it recognize all the relevant packets as RTP?  If so, and it's not working in 
TShark, that's a weird bug; we'd need to see a capture on which it happens to try to figure it out.  If not, then the 
heuristic would need to be changed; when the packets *are* dissected as RTP, what are:

        the version number (0, 2, or other);

        the destination ports to which the packets are sent?
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
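The two-step procedure Guy describes (survey the capture for the ports carrying RTP, then re-run with "-d udp.port==N,rtp") and his two diagnostic questions (RTP version number and destination port) can be tried out offline. The example below is added here and is not code from the thread or from Wireshark: it parses the RFC 3550 fixed header, applies a simplified version-2/payload-type check standing in for what rtp.heuristic_rtp turns on (the exact rules are an assumption, not Wireshark's implementation), mimics what "-T fields -e rtp.seq" returns with and without the heuristic or a forced port, and prints the "-d" flags for the ports it finds. The packets are constructed inline; only the UDP payload and destination port are modelled, not a pcap file.

```python
"""Added example, not from the mailing-list thread or Wireshark.

Models why `-T fields -e rtp.seq` can come back empty: the field only exists
for packets the RTP dissector actually claimed, either via the heuristic
(rtp.heuristic_rtp:TRUE) or via a forced "Decode As" (-d udp.port==N,rtp).
"""
import struct

RTP_VERSION = 2
# Payload types 72..76 collide with RTCP packet types 200..204 (RFC 3550 s5.1),
# so a heuristic refusing them avoids mis-claiming RTCP as RTP.
RTCP_PT_CONFLICT = range(72, 77)


def parse_rtp_header(payload: bytes):
    """Parse the 12-byte RTP fixed header; None if the payload is too short."""
    if len(payload) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    return {
        "version": b0 >> 6,
        "padding": bool(b0 & 0x20),
        "extension": bool(b0 & 0x10),
        "csrc_count": b0 & 0x0F,
        "marker": bool(b1 & 0x80),
        "payload_type": b1 & 0x7F,
        "seq": seq,
        "timestamp": ts,
        "ssrc": ssrc,
    }


def heuristic_is_rtp(payload: bytes) -> bool:
    """Simplified stand-in for the RTP heuristic (assumption, not Wireshark's code)."""
    hdr = parse_rtp_header(payload)
    if hdr is None or hdr["version"] != RTP_VERSION:
        return False
    if hdr["payload_type"] in RTCP_PT_CONFLICT:
        return False
    # CSRC list must fit in the payload.
    return len(payload) >= 12 + 4 * hdr["csrc_count"]


def rtp_seq_field(packets, decode_as_ports=frozenset(), heuristic=False):
    """Mimic `tshark -T fields -e rtp.seq`: one entry per packet, None where
    the packet was not dissected as RTP (tshark prints an empty field there)."""
    out = []
    for dst_port, payload in packets:
        claimed = dst_port in decode_as_ports or (heuristic and heuristic_is_rtp(payload))
        hdr = parse_rtp_header(payload) if claimed else None
        out.append(hdr["seq"] if hdr else None)
    return out


def survey(packets):
    """Per packet: destination port, RTP version field, and whether the heuristic claims it."""
    rows = []
    for dst_port, payload in packets:
        hdr = parse_rtp_header(payload)
        rows.append({
            "dst_port": dst_port,
            "version": hdr["version"] if hdr else None,
            "heuristic": heuristic_is_rtp(payload),
        })
    return rows


def decode_as_flags(ports) -> str:
    """Build the tshark arguments that force RTP dissection on the given UDP ports."""
    return " ".join(f"-d udp.port=={p},rtp" for p in sorted(ports))


def build_packet(version: int, pt: int, seq: int, ssrc: int = 0x12345678) -> bytes:
    """Construct a minimal RTP-shaped UDP payload (constructed test data)."""
    b0 = (version << 6) & 0xFF
    return struct.pack("!BBHII", b0, pt, seq, seq * 160, ssrc) + b"\xd5" * 20


# Constructed sample: (UDP destination port, UDP payload).
SAMPLE_PACKETS = [
    (5004, build_packet(2, 0, 1000)),   # version 2: heuristic claims these
    (5004, build_packet(2, 0, 1001)),
    (5004, build_packet(2, 0, 1002)),
    (6000, build_packet(0, 0, 7)),      # version 0: heuristic leaves these alone
    (6000, build_packet(0, 0, 8)),
    (53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www"),  # not RTP at all
]

if __name__ == "__main__":
    print("no heuristic, no -d :", rtp_seq_field(SAMPLE_PACKETS))
    print("heuristic only      :", rtp_seq_field(SAMPLE_PACKETS, heuristic=True))
    for row in survey(SAMPLE_PACKETS):
        print(row)
    ports = {r["dst_port"] for r in survey(SAMPLE_PACKETS) if r["dst_port"] != 53}
    print("forced:", decode_as_flags(ports),
          rtp_seq_field(SAMPLE_PACKETS, decode_as_ports=ports))
```

On a real capture the survey step is just tshark itself, e.g. `tshark -r rtp_call.pcap -T fields -e udp.dstport | sort | uniq -c`, after which the ports you believe carry media go into the "-d udp.port==N,rtp" arguments. Forcing a port makes the dissector claim every packet on it regardless of the version field, which is why the version-0 flow above yields a seq value only in the forced run; whether that value is meaningful for non-version-2 traffic is a separate question.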
