Tags: ffmpeg, rtsp, rtp, tshark, pcap-ng

How To Extract RTP Packet Specific Fields From Wireshark Capture?


I have a PCAPNG file and I need to get the RTP packets from it. Specifically, one of my RTP packets looks like...

Frame N: X bytes on wire...

  • Ethernet II, Src: ...
  • IPv4, Src: ...
  • TCP, Src Port: rtsp ...
  • RTSP Interleaved Frame, Channel: 0x02, 163 bytes
  • Real-Time Transport Protocol

...and what I need from each packet is...

  1. The channel from the RTSP interleaved frame
  2. The length from the RTSP interleaved frame
  3. The payload from the RTP

...using this data, I will re-create an audio and video file to re-construct the full video from a local payload (playback is not streaming).

I am able to successfully get the RTP packets using either...

tshark -r my.pcap -R -T fields -e rtp.payload -w rtp.out

or...

tshark -r my.pcap -R -T fields -e rtp.payload > rtp.out

...but the problem I am having is that the first method will save everything I need, but for some reason it will add extra data (i.e. more than just the RTP payload and RTSP interleaved frame contents) in strange places... which is preventing me from writing a program to produce the data I need to test. I attempted to remove all the extra data using several regular expressions, but there are too many different scenarios that overlap onto other valid scenarios.

The second method will provide only the RTP payload without the interleaved properties I need (it will produce the hex with a colon between each byte, but that is easily handled). Even if I could make another call to get all the RTSP interleaved frame properties, I am going to need to combine the 2 outputs by identifying each packet using a separator / delimiter, which I'd like to avoid (I couldn't get tshark to do that either...).

I looked into the tshark read filters, which seem like they should be able to do what I need, but so far I haven't been able to figure it out. Note that I am only doing this to create sample data and write the logic that formats the data required for playback. Eventually one of my co-workers will modify the streaming client to capture the data in the appropriate format (so I can simply run the data through ffmpeg without modifying it). Any ideas of how I can create the format I need?


Solution

  • the problem I am having is that the first method will save everything I need, but for some reason it will add extra data (i.e. more than just the RTP payload and RTSP interleaved frame contents) in strange places

    The first method:

    tshark -r my.pcap -R -T fields -e rtp.payload -w rtp.out
    

    should print an error, as the -R flag specifies a "read filter", and the read filter must come after the -R flag and must not begin with a - (if what follows -R begins with a -, it is interpreted as another flag), so that command does not specify a "read filter".

    If you meant, for example,

    tshark -r my.pcap -R rtp -T fields -e rtp.payload -w rtp.out
    

    that command uses the -w flag, which specifies that a binary file containing the raw packet data from my.pcap, possibly as filtered by the read filter, should be written to the file whose name is the argument to the -w flag. So that command means "write, to the file named rtp.out, all the RTP packets in my.pcap, and also write the rtp.payload field of each packet to the standard output". There is, unfortunately, a bug in TShark that suppresses the output of the rtp.payload fields to the standard output; I've just checked in a bug fix for that.

    So if you want the fields to be written to a file, you must redirect the standard output, so your second method is correct.

    I looked into the tshark read filters, which seem like they should be able to do what I need

    No. Read filters only control which packets TShark, when reading the capture file, bothers to process, rather than discarding after dissecting them.

    What you'd want would be the flags

    -e rtsp.channel -e rtsp.length
    

    but, unfortunately, those are only supported by the current 1.11.x development versions of Wireshark, not by the 1.10.x or earlier versions. I don't know which of the 1.11.x releases support them; the nightly builds will support them.
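The answer's `-T fields -e rtsp.channel -e rtsp.length -e rtp.payload` approach gives one line per frame, which still has to be turned into per-channel payload streams. The script below is an added example, not code from the question or the answer, that does that post-processing. It assumes the fields were produced with a tab separator and all occurrences per frame (`tshark -r my.pcapng -Y rtp -T fields -E separator=/t -E occurrence=a -e frame.number -e rtsp.channel -e rtsp.length -e rtp.payload > fields.tsv`; `-Y` is the display-filter flag in builds that have the rtsp.channel/rtsp.length fields), that the RTSP interleaved length covers the whole RTP packet including its 12-byte fixed header, and that byte fields may be printed either colon-separated (`01:02:03`) or as a plain hex string, depending on the tshark version. The sample input is constructed, not a real capture.

```python
"""Turn `tshark -T fields` output into per-channel RTP payload streams.

Added example (not from the original post). Assumed invocation:
    tshark -r my.pcapng -Y rtp -T fields -E separator=/t -E occurrence=a \
        -e frame.number -e rtsp.channel -e rtsp.length -e rtp.payload > fields.tsv
"""
import sys
from collections import defaultdict
from dataclasses import dataclass

RTP_FIXED_HEADER_LEN = 12  # RTP header without CSRCs/extension (RFC 3550)


@dataclass(frozen=True)
class InterleavedRecord:
    frame: int      # Wireshark frame number
    channel: int    # RTSP interleaved channel (e.g. 0x00 audio, 0x02 video)
    length: int     # RTSP interleaved length: RTP header + payload
    payload: bytes  # rtp.payload bytes (the dissector strips the RTP header)


def _parse_int(text: str) -> int:
    # hex-displayed fields come out as "0x02", decimal ones as "163"
    text = text.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def _parse_hex_bytes(text: str) -> bytes:
    # older builds join bytes with ":", newer ones print a plain hex string
    return bytes.fromhex(text.strip().replace(":", ""))


def parse_fields_output(text: str):
    """Parse tab-separated tshark output; return (records, rejected).

    rejected is a list of (frame_number, reason). A frame is rejected when
    its channel/length/payload occurrence counts do not line up (for example
    an RTCP frame sharing a TCP segment with an RTP frame, where rtp.payload
    has fewer occurrences than rtsp.channel), or when length is smaller than
    12 + len(payload), which cannot be a valid RTP packet.
    """
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != 4:
            rejected.append((None, f"expected 4 columns, got {len(cols)}"))
            continue
        frame_s, chan_s, len_s, pay_s = cols
        frame = int(frame_s)
        chans = [c for c in chan_s.split(",") if c]
        lens = [n for n in len_s.split(",") if n]
        pays = [p for p in pay_s.split(",") if p]
        if not (len(chans) == len(lens) == len(pays)):
            rejected.append((frame, "occurrence count mismatch"))
            continue
        for c, n, p in zip(chans, lens, pays):
            rec = InterleavedRecord(frame, _parse_int(c), _parse_int(n),
                                    _parse_hex_bytes(p))
            if rec.length < RTP_FIXED_HEADER_LEN + len(rec.payload):
                rejected.append((frame, "interleaved length too small for RTP"))
                continue
            records.append(rec)
    return records, rejected


def split_by_channel(records):
    """Concatenate payloads per interleaved channel, in capture order."""
    streams = defaultdict(bytearray)
    for rec in records:
        streams[rec.channel] += rec.payload
    return {ch: bytes(b) for ch, b in streams.items()}


def write_streams(streams, prefix="rtp_ch"):
    """Write one raw payload file per channel, e.g. rtp_ch2.bin."""
    for ch, data in streams.items():
        with open(f"{prefix}{ch}.bin", "wb") as fh:
            fh.write(data)


# Constructed sample in the shape of tshark -T fields output: a plain frame,
# a newer-style hex string, two RTP packets in one TCP segment, a segment
# with mismatched occurrence counts, and a length too small for an RTP header.
SAMPLE = "\n".join([
    "12\t0x02\t16\t01:02:03:04",
    "13\t0x00\t15\t0a0b0c",
    "14\t0x02,0x02\t17,14\t05:06:07:08:09,aa:bb",
    "15\t0x03,0x02\t20,16\t01:02:03:04",
    "16\t0x02\t10\t01:02:03",
])

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    recs, bad = parse_fields_output(text)
    for ch, data in split_by_channel(recs).items():
        print(f"channel {ch}: {len(data)} payload bytes")
    for frame, why in bad:
        print(f"frame {frame} skipped: {why}", file=sys.stderr)
```

Run it as `python3 extract.py fields.tsv` to get one raw file per channel; without an argument it runs on the constructed sample. Note that rtp.payload is only the payload, so the files contain no RTP headers; the length check is there precisely because the interleaved length includes that header and a record that fails it came from something other than a well-formed RTP packet.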