Ethereal-users: Re: [Ethereal-users] Tethereal - how to save decode with -w option

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Guy Harris" <gharris@xxxxxxxxx>
Date: Fri, 24 Feb 2006 14:32:00 -0800 (PST)
John Ciukaj (jciukaj) wrote:
> Using tethereal, I have been unable to get the decoded RTP packets to be
> written to a libpcap file suitable for re-input to the ethereal GUI.
>
> In the example below, the RTP packets are decoded from the 'original'
> udp libpcap file.  I want to save the decoded RTP stream to a new
> libpcap file but the file that is saved ends up being a copy of the
> original.  How do I do this?

Unfortunately, you can't.  There's nothing in a libpcap file to specify,
for example, that traffic to and from UDP port 30000 should be dissected
as RTP; that's why tcpdump has the "-T" flag, Tethereal has the "-d" flag,
and Ethereal has the "Decode As" menu item.

A capture file doesn't have decoded packets, it just has raw packets, so
there's no notion of saving decoded packets.

You could try enabling the RTP protocol preference "Try to decode RTP
outside of conversations", which enables the "heuristic" RTP dissector. 
That might recognize your packets as RTP packets and decode them.  (It
might also conceivably recognize *non*-RTP packets as RTP packets and
*mis*-dissect them.  That's the way heuristics are....)
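The point of the reply can be seen directly in the file format. The following Python example is added here; it is not code from this thread or from the Ethereal/Tethereal project. It builds a small libpcap file in memory (all addresses, ports and payload bytes are constructed for the example), walks the global header and the per-packet record headers to show that neither carries any protocol annotation, and then applies a "decode as" table and a version-bit heuristic on the reading side, the way a dissector does. Writing the records back out reproduces the original bytes exactly, which is why `-w` after `-d` yields a copy of the input. The `decode_as` mapping, the `looks_like_rtp` heuristic and the function names are this example's own, not Tethereal's.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1

def build_rtp_header(seq, ts, ssrc, payload_type=0):
    # RFC 3550 fixed header with V=2, P=0, X=0, CC=0 -> first byte 0x80
    return struct.pack("!BBHII", 0x80, payload_type, seq, ts, ssrc)

def build_udp_frame(src_port, dst_port, payload):
    # Ethernet II + IPv4 (no options) + UDP; constructed values, checksums left zero
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + udp

def build_pcap(frames):
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype.
    # Those seven fields are all there is; no field can name a protocol for a port.
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        # Record header: ts_sec, ts_usec, incl_len, orig_len, then the raw frame bytes
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def read_pcap(data):
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("unexpected magic or byte order")
    records, off = [], 24
    while off < len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        records.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, records

def parse_udp(frame):
    # Assumes Ethernet/IPv4/UDP as built above; returns (src_port, dst_port, payload)
    ihl = (frame[14] & 0x0F) * 4
    udp = frame[14 + ihl:]
    src, dst, length, _cksum = struct.unpack("!HHHH", udp[:8])
    return src, dst, udp[8:length]

def parse_rtp(payload):
    b0, pt, seq, ts, ssrc = struct.unpack("!BBHII", payload[:12])
    return {"version": b0 >> 6, "marker": pt >> 7, "payload_type": pt & 0x7F,
            "seq": seq, "timestamp": ts, "ssrc": ssrc}

def looks_like_rtp(payload):
    # Heuristic in the spirit of "Try to decode RTP outside of conversations":
    # accept any 12+ byte payload whose version bits are 2. Unrelated traffic
    # whose first byte happens to start with binary 10 passes too, hence the
    # mis-dissection caveat in the reply above.
    return len(payload) >= 12 and payload[0] >> 6 == 2

def dissect(data, decode_as=None, heuristic=False):
    # decode_as maps a UDP port to a protocol name, standing in for "-d udp.port==N,rtp".
    # The table lives here, in the reader, not in the file.
    decode_as = decode_as or {}
    results = []
    for _sec, _usec, frame in read_pcap(data)[1]:
        src, dst, payload = parse_udp(frame)
        proto = decode_as.get(dst) or decode_as.get(src)
        if proto is None and heuristic and looks_like_rtp(payload):
            proto = "rtp"
        if proto == "rtp":
            results.append(("rtp", parse_rtp(payload)))
        else:
            results.append(("udp", payload))
    return results

def rewrite(data):
    # What "-r in.pcap -w out.pcap" can do: copy the raw records back out unchanged.
    return build_pcap([frame for _s, _u, frame in read_pcap(data)[1]])

def sample_capture():
    # Constructed: one real-looking RTP datagram to port 30000, and one non-RTP
    # datagram to port 5000 whose first byte (0x80) also satisfies the heuristic.
    rtp_frame = build_udp_frame(40000, 30000, build_rtp_header(7, 160, 0xDEADBEEF))
    other_frame = build_udp_frame(40001, 5000, b"\x80\x01\x00\x01ABCDEFGH")
    return build_pcap([rtp_frame, other_frame])

if __name__ == "__main__":
    cap = sample_capture()
    print("plain read:", [kind for kind, _ in dissect(cap)])
    print("decode-as 30000:", dissect(cap, decode_as={30000: "rtp"})[0])
    print("heuristic:", [kind for kind, _ in dissect(cap, heuristic=True)])
    print("rewrite identical:", rewrite(cap) == cap)
```

Run without options and both records come back as opaque UDP payloads; add the port-30000 mapping and the first record is dissected as RTP with sequence number 7; turn on the heuristic and the second record is reported as RTP as well, although it is not. In every case `rewrite()` produces a byte-identical file, because the dissection result was never part of what gets written.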