Wireshark-users: [Wireshark-users] Is there a tshark option to save just RTP Header?
Hi to all.
Is it possible to control what information is being saved by tshark into 
the output capture file? For instance, if tshark is using the display 
filter '-R "sip or rtp"' to capture SIP and RTP packets, can I tell 
tshark just to write out the RTP header only (along with SIP packets) to 
the output file? Currently, I assume I would have to run two captures: 
one for SIP packets and a second for RTP with the snaplen option set to 
54 to truncate those RTP (UDP) packets, and then later merge the two 
captures back together. I would like to be able to do this from one 
capture session (better on CPU usage).
I assume tshark does not support this capability, which leads me to the 
next question. If I (or someone else) were to implement this capability 
(to contribute back), where would the best place be to add it? Could I 
add it as a preference within the RTP dissector (something like '-o 
rtp.clear_payload:TRUE')? Then from the RTP dissector, just manipulate 
the tvb->real_data buffer or tvb->length based upon the preference 
setting (it could simply zero out the RTP payload, or maybe even modify the 
UDP/RTP lengths, etc.). It looks like dissect_packet() passes a pointer 
to the original packet data and not to a copied buffer, so it looks 
feasible.
We (as a telecom vendor) really have a need for this kind of capability 
since several telecom operators are becoming reluctant to send us their 
entire SIP/RTP packets due to increasing privacy concerns. And we really 
don't need the RTP payload captured unless we're diagnosing Voice 
Quality/Encoding problems. In most cases, the RTP header is enough for 
debugging most signaling problems.
Any comments, concerns?
Thanks in advance,
Kerry Foster
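The post describes two ways to get header-only RTP into a capture: truncating with a 54-byte snaplen at capture time (Ethernet 14 + IPv4 20 + UDP 8 + RTP 12 bytes) and a dissector preference that also rewrites the UDP/IP lengths. The script below is an added example, not Wireshark or tshark code and not something the poster wrote: it post-processes a classic libpcap file, keeps SIP datagrams whole, cuts every RTP datagram down to its RTP header (fixed 12 bytes plus any CSRC identifiers), and then rewrites the IPv4 total length, IPv4 checksum and UDP length so the result dissects as a well-formed short datagram rather than a truncated frame. Assumptions made here: Ethernet II / IPv4 / UDP only, SIP identified by port 5060, and RTP identified by the version-2 bits in the first byte; the sample capture it builds is constructed in memory for the example.

```python
"""Strip RTP payloads from a libpcap file while leaving SIP intact (added example)."""
import struct

SIP_PORT = 5060          # assumption: SIP signalling on the standard UDP port
RTP_FIXED_HEADER = 12    # RFC 3550 fixed header; each CSRC adds 4 bytes


def ip_checksum(hdr) -> int:
    """RFC 1071 ones-complement sum over an IPv4 header (even length)."""
    total = 0
    for i in range(0, len(hdr), 2):
        total += (hdr[i] << 8) + hdr[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def is_rtp(payload: bytes) -> bool:
    """Heuristic (assumption): version bits == 2 and the fixed header is present."""
    return len(payload) >= RTP_FIXED_HEADER and (payload[0] >> 6) == 2


def rtp_header_len(payload: bytes) -> int:
    return RTP_FIXED_HEADER + 4 * (payload[0] & 0x0F)   # CC field counts CSRCs


def strip_frame(frame: bytes) -> bytes:
    """Return the frame unchanged unless it is a non-SIP UDP datagram carrying RTP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # Ethernet II + IPv4 only
        return frame
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] != 17:                           # protocol 17 = UDP
        return frame
    udp_off = ip_off + ihl
    if len(frame) < udp_off + 8:
        return frame
    sport, dport, _, _ = struct.unpack_from("!HHHH", frame, udp_off)
    if SIP_PORT in (sport, dport):
        return frame                                      # SIP stays whole
    payload = frame[udp_off + 8:]
    if not is_rtp(payload):
        return frame
    keep = rtp_header_len(payload)
    if len(payload) <= keep:
        return frame
    new_udp_len = 8 + keep
    buf = bytearray(frame[:udp_off + new_udp_len])
    struct.pack_into("!H", buf, ip_off + 2, ihl + new_udp_len)   # IPv4 total length
    struct.pack_into("!H", buf, ip_off + 10, 0)                   # clear, then recompute
    struct.pack_into("!H", buf, ip_off + 10, ip_checksum(buf[ip_off:ip_off + ihl]))
    struct.pack_into("!H", buf, udp_off + 4, new_udp_len)         # UDP length
    struct.pack_into("!H", buf, udp_off + 6, 0)                   # UDP checksum optional on IPv4
    return bytes(buf)


def strip_rtp_payload(pcap: bytes) -> bytes:
    """Rewrite every record of a classic pcap file through strip_frame()."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic libpcap file")
    out = bytearray(pcap[:24])
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, caplen, _ = struct.unpack_from(end + "IIII", pcap, off)
        frame = strip_frame(pcap[off + 16:off + 16 + caplen])
        off += 16 + caplen
        # caplen == len: the datagram is now consistent, not a truncated capture
        out += struct.pack(end + "IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return bytes(out)


def frames_of(pcap: bytes) -> list:
    """Return the frame bytes of each record (little-endian pcap assumed here)."""
    frames, off = [], 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        frames.append(pcap[off + 16:off + 16 + caplen])
        off += 16 + caplen
    return frames


# --- constructed sample input ---------------------------------------------
SIP_MSG = b"INVITE sip:bob@example.com SIP/2.0\r\n\r\n"
RTP_PKT = struct.pack("!BBHII", 0x80, 0, 1, 160, 0xDEADBEEF) + b"\xff" * 160  # PCMU, 160 samples


def build_udp_frame(sport: int, dport: int, payload: bytes) -> bytes:
    udp_len = 8 + len(payload)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0,
                               64, 17, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"))
    struct.pack_into("!H", ip, 10, ip_checksum(ip))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    return eth + bytes(ip) + udp + payload


def build_sample_pcap() -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    out = bytearray(hdr)
    for i, f in enumerate([build_udp_frame(5060, 5060, SIP_MSG),
                           build_udp_frame(20000, 20002, RTP_PKT)]):
        out += struct.pack("<IIII", 1700000000, i, len(f), len(f)) + f
    return bytes(out)


if __name__ == "__main__":
    before, after = build_sample_pcap(), strip_rtp_payload(build_sample_pcap())
    print([len(f) for f in frames_of(before)], "->", [len(f) for f in frames_of(after)])
```

On real input, read the file tshark wrote (`tshark -w out.pcap -f "udp"` or similar) and pass its bytes to `strip_rtp_payload()` before handing the capture to a third party; the RTP frame in the constructed sample shrinks from 214 bytes to exactly the 54 bytes the snaplen workaround would keep, but with the IP and UDP length fields made consistent so the dissector does not flag the packet as truncated.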