Wireshark-users: Re: [Wireshark-users] Is there a tshark option to save just RTP Header?
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 31 May 2007 17:41:57 -0700

On May 3, 2007, at 2:29 PM, Kerry L Foster wrote:

> Is it possible to control what information is being saved by tshark into
> the output capture file? For instance, if tshark is using the display
> filter '-R "sip or rtp"' to capture SIP and RTP packets, can I tell
> tshark just to write out the RTP header-only (along with SIP packets) to
> the output file?

No.

> Currently, I assume I would have to run two captures;
> one for SIP packets and a second for RTP with the snaplen option set to
> 54 to truncate those RTP (UDP) packets. And then later merge the two
> captures back together. I would like to be able to do this from one
> capture session (better on CPU usage).

If by "CPU usage" you mean CPU usage during the capture, you would probably be best advised not to do any censoring in the capture process, and do the censoring as a post-processing operation.

> I assume tshark does not support this capability which leads me to the
> next question. If I (or someone else) were to implement this capability
> (to contribute back), where would the best place be to add it? Could I
> add it as a preference within the RTP dissector (something like '-o
> rtp.clear_payload:TRUE')? Then from the RTP dissector, just manipulate
> the tvb->real_data buffer or tvb->length

Manipulating tvbuffs, or their contents, in place is not allowed in dissectors (dissectors must treat them as read-only, as they have no idea what other code might expect the tvbuff to be unchanged). The real_data pointer is a const pointer by design and intent - it's *supposed* to keep you from modifying it.

You would be best advised to implement this as a tap. The tap could take a file name as an argument, and use the calls in the Wiretap library (in the "wiretap" subdirectory) to write out a new capture file. The "edt" argument to the tap points to an epan_dissect_t structure, one of the members of which is a tvbuff_t. You can *copy* the data from that tvbuff, modify it, and write that data out. The pinfo structure can be used to find time stamps, etc. The "tree" member of the epan_dissect_t can be used to find out where the payload is in the packet, so you know where to start zeroing out the data in the copy. If no RTP payload is found, just write out the uncensored data.

Note, however, that, if an RTP packet is contained in a UDP datagram that's inside a *fragmented* IP datagram, the tap will be called with an epan_dissect_t structure with a tvbuff that refers to the *last fragment* of the datagram. There is currently no infrastructure sufficient to support "censoring" reassembled packets.

Given the limitations of the current infrastructure, you might be best advised to implement this as a plugin tap, rather than as something that's part of the Wireshark code base.
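The censoring step Guy describes (copy the packet, find where the RTP payload starts, zero from there, and leave fragmented datagrams and non-RTP packets untouched) as an added stand-alone C example; this is not code from the thread or from Wireshark, and it parses the headers itself instead of walking the dissector tree. It assumes an Ethernet/IPv4/UDP frame and uses a constructed sample packet; the helper names are invented for the example. Note that it also handles CSRC lists and RTP header extensions, which is why a fixed snaplen of 54 (14 + 20 + 8 + 12) only keeps the whole RTP header in the simplest case.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample frame (not a real capture): Ethernet + IPv4 (DF, no
 * options) + UDP + RTP v2 (no CSRC/extension) + 4 payload bytes of 0xaa. */
const uint8_t sample_pkt[] = {
    0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00,                       /* Ethernet */
    0x45,0x00, 0x00,0x2c, 0x00,0x01, 0x40,0x00, 0x40,0x11,     /* IPv4 */
    0x00,0x00, 10,0,0,1, 10,0,0,2,                             /* csum,src,dst */
    0x13,0x8c, 0x13,0x8c, 0x00,0x18, 0x00,0x00,                /* UDP 5004 */
    0x80,0x00, 0x00,0x01, 0x00,0x00,0x00,0xa0, 0xde,0xad,0xbe,0xef, /* RTP */
    0xaa,0xaa,0xaa,0xaa                                        /* payload */
};

/* Byte offset where the RTP payload starts, or 0 when the frame is not an
 * unfragmented IPv4/UDP/RTPv2 packet (caller then writes it out unchanged). */
size_t rtp_payload_offset(const uint8_t *p, size_t len)
{
    size_t off = 14;                                     /* Ethernet header */
    if (len < off + 20 || p[12] != 0x08 || p[13] != 0x00) return 0;
    size_t ihl = (p[off] & 0x0f) * 4;
    if ((p[off] >> 4) != 4 || ihl < 20 || len < off + ihl + 8) return 0;
    if (p[off + 9] != 17) return 0;                      /* not UDP */
    uint16_t frag = (uint16_t)(p[off + 6] << 8 | p[off + 7]);
    if (frag & 0x3fff) return 0;                         /* MF or offset: fragment */
    off += ihl + 8;                                      /* skip IP + UDP headers */
    if (len < off + 12 || (p[off] >> 6) != 2) return 0;  /* RTP version 2 */
    int has_ext = p[off] & 0x10;
    off += 12 + 4 * (p[off] & 0x0f);                     /* fixed header + CSRCs */
    if (has_ext) {                                       /* header extension, RFC 3550 5.3.1 */
        if (len < off + 4) return 0;
        off += 4 + 4 * (size_t)(p[off + 2] << 8 | p[off + 3]);
    }
    return off <= len ? off : 0;
}

/* Copy the frame into out (>= len bytes) and zero everything after the RTP
 * header, as a tap would before handing the copy to wiretap. Returns the
 * number of bytes zeroed; 0 means the copy is identical to the input. */
size_t censor_rtp_payload(const uint8_t *p, size_t len, uint8_t *out)
{
    memcpy(out, p, len);
    size_t off = rtp_payload_offset(p, len);
    if (off == 0) return 0;
    memset(out + off, 0, len - off);
    return len - off;
}
```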