I want to make audio data from a Pcap file with Tshark.
I have successfully created audio data from a Pcap file using Wireshark in RTP analysis function.
This Pcap file is created from a VoIP phone conversation.
Next time I want to do the same thing with Tshark.
What command would do that?
I read the Tshark manual to find out how.
but couldn't find it.
do i need any tools?
On Linux, extracting the RTP packets from PCAP file is possible with tshark together with shell tools tr and xxd, but then you might need other tools to convert to an audio format.
If you have a single call recording in the pcap, so all rtp packets belong to it, try with:
tshark -n -r call.pcap -2 -R rtp -T fields -e rtp.payload | tr -d '\n',':' | xxd -r -ps >call.rtp
If the pcap has the recordings from many calls, then you have to identify the calls and their RTP streams by source/destination IPs or SSRC and build the filter accordingly, for example if SSRC is 0x7f029328:
tshark -n -r call.pcap -2 -R rtp -R "rtp.ssrc == 0x7f029328" -T fields -e rtp.payload | tr -d '\n',':' | xxd -r -ps >call.rtp
Tools like sox or ffmpeg can be used to convert from call.rtp file to wav format, depending on the codec that was used in the call. If the codec was G711u (PCMU) with sample rate 8000:
sox -t ul -r 8000 -c 1 call.rtp call.wav
The audio formats supported by sox are listed by sox -h. The ffmpeg might be needed for codecs such as G729 or G722, example for G722 with sample rate 16000:
ffmpeg -f g722 -i call.rtp -acodec pcm_s16le -ar 16000 -ac 1 call.wav
These guidelines are from some brief notes I made during the past when I had similar needs, hope they are good and still valid nowadays, or at least provide the right direction to explore further.
Related
I am trying to Convert the *.rtpdump file, created by Wireshark into wav file by Sox.
In Wireshark the original file is played without any tatering sound in the audio file, but when I convert it to wav file via SOX (on Windows), there is continuous tatering sound throughout the clip and the actual voice remains in background.
I tried the u-law encoding, a-law and others, the best it can get is with u-law, but it's also not so much audible. I tried the lowpass, gain, treble things but that also is not helping, changing channels, bit rate and other options make it worse.
Tried many things but tatering is not going
sox.exe -t raw -r 8000 -e u-law -c 1 66.rtpdump -t wav d:\out.wav -V
sox.exe -t raw -r 8000 -e a-law -c 1 66.rtpdump -t wav d:\out.wav -V
The first few bytes within each packet are causing this tatering sound.
I removed these bytes and the combined all the packets without these bytes to create a tatering free sound.
Using tcpdump, I am capturing network traffic. I am interested in extracting the actual TCP payload data, i.e. HTTP traffic in my particular case.
I tried to achieve that using scapy, but I only found function remove_payload(). Is there a corresponding counterpart? Or do you know of any other tools that provide such functionality?
Unfortunately, I did not find a satisfactory scapy documentation.
You can read a pcap with Scapy easily with rdpcap, you can then use the Raw (right above TCP) layer of your packets to play with HTTP content:
from scapy.all import *
pcap = rdpcap("my_file.pcap")
for pkt in pcap:
if Raw in pkt:
print pkt[Raw]
In case other users might have similar questions: I ended up using the following script:
infile=infile.pcap
outfile=outfile
ext=txt
rm -f ${outfile}_all.${ext}
for stream in $(tshark -nlr $infile -Y tcp.flags.syn==1 -T fields -e tcp.stream | sort -n | uniq | sed 's/\r//')
do
echo "Processing stream $stream: ${outfile}_${stream}.${ext}"
tshark -nlr $infile -qz "follow,tcp,raw,$stream" | tail -n +7 | sed 's/^\s\+//g' | xxd -r -p | tee ${outfile}_${stream}.${ext} >> ${outfile}_all.${ext}
done
In order to extract the RTP payload from a pcap file captured by wireshark, I'm using tshark with the command
tshark -nr stream.pcap -i wlan1 -R 'rtp && ip.dst==192.168.1.64' -T fields -e rtp.payload
this succeeded with the codecs g.729 and ilbc but with the codec g.723 it wasn't the case. I think that this problem is due to the fact that the field payload of the rtp protocol doesn't exist any more (when consulting the wireshark).
Any idea of how to extract the payload of the codec g.723?
I did it this way:
used rtpxtract.pl from
here
then used ffmpeg to convert it to format user can listen to. like MP3.
ffmpeg -f g723_1 -i ${infile} ${outfile}.mp3
to solve this problem you have just to disable the protocol g723 in wireshark in the item Enabled Protocols from the Analyze menu then the field "payload" will appear in the protocol rtp and the command
tshark -nr stream.pcap -i wlan1 -R 'rtp && ip.dst==192.168.1.64' -T fields -e rtp.payload
will succeed!
I need to have some statics (for test purpose ) on syn packet that was recieved.
I got lost with the available tools - ethreal. tshark.tcpdumt.
I want the simple tool that will not dump the complete packet only by pattern (in my case only ip, but some case i will also need payload) .
Which one from the above (or another) do the job?
If you have some patient i will be tankful for you to reference about the differences between them. didnt find good one.
I am running on Ubuntu.
The tool and the filter and the pattern all need to be from command line.
pattern can be - ip.src ip.payload
Thank you
The following tcpdump command will save all the packets to a file which have the SYN flag set and are sent to the IP address stored in the environmental variable MYIP:
MYIP=172.16.1.2
sudo tcpdump -w /tmp/syn_packets "tcp[tcpflags] & tcp-syn != 0 and dst $MYIP"
List of unique host/ports from the dump can be listed with the following command:
tcpdump -nr /tmp/syn_packets |cut -d " " -f 3 |uniq
List of packet counts per host/port can be listed with the following command:
tcpdump -nr /tmp/syn_packets |cut -d " " -f 3 |uniq -c
The packet contents will be stored in the tmp file. You can see a hex dump of the packet data with the -x option:
tcpdump -xr /tmp/syn_packets
You can dump the contents of packets from specific IPs with the following command:
REMOTEIP=6.6.6.6
tcpdump -xr /tmp/syn_packets "src $REMOTEIP"
Ok, i have this Cap file that i captured with Wireshark. There are multiple WEP keys which can be retrieved from the file.
Is there a way, using Wireshark or aircrack-ng, to know exactly how many wep keys that are available in that Pcap file ?
Edit: not the Wep passwords, just the number of Wep keys available.
Wireshark has a display/filter field named wlan.wep.key.
So: Using tshark with a display filter and wc as follows might give you the desired result (altho i haven't tried it):
tshark -R wlan.wep.key -r <filename> | wc -l
Note: I don't know if there can be more than 1 WEP key in a frame. If so then the above won't give the right count.
tshark -R wlan.wep.key -Tfields -eframe.number -r <filename> should show just the frame numbers of all the frames with WEP keys.
tshark -R wlan.wep.key -Tfields -eframe.number -ewlan.wep.key -r <filename> will print out all the keys (even if more than 1 per frame).