tshark: extract rtp payload of the codec G.723 - unix

In order to extract the RTP payload from a pcap file captured by Wireshark, I'm using tshark with the command
tshark -nr stream.pcap -i wlan1 -R 'rtp && ip.dst==192.168.1.64' -T fields -e rtp.payload
This succeeded with the codecs g.729 and ilbc, but with the codec g.723 it wasn't the case. I think that this problem is due to the fact that the field "payload" of the rtp protocol doesn't exist any more (when consulting Wireshark).
Any idea how to extract the payload of the codec g.723?

I did it this way:
used rtpxtract.pl from here,
then used ffmpeg to convert it to a format a user can listen to, like MP3:
ffmpeg -f g723_1 -i ${infile} ${outfile}.mp3

To solve this problem you just have to disable the protocol g723 in Wireshark under the item Enabled Protocols in the Analyze menu; then the field "payload" will appear in the rtp protocol and the command
tshark -nr stream.pcap -i wlan1 -R 'rtp && ip.dst==192.168.1.64' -T fields -e rtp.payload
will succeed!

Related

How to create an audio file from a Pcap file with Tshark?

I want to make audio data from a Pcap file with Tshark.
I have successfully created audio data from a Pcap file using Wireshark's RTP analysis function.
This Pcap file is created from a VoIP phone conversation.
Next time I want to do the same thing with Tshark.
What command would do that?
I read the Tshark manual to find out how, but couldn't find it.
Do I need any tools?
On Linux, extracting the RTP packets from PCAP file is possible with tshark together with shell tools tr and xxd, but then you might need other tools to convert to an audio format.
If you have a single call recording in the pcap, so all rtp packets belong to it, try with:
tshark -n -r call.pcap -2 -R rtp -T fields -e rtp.payload | tr -d '\n',':' | xxd -r -ps >call.rtp
If the pcap has the recordings from many calls, then you have to identify the calls and their RTP streams by source/destination IPs or SSRC and build the filter accordingly, for example if SSRC is 0x7f029328:
tshark -n -r call.pcap -2 -R rtp -R "rtp.ssrc == 0x7f029328" -T fields -e rtp.payload | tr -d '\n',':' | xxd -r -ps >call.rtp
Tools like sox or ffmpeg can be used to convert from call.rtp file to wav format, depending on the codec that was used in the call. If the codec was G711u (PCMU) with sample rate 8000:
sox -t ul -r 8000 -c 1 call.rtp call.wav
The audio formats supported by sox are listed by sox -h. ffmpeg might be needed for codecs such as G729 or G722; example for G722 with sample rate 16000:
ffmpeg -f g722 -i call.rtp -acodec pcm_s16le -ar 16000 -ac 1 call.wav
These guidelines are from some brief notes I made during the past when I had similar needs, hope they are good and still valid nowadays, or at least provide the right direction to explore further.
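The tr/xxd pipeline above simply concatenates payloads in capture order, so a multi-stream pcap or reordered packets would produce garbage audio. As an added example (not from the answer above), this script takes tshark field output with rtp.ssrc and rtp.seq alongside rtp.payload, splits it into one stream per SSRC, restores sequence order across the 16-bit wrap and counts lost packets. The tab-separated "ssrc<TAB>seq<TAB>hex:hex:..." layout and the sample lines are assumed and constructed.

```python
# Added example, not from the original answers.
# Assumed input: output of
#   tshark -n -r call.pcap -2 -R rtp -T fields -e rtp.ssrc -e rtp.seq -e rtp.payload
# i.e. one packet per line, fields separated by tabs (assumed layout).
from collections import defaultdict

# Constructed sample: two SSRCs interleaved, one stream wrapping from 65535 to 0
# with a packet arriving out of order, the other missing seq 11.
SAMPLE = """\
0x7f029328\t65534\tff:01:02
0x1a2b3c4d\t10\t10:11
0x7f029328\t0\t05:06
0x7f029328\t65535\t03:04
0x1a2b3c4d\t12\t14:15
"""

def parse_fields(text):
    """Yield (ssrc, seq, payload_bytes) for each non-empty tshark output line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ssrc, seq, hexpayload = line.split("\t")
        yield ssrc, int(seq), bytes.fromhex(hexpayload.replace(":", ""))

def seq_key(first_seq, seq):
    """Order 16-bit RTP sequence numbers relative to the first one seen,
    so 65534, 65535, 0, 1 sorts correctly across the wrap."""
    return (seq - first_seq) & 0xFFFF

def demux(text):
    """Return {ssrc: (payload bytes in sequence order, number of lost packets)}."""
    streams = defaultdict(list)
    for ssrc, seq, payload in parse_fields(text):
        streams[ssrc].append((seq, payload))
    result = {}
    for ssrc, pkts in streams.items():
        first = pkts[0][0]
        pkts.sort(key=lambda p: seq_key(first, p[0]))
        # A gap between consecutive sequence numbers means packets were lost.
        lost = sum(((b - a) & 0xFFFF) - 1 for (a, _), (b, _) in zip(pkts, pkts[1:]))
        result[ssrc] = (b"".join(p for _, p in pkts), lost)
    return result

if __name__ == "__main__":
    for ssrc, (data, lost) in demux(SAMPLE).items():
        with open(f"call_{ssrc}.rtp", "wb") as f:   # feed to sox/ffmpeg as above
            f.write(data)
        print(ssrc, len(data), "bytes,", lost, "packet(s) lost")
```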

tshark capture only dns or http traffic with specific ip adress and write to file

Hello, I want to capture DNS, HTTP or HTTP2 traffic from a specific IP address and save it to a file.
I tried this:
tshark -i xxx -w capture-output.pcap -T fields -e ip.src -Y "ip.src == 192.168.178.xxx and (dns or http or http2)"
I get this error:
tshark: Display filters aren't supported when capturing and saving the captured packets.
Can somebody help me?
The error gives you as much information as you need - you can't use a display filter when saving a packet capture. You have two options here:
Option 1: Save the capture and use a display filter afterwards
This would look something like
# Write the initial file with incoming packets
$ tshark -i xxx -w capture-output.pcap
# Filter out the traffic we don't want
$ tshark -r capture-output.pcap -w filtered-output.pcap \
-T fields -e ip.src -Y "ip.src == 192.168.178.xxx and (dns or http or http2)"
Option 2: Use a capture filter
Use a capture filter instead. Capture filters use a special syntax that is different from display filters.
The equivalent capture filter you would want to use, given your display filter, is
$ tshark -w filtered.pcap -f "src net 192.168.178.0/24 and (udp port 53 or tcp port 80 or tcp port 443)"

DirectShow stream using ffmpeg point to point streaming through TCP protocol

I had set up a point-to-point stream using ffmpeg via UDP protocol and the stream worked, but there was screen tearing etc. I already tried raising the buffer size, but it did not help. This is a work network, so the UDP protocol won't work.
here is the full command:
ffmpeg -f dshow -i video="UScreenCapture" -r 30 -vcodec mpeg4 -q 12 -f mpegts udp://192.168.1.220:1234?pkt_size=188?buffer_size=65535
I've tried to make this work with TCP with no success.
Here's what I've got now:
ffmpeg -f dshow -i video="UScreenCapture" -f mpegts tcp://192.168.1.194:5555
this returns an error:
real-time buffer [UScreenCapture] [Video input] too full or near too
full <323% of size: 3041280 [rtbufsize parameter]>! frame dropped!
This last message repeated xxxx times (it went up to around 1400 and I just turned it off).
I've tried to use the -rtbufsize parameter and raising the buffer size up to 800000000, which didn't help.
I would appreciate any suggestions on how to solve this.

How can I make Wireshark filter by port when reading from standard in?

I'm piping from a RawCap-generated dump file to Wireshark in order to monitor local traffic, how can I instruct wireshark to only show traffic to a certain destination port?
I'm running RawCap in one Cygwin shell, and Wireshark in another to monitor RawCap's output:
Shell 1:
RawCap.exe -f 127.0.0.1 dumpfile.pcap
Shell 2:
# How do I tell Wireshark to show only traffic to port 10000?
tail -c +0 -f dumpfile.pcap | Wireshark.exe -k -i -
The appropriate flag for instructing wireshark to filter the displayed packets is -Y, as its man page reports:
-Y <display filter> start with the given display filter
For filtering the destination port of TCP, use tcp.dstport==X where X specifies the port.
Therefore, the full command is:
tail -c +0 -f dumpfile.pcap | wireshark -k -i - -Y "tcp.dstport==10000"
This is a good starting point for information on display filters. A full reference on the subject is available here and a detailed explanation of its syntax is available here. However, it's worth noting that most basic filters can be found via a simple online search.

How to save to file all the syn packets?

I need to have some statistics (for test purposes) on SYN packets that were received.
I got lost with the available tools: ethereal, tshark, tcpdump.
I want a simple tool that will not dump the complete packet, only by pattern (in my case only IP, but in some cases I will also need the payload).
Which one from the above (or another) does the job?
If you have some patience I will be thankful for a reference about the differences between them. I didn't find a good one.
I am running on Ubuntu.
The tool and the filter and the pattern all need to be from the command line.
The pattern can be, e.g., ip.src, ip.payload.
Thank you
The following tcpdump command will save all the packets which have the SYN flag set and are sent to the IP address stored in the environment variable MYIP to a file:
MYIP=172.16.1.2
sudo tcpdump -w /tmp/syn_packets "tcp[tcpflags] & tcp-syn != 0 and dst $MYIP"
A list of unique host/ports from the dump can be produced with the following command (uniq only collapses adjacent duplicates, so the output is sorted first):
tcpdump -nr /tmp/syn_packets |cut -d " " -f 3 |sort |uniq
A list of packet counts per host/port can be produced with the following command:
tcpdump -nr /tmp/syn_packets |cut -d " " -f 3 |sort |uniq -c
The packet contents will be stored in the tmp file. You can see a hex dump of the packet data with the -x option:
tcpdump -xr /tmp/syn_packets
You can dump the contents of packets from specific IPs with the following command:
REMOTEIP=6.6.6.6
tcpdump -xr /tmp/syn_packets "src $REMOTEIP"
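The cut/uniq pipeline above counts SYNs per source host and port only. As an added example (not from the answer above), this script parses the text lines `tcpdump -nr /tmp/syn_packets` prints, counts pure SYNs per source and the distinct destination ports each source touched, so that one source opening many ports stands out in the statistics. The line layout is assumed from tcpdump's usual output and the sample lines are constructed.

```python
# Added example, not from the original answer. Input lines are assumed to look like
#   HH:MM:SS.uuuuuu IP SRC.SPORT > DST.DPORT: Flags [S], seq ..., win ..., length 0
# as printed by `tcpdump -nr /tmp/syn_packets` (assumed layout).
import re
from collections import Counter, defaultdict

# Constructed sample: 10.0.0.5 sends SYNs to four different ports, 10.0.0.9 to one.
SAMPLE = """\
10:00:00.000001 IP 10.0.0.5.40001 > 172.16.1.2.22: Flags [S], seq 1, win 64240, length 0
10:00:00.000002 IP 10.0.0.5.40002 > 172.16.1.2.80: Flags [S], seq 2, win 64240, length 0
10:00:00.000003 IP 10.0.0.5.40003 > 172.16.1.2.443: Flags [S], seq 3, win 64240, length 0
10:00:00.000004 IP 10.0.0.9.51000 > 172.16.1.2.443: Flags [S], seq 4, win 65535, length 0
10:00:00.000005 IP 172.16.1.2.443 > 10.0.0.9.51000: Flags [S.], seq 9, ack 5, win 0, length 0
10:00:00.000006 IP 10.0.0.9.51001 > 172.16.1.2.443: Flags [S], seq 5, win 65535, length 0
10:00:00.000007 IP 10.0.0.5.40004 > 172.16.1.2.8080: Flags [S], seq 6, win 64240, length 0
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def parse(text):
    """Yield (src, dport, flags) for each line that matches the tcpdump layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], int(m["dport"]), m["flags"]

def syn_summary(text):
    """Return (pure-SYN count per source, set of destination ports per source).
    Flags "S." is a SYN-ACK reply and is excluded; only "S" counts as a new request."""
    per_src = Counter()
    ports = defaultdict(set)
    for src, dport, flags in parse(text):
        if flags == "S":
            per_src[src] += 1
            ports[src].add(dport)
    return per_src, ports

def sources_touching_many_ports(text, min_ports=3):
    """Sources whose SYNs reached at least min_ports distinct destination ports."""
    _, ports = syn_summary(text)
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)

if __name__ == "__main__":
    counts, ports = syn_summary(SAMPLE)
    for src, n in counts.most_common():
        print(f"{src}: {n} SYN(s) to ports {sorted(ports[src])}")
    print("many distinct ports:", sources_touching_many_ports(SAMPLE))
```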
