Wireshark-users: [Wireshark-users] Is there a tshark option to save just RTP Header?
From: Kerry L Foster <klfoster@xxxxxxxxxxxxxxxxxx>
Date: Thu, 03 May 2007 17:29:24 -0400
Hi to all.

Is it possible to control what information is being saved by tshark into the output capture file? For instance, if tshark is using the display filter '-R "sip or rtp"' to capture SIP and RTP packets, can I tell tshark to write out only the RTP header (along with the SIP packets) to the output file? Currently, I assume I would have to run two captures: one for SIP packets and a second for RTP with the snaplen option set to 54 to truncate those RTP (UDP) packets, and then later merge the two captures back together. I would like to be able to do this from one capture session (better on CPU usage).

I assume tshark does not support this capability which leads me to the next question. If I (or someone else) were to implement this capability (to contribute back), where would the best place be to add it? Could I add it as a preference within the RTP dissector (something like '-o rtp.clear_payload:TRUE')? Then from the RTP dissector, just manipulate the tvb->real_data buffer or tvb->length based upon the preference setting (it could simply zero out RTP payload, or maybe even modify the UDP/RTP lengths, etc.). It looks like dissect_packet() passes a pointer to the original packet data and not to a copied buffer, so it looks feasible.

We (as a telecom vendor) really have a need for this kind of capability since several telecom operators are becoming reluctant to send us their entire SIP/RTP packets due to increasing privacy concerns. And we really don't need the RTP payload captured unless we're diagnosing Voice Quality/Encoding problems. In most cases, RTP Header is enough for debugging most Signaling problems.

Any comments, concerns?

Thanks in advance,
Kerry Foster
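The post-processing variant of what Kerry asks for, as an added example that is not part of the original post nor of Wireshark/tshark: a small pcap rewriter that keeps SIP packets whole and cuts every RTP packet after its RTP header. It takes the snaplen idea from the post rather than the in-dissector approach, because it needs no changes to Wireshark and leaves the IP/UDP length fields alone: each RTP record is simply truncated and its pcap incl_len lowered while orig_len is kept, which is exactly what a capture-time snaplen produces and what Wireshark reports as "Packet size limited during capture" rather than as a malformed packet. The snaplen of 54 in the post is Ethernet (14) + IPv4 (20) + UDP (8) + a 12-byte RTP header, so it only fits untagged Ethernet/IPv4 and RTP without CSRCs or header extensions; parsing the header instead of using a fixed length keeps those cases correct. RTP detection is heuristic (UDP, RTP version bits equal to 2, not port 5060), which is an assumption, as are the port numbers, addresses and packet contents in sample_capture(), all constructed for the example. Classic pcap only, not pcapng.

```python
"""Strip RTP payloads from a pcap while leaving SIP (and everything else) intact.

Added example, not part of the original post nor of Wireshark/tshark. SIP packets
are kept whole; RTP packets keep only their RTP header. Each RTP record is
truncated and its pcap incl_len lowered while orig_len is kept, as a capture-time
snaplen would do. RTP detection (UDP, version bits == 2, not port 5060) is a
heuristic; sample_capture() is constructed data.
"""
import struct

SIP_PORT = 5060  # assumption: SIP carried on the standard unencrypted UDP port
PCAP_MAGICS = {  # classic pcap only (not pcapng); value is the struct byte order
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}


def rtp_header_len(payload):
    """RTP header length (12 + CSRC list + extension), or None if not RTP."""
    if len(payload) < 12 or (payload[0] >> 6) != 2:
        return None
    hdr = 12 + 4 * (payload[0] & 0x0F)           # CC = number of CSRC ids
    if payload[0] & 0x10:                         # X bit: header extension present
        if len(payload) < hdr + 4:
            return None
        ext_words = struct.unpack_from("!H", payload, hdr + 2)[0]
        hdr += 4 + 4 * ext_words
    return hdr if hdr <= len(payload) else None


def scrub_frame(frame):
    """Return an Ethernet frame cut after the RTP header, or unchanged if not RTP."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return frame                              # not untagged IPv4
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:
        return frame                              # not UDP
    udp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, udp)
    if SIP_PORT in (sport, dport):
        return frame                              # signalling stays intact
    payload_off = udp + 8
    hdr = rtp_header_len(frame[payload_off:])
    if hdr is None:
        return frame                              # some other UDP protocol
    return frame[: payload_off + hdr]


def iter_records(data):
    """Yield (ts_sec, ts_frac, incl_len, orig_len, frame) from a classic pcap."""
    end = PCAP_MAGICS[data[:4]]                   # KeyError on unknown/pcapng input
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl, orig = struct.unpack_from(end + "IIII", data, off)
        yield ts_sec, ts_frac, incl, orig, data[off + 16 : off + 16 + incl]
        off += 16 + incl


def scrub_pcap(data):
    """Rewrite every record of a classic pcap through scrub_frame()."""
    end = PCAP_MAGICS[data[:4]]
    out = bytearray(data[:24])                    # global header is unchanged
    for ts_sec, ts_frac, _incl, orig, frame in iter_records(data):
        frame = scrub_frame(frame)                # orig_len keeps the real size
        out += struct.pack(end + "IIII", ts_sec, ts_frac, len(frame), orig) + frame
    return bytes(out)


# --- constructed sample data (not a real capture) ----------------------------

def build_udp_frame(sport, dport, payload, src="10.0.0.1", dst="10.0.0.2"):
    """Ethernet/IPv4/UDP frame; checksums left zero, which dissectors tolerate."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return bytes.fromhex("020000000002" "020000000001" "0800") + ip + udp


def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # DLT_EN10MB
    return hdr + b"".join(struct.pack("<IIII", 1178227764 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))


def sample_capture():
    sip = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
           b"Via: SIP/2.0/UDP 10.0.0.1:5060\r\n\r\n")
    # RTP v2, PT 0 (PCMU), seq 1, ts 160, SSRC, then 160 bytes of audio
    rtp = struct.pack("!BBHII", 0x80, 0x00, 1, 160, 0xDEADBEEF) + b"\xd5" * 160
    return build_pcap([build_udp_frame(5060, 5060, sip),
                       build_udp_frame(20000, 20002, rtp)])


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture()
    before = [r[2:4] for r in iter_records(src)]
    after = [r[2:4] for r in iter_records(scrub_pcap(src))]
    for (i0, o0), (i1, _o1) in zip(before, after):
        print(f"orig_len={o0:5d}  incl_len {i0:5d} -> {i1:5d}")
```

Run it with a pcap path to scrub a real file, or with no argument to see the constructed sample: the SIP record is untouched and the 214-byte RTP record shrinks to 54 bytes of captured data. Two caveats a practitioner should keep in mind: the version-bits check will also match any other UDP protocol whose first byte starts with binary 10, so on a busy trunk restrict the rewrite to the media port range negotiated in the SDP, and SIP over TCP or TLS is not handled here at all.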