Wireshark-dev: [Wireshark-dev] Wishlist: Ability to clear/zap RTP payload during capture

From: Kerry L Foster <klfoster@xxxxxxxxxxxxxxxxxx>
Date: Wed, 18 Apr 2007 16:21:32 -0400
Hi to all.

The Short Question:

Has anyone thought about adding an option to tshark that allows the RTP payload to be cleared/zapped (and UDP checksum corrected) before writing output packets to a file or to the output display? Can this be done now?

The Long of it:

I work for a Telecom Vendor were we use tshark (and other capture tools) to capture SIP/RTP packets in our Telecom customer's networks. With newer privacy regulations coming into play, our customers are becoming more reluctant to provide us with the RTP packets since they contain private conversations of their subscribers. Though, to debug some signaling/control problems, it's important to receive at least the RTP headers to know that the conversations have been properly established, to test for packet jitter, etc. The RTP payloads are really only necessary (in this case) for testing voice quality or audio encoding problems.

I understand the trend lately has been to decode more of the RTP payload types so that it can be saved into audio files for playback.

It would be nice if there was a capture option to tshark that would allow the Payload of RTP packets (that are part of a SIP conversation), to be cleared or removed before the packets are written to a file or displayed.

The tshark/wireshark filters are more geared towards deciding whether to include or exclude entire packets but not to manipulate them. I was thinking of implementing this ability, but not sure where it fits. This sounds more like it would be either a command line capture option or more likely an RTP dissector option.

I looked through the Wish List, but haven't seen this kind of request yet.

Any thoughts about it? Is it even possible to do with current implementation? I thought of using the capture snap length option, but it applies to ALL packets and not just RTP. I've haven't looked at the MATE or LUA stuff enough yet to understand if that could meet the needs. I like tshark because of it's ability to use Display filters during packet capture and don't want to have to switch to something like tcpdump.

Thanks in advance,
Kerry Foster