Hi to all.
The Short Question:
Has anyone thought about adding an option to tshark that allows the RTP
payload to be cleared/zapped (and UDP checksum corrected) before writing
output packets to a file or to the output display? Can this be done now?
The Long of it:
I work for a Telecom Vendor were we use tshark (and other capture tools)
to capture SIP/RTP packets in our Telecom customer's networks. With
newer privacy regulations coming into play, our customers are becoming
more reluctant to provide us with the RTP packets since they contain
private conversations of their subscribers. Though, to debug some
signaling/control problems, it's important to receive at least the RTP
headers to know that the conversations have been properly established,
to test for packet jitter, etc. The RTP payloads are really only
necessary (in this case) for testing voice quality or audio encoding
problems.
I understand the trend lately has been to decode more of the RTP payload
types so that it can be saved into audio files for playback.
It would be nice if there was a capture option to tshark that would
allow the Payload of RTP packets (that are part of a SIP conversation),
to be cleared or removed before the packets are written to a file or
displayed.
The tshark/wireshark filters are more geared towards deciding whether to
include or exclude entire packets but not to manipulate them. I was
thinking of implementing this ability, but not sure where it fits. This
sounds more like it would be either a command line capture option or
more likely an RTP dissector option.
I looked through the Wish List, but haven't seen this kind of request yet.
Any thoughts about it? Is it even possible to do with current
implementation? I thought of using the capture snap length option, but
it applies to ALL packets and not just RTP. I've haven't looked at the
MATE or LUA stuff enough yet to understand if that could meet the needs.
I like tshark because of it's ability to use Display filters during
packet capture and don't want to have to switch to something like tcpdump.
Thanks in advance,
Kerry Foster