Hi to all.
Is it possible to control what information is being saved by tshark into
the output capture file? For instance, if tshark is using the display
filter '-R "sip or rtp"' to capture SIP and RTP packets, can I tell
tshark just to write out the RTP header only (along with SIP packets) to
the output file? Currently, I assume I would have to run two captures:
one for SIP packets and a second for RTP with the snaplen option set to
54 to truncate those RTP (UDP) packets, and then later merge the two
captures back together. I would like to be able to do this from one
capture session (better on CPU usage).
I assume tshark does not support this capability, which leads me to the
next question. If I (or someone else) were to implement this capability
(to contribute back), where would the best place be to add it? Could I
add it as a preference within the RTP dissector (something like '-o
rtp.clear_payload:TRUE')? Then from the RTP dissector, just manipulate
the tvb->real_data buffer or tvb->length based upon the preference
setting (it could simply zero out RTP payload, or maybe even modify the
UDP/RTP lengths, etc.). It looks like dissect_packet() passes a pointer
to the original packet data and not to a copied buffer, so it looks
feasible.
We (as a telecom vendor) really have a need for this kind of capability
since several telecom operators are becoming reluctant to send us their
entire SIP/RTP packets due to increasing privacy concerns. And we really
don't need the RTP payload captured unless we're diagnosing voice
quality/encoding problems. In most cases, the RTP header is enough for
debugging most signaling problems.
Any comments, concerns?
Thanks in advance,
Kerry Foster
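An added example, not code from the original post or from Wireshark: the snaplen-54 truncation Kerry describes, done as a post-processing step on a classic pcap. It keeps SIP (UDP port 5060) frames whole and cuts RTP frames back to Ethernet/IPv4/UDP plus the 12-byte RTP fixed header, going one step further than a fixed snaplen by also keeping the CSRC list; the cut is recorded as a shortened incl_len with orig_len untouched, which is exactly how a snaplen truncation is stored, so no IP/UDP length fields need rewriting. The frame layout, port numbers and the two sample packets are constructed assumptions.

```python
import struct

ETH, IP4, UDP, RTP = 14, 20, 8, 12   # header sizes: 14 + 20 + 8 + 12 = the 54-byte snaplen
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, LINKTYPE_ETHERNET

def rtp_keep_len(frame):
    """Bytes to keep for an Ethernet/IPv4/UDP frame carrying RTP (version 2): the fixed
    header plus CSRC list. None means keep the whole frame (SIP on 5060, or not RTP-shaped)."""
    if len(frame) < ETH + IP4 + UDP or frame[12:14] != b"\x08\x00" or frame[ETH + 9] != 17:
        return None                                   # not IPv4/UDP
    udp = ETH + (frame[ETH] & 0x0F) * 4               # IHL gives the IPv4 header length
    rtp = udp + UDP
    if 5060 in struct.unpack_from("!HH", frame, udp) or len(frame) < rtp + RTP or frame[rtp] >> 6 != 2:
        return None                                   # SIP, or no RTP v2 header
    return rtp + RTP + 4 * (frame[rtp] & 0x0F)        # CC = number of 32-bit CSRC entries

def records(pcap):
    """Yield (byte order, (sec, usec, incl_len, orig_len), frame) for each pcap record."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    pos = 24
    while pos + 16 <= len(pcap):
        hdr = struct.unpack_from(end + "IIII", pcap, pos)
        yield end, hdr, pcap[pos + 16:pos + 16 + hdr[2]]
        pos += 16 + hdr[2]

def strip_rtp_payload(pcap):
    """Rewrite a classic pcap so RTP records keep only their headers: incl_len shrinks but
    orig_len stays, exactly as a snaplen truncation is recorded, so IP/UDP lengths need no edit."""
    out = bytearray(pcap[:24])
    for end, (sec, usec, incl, orig), frame in records(pcap):
        keep = rtp_keep_len(frame)
        if keep is not None:
            frame = frame[:keep]
        out += struct.pack(end + "IIII", sec, usec, len(frame), orig) + frame
    return bytes(out)

def udp_frame(sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame (checksums zeroed; sample data only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP4 + UDP + len(payload), 0, 0, 64, 17, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHHH", sport, dport, UDP + len(payload), 0) + payload

def sample_pcap():
    """Constructed two-packet capture: one SIP INVITE, one RTP packet (PT 0) with 160 audio bytes."""
    sip = udp_frame(5060, 5060, b"INVITE sip:bob@example.com SIP/2.0\r\n\r\n")
    rtp = udp_frame(10000, 20000, struct.pack("!BBHII", 0x80, 0, 1, 160, 0xDEADBEEF) + b"\x55" * 160)
    return PCAP_HDR + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in (sip, rtp))
```

Running strip_rtp_payload(sample_pcap()) leaves the SIP record at 80/80 bytes and the RTP record at incl_len 54 with orig_len 214, so Wireshark still dissects the RTP header while the audio payload is gone from the file.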