Wireshark-users: [Wireshark-users] Comparing packets

From: Piers Kittel <debian@xxxxxxxxxx>
Date: Wed, 30 May 2007 18:28:47 +0100
Hello all,

I'm trying to export data as a CSV file but I need to modify the data it exports a bit so I can do clever graphy things with it. My main problem is the H.261 packets in a bunch of files I've got. When I apply a filter (h261.stream) it shows all the packets I'm interested in, but when I export it, it comes up as:

181 1324.014027 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx H.261 H.261 message

So I have no way to compare packets just using the data above. I've found that I can disable the analyser for H.261 packets (Analyze - Enabled Protocols - untick H.261) and it shows the data I need. For example, packet 181 it shows:

181 1324.014027 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx RTP Payload type = ITU-T H.261, SSRC 2008229573, Seq=54520, Time=1725612773, Mark

That is exactly what I need as I need the Seq part to compare packets. Naturally, I have to cancel the filter, but I filter by right clicking on the packet above, clicking on "Conversation Filter" and clicking on UDP. Then when I export it as a CSV file, then one column shows:

Payload type=ITU-T H.261, SSRC=2008229573, Seq=54520, Time=1725612773, Mark

Is there a way (either from Wireshark or Excel/NeoOffice or anything else such as a shell script) to strip the data down just to the 54520 part? Thinking about it, something like a shell script to delete everything but the "54520" part from that column will be useful, but will have to work out how to make it not delete anything else. Any pointers to a helpful guide, or do you have any better idea?

Thanks very much for your help in advance!

Regards - Piers