Wireshark-users: Re: [Wireshark-users] tshark RTP decodes

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 3 Sep 2012 18:11:29 -0700
On Sep 3, 2012, at 5:48 PM, Joerg Mayer wrote:

> On Sat, Sep 01, 2012 at 04:03:54PM +0000, Barry Constantine wrote:
>> I know how to redecode to RTP in UI, but would like to do the same at the command line and extract fields.
> ...
>> tshark -r rtp_call.pcap -o rtp.heuristic_rtp:TRUE -T fields -e rtp.seq
> ...
>> It accepts the -o option, but the rtp.seq field is displayed with no content.
> 
> Works for me here:
> tshark -r rtp-only-test.pcap -o rtp.heuristic_rtp:TRUE -T fields -e rtp.seq

"rtp.heuristic_rtp:TRUE" turns on a heuristic; it's a bit of a weak heuristic, but it might still fail to recognize RTP packets.  Perhaps it's recognizing them in your capture but not in Barry's capture.

"redecode to RTP in UI", I suspect, means "use 'Decode As...'", which is a manual operation, so to do it purely from the command line you'd first have to run TShark on the capture to try to figure out what ports are being used for RTP traffic and then re-run TShark with the appropriate "-d" flag values.  If you want it done without that much user interaction, the heuristic is about the best that can be done.

Barry, if that's what "redecode to RTP in UI" means, what happens if you *don't* use that and, instead, just enable the heuristic in the RTP preferences?  Does it recognize all the relevant packets as RTP?  If so, and it's not working in TShark, that's a weird bug; we'd need to see a capture on which it happens to try to figure it out.  If not, then the heuristic would need to be changed; when the packets *are* dissected as RTP, what are:

	the version number (0, 2, or other);

	the destination ports to which the packets are sent?
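As an added example that is not part of the original thread, here is the two-step approach Guy describes (run TShark once to find the ports, then re-run it with one "-d udp.port==N,rtp" per port) scripted in Python, together with the per-port version-number tally he asks Barry for. It assumes step 1 is run as `tshark -r rtp_call.pcap -Y udp -T fields -e udp.dstport -e data.data`, producing one tab-separated line per packet with the payload as colon-separated hex (`-e udp.payload` on recent TShark prints the same format); the sample output, the reuse of the `rtp_call.pcap` name from the thread, and all function names are constructed for this illustration. The version-2 plus not-RTCP check is a simple stand-in for deciding which ports to map, not Wireshark's own heuristic.

```python
"""Command-line stand-in for Wireshark's "Decode As..." on RTP (added example).

Step 1: tshark -r rtp_call.pcap -Y udp -T fields -e udp.dstport -e data.data
Step 2: pick ports whose payloads look like RTP and re-run tshark with
        "-d udp.port==N,rtp" for each, so rtp.* fields are populated.

Only the port/payload analysis runs here; the step 2 command is returned as
an argument list so it can be inspected or handed to subprocess.run().
"""
from collections import Counter, defaultdict
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Constructed sample of step 1 output (not from a real capture):
# three RTP packets (PCMA) to 5004, one RTCP SR to 5005, a DNS reply, a SIP INVITE.
SAMPLE_STEP1_OUTPUT = """\
5004\t80:08:00:01:00:00:03:c0:de:ad:be:ef:d5:d5:d5:d5
5004\t80:08:00:02:00:00:04:60:de:ad:be:ef:d5:d5:d5:d5
5005\t81:c9:00:07:de:ad:be:ef:00:00:00:00
5004\t80:08:00:03:00:00:05:00:de:ad:be:ef:d5:d5:d5:d5
53\t12:34:81:80:00:01:00:00:00:00:00:00
5060\t49:4e:56:49:54:45:20:73:69:70:3a:62
"""

RTP_HEADER_LEN = 12                  # fixed RTP header, RFC 3550 section 5.1
RTCP_PACKET_TYPES = range(200, 205)  # SR/RR/SDES/BYE/APP: also version 2, byte 1 is the PT


def parse_step1(step1_output: str) -> Iterator[Tuple[int, bytes]]:
    """Yield (destination port, raw UDP payload) for each tab-separated line."""
    for line in step1_output.splitlines():
        if not line.strip():
            continue
        port_s, hexpayload = line.split("\t", 1)
        yield int(port_s), bytes.fromhex(hexpayload.replace(":", ""))


def rtp_version(payload: bytes) -> Optional[int]:
    """Top two bits of byte 0; None if the payload is too short to hold an RTP header."""
    if len(payload) < RTP_HEADER_LEN:
        return None
    return payload[0] >> 6


def looks_like_rtp(payload: bytes) -> bool:
    """Version 2 and not an RTCP packet (RTCP puts packet type 200..204 in byte 1)."""
    if rtp_version(payload) != 2:
        return False
    return payload[1] not in RTCP_PACKET_TYPES


def versions_by_port(step1_output: str) -> Dict[int, Counter]:
    """Per destination port, how many packets carried version 0, 2, other (None = too short)."""
    table: Dict[int, Counter] = defaultdict(Counter)
    for port, payload in parse_step1(step1_output):
        table[port][rtp_version(payload)] += 1
    return dict(table)


def candidate_rtp_ports(step1_output: str, min_packets: int = 2) -> Set[int]:
    """Ports with at least min_packets RTP-looking payloads; the floor drops one-off hits."""
    hits: Counter = Counter()
    for port, payload in parse_step1(step1_output):
        if looks_like_rtp(payload):
            hits[port] += 1
    return {port for port, n in hits.items() if n >= min_packets}


def decode_as_args(ports) -> List[str]:
    """One -d flag per port, the command-line form of Decode As... for UDP -> RTP."""
    return [arg for port in sorted(ports) for arg in ("-d", f"udp.port=={port},rtp")]


def step2_command(pcap: str, ports, fields=("rtp.seq",)) -> List[str]:
    """Build the re-run: decode the chosen ports as RTP and extract the wanted fields."""
    cmd = ["tshark", "-r", pcap, *decode_as_args(ports), "-T", "fields"]
    for field in fields:
        cmd += ["-e", field]
    return cmd


if __name__ == "__main__":
    for port, tally in sorted(versions_by_port(SAMPLE_STEP1_OUTPUT).items()):
        print(f"dst port {port}: versions {dict(tally)}")
    ports = candidate_rtp_ports(SAMPLE_STEP1_OUTPUT)
    print(" ".join(step2_command("rtp_call.pcap", ports)))
```

On the sample, only 5004 qualifies: 5005 is rejected because byte 1 is 201 (an RTCP SR), the DNS reply has version 0, and the SIP INVITE has version 1, so the re-run is `tshark -r rtp_call.pcap -d udp.port==5004,rtp -T fields -e rtp.seq`. The per-port version tally is exactly the information Guy asks for when the heuristic misses packets.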