
Wireshark-users: Re: [Wireshark-users] Saving the UDP stream from a wireshark capture session

From: "RUOFF, LARS (LARS)** CTR **" <lars.ruoff@xxxxxxxxxxxxxxxxxx>
Date: Tue, 20 Jul 2010 16:58:34 +0200
Hi,
You can save the RTP payload in rtpdump format (http://wiki.wireshark.org/rtpdump).
It also contains the size of the packet.
This is done from the "RTP Streams" (Telephony->RTP->Show all streams) dialog by pressing the "Save As" button on a selected stream.
See also if http://wiki.wireshark.org/RtpDumpScript can be of use to you.

Regards,
Lars Ruoff

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Anirud
Sent: Tuesday, 20 July 2010 16:25
To: Community support list for Wireshark
Subject: [Wireshark-users] Saving the UDP stream from a wireshark capture session

Hi all,

Now obviously, my ignorance is evident here. I captured all the
packets on the wire and want to save just the UDP stream into a raw
binary file.  The UDP itself contains RTP which contains an H.264
video bitstream. I am interested in this H.264 stream which is carried
as per RFC 3984.

However, the RTP payload can have one or more NAL units as per the RFC
(STAP, FU, MTAP and so forth).  So I am going to write a simple parser
to extract the raw elementary video stream from the RTP payload.  I
cannot just save the RTP payload in Wireshark since my parser needs to
know the size (length) of each packet's payload and the raw file
doesn't have that.

So I thought of saving the UDP packets since the UDP header has the
length field after Source/Destination ports and before the Checksum. I
can then strip the RTP headers and parse the RTP payload and extract
the H.264 bitstream.  However, I just can't figure out how to save the
UDP packets with the headers. I can save the UDP payload if I do
"Analyze -> Follow Stream" but that saves the payload only, without
headers.  I don't want the Ethernet and IP headers since that would be
another level of detail to understand and then write code to strip
out.

Sorry for being so stupid but I just can't seem to figure this one out...

Anirud
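
Added example, not part of the original thread or of Wireshark: a reader for the rtpdump format suggested in the reply, returning each packet's RTP payload with its length and RFC 3984 packetization type. It assumes the rtpdump layout of a "#!rtpplay1.0" text line, a 16-byte binary file header and an 8-byte big-endian record header (length, plen, offset in ms); the function names and the sample bytes are constructed for illustration.

```python
import struct

NAL_KINDS = {24: "STAP-A", 25: "STAP-B", 26: "MTAP16", 27: "MTAP24", 28: "FU-A", 29: "FU-B"}

def rtp_payload(pkt):
    """Strip the RTP header (RFC 3550) from one packet, validating every length."""
    if len(pkt) < 12 or pkt[0] >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    off = 12 + 4 * (pkt[0] & 0x0F)            # fixed header plus CSRC list
    if pkt[0] & 0x10:                          # X bit: header extension present
        if len(pkt) < off + 4:
            raise ValueError("truncated header extension")
        off += 4 + 4 * struct.unpack_from("!H", pkt, off + 2)[0]
    pad = pkt[-1] if pkt[0] & 0x20 else 0      # P bit: last byte counts padding
    if (pkt[0] & 0x20 and pad == 0) or off + pad > len(pkt):
        raise ValueError("header or padding exceeds packet")
    return pkt[off:len(pkt) - pad]

def read_rtpdump(data):
    """Return (offset_ms, payload_len, kind, payload) for each RTP record."""
    nl = data.find(b"\n")
    if nl < 0 or not data.startswith(b"#!rtpplay1.0 "):
        raise ValueError("missing rtpplay text header")
    pos, out = nl + 1 + 16, []                 # skip the 16-byte binary file header
    while pos + 8 <= len(data):
        length, plen, offset_ms = struct.unpack_from("!HHI", data, pos)
        if length < 8 or pos + length > len(data):
            raise ValueError("bad record length at byte %d" % pos)
        body = data[pos + 8:pos + length]
        pos += length
        if plen == 0 or len(body) < plen:      # RTCP, or packet not fully recorded
            continue
        payload = rtp_payload(body[:plen])
        if payload:
            t = payload[0] & 0x1F              # RFC 3984 NAL unit type
            kind = NAL_KINDS.get(t, "single" if 1 <= t <= 23 else "reserved")
            out.append((offset_ms, len(payload), kind, payload))
    return out

def sample():
    """Constructed rtpdump bytes: three RTP packets and one RTCP record."""
    rec = lambda pkt, plen, ms: struct.pack("!HHI", len(pkt) + 8, plen, ms) + pkt
    rtp = lambda b0, body: struct.pack("!BBHII", b0, 96, 1, 0, 0x1234) + body
    p1 = rtp(0x80, b"\x65\xaa\xbb")                  # single NAL, type 5
    p2 = rtp(0x80, b"\x7c\x85\x01\x02")              # FU-A
    p3 = rtp(0xA0, b"\x78\x00\x01\x67\x00\x02")      # STAP-A with 2 padding bytes
    head = b"#!rtpplay1.0 192.0.2.1/5004\n" + struct.pack("!IIIHH", 0, 0, 0, 5004, 0)
    return (head + rec(p1, len(p1), 0) + rec(b"\x80\xc8\x00\x00", 0, 20)
            + rec(p2, len(p2), 40) + rec(p3, len(p3), 80))
```

Every length field is checked against the bytes actually present before slicing, since a capture file taken off the wire is untrusted input to the parser.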