the problem I am having is that the first method will save everything I need, but for some reason it will add extra data (i.e. more than just the RTP payload and RTSP interleaved frame contents) in strange places
The first method:
tshark -r my.pcap -R -T fields -e rtp.payload -w rtp.out
should print an error, as the -R flag specifies a "read filter", and the read filter must come after the -R flag and must not begin with a - (if what follows -R begins with a -, it is interpreted as another flag), so that command does not specify a "read filter".
If you meant, for example,
tshark -r my.pcap -R rtp -T fields -e rtp.payload -w rtp.out
that command uses the -w flag, which specifies that a binary file containing the raw packet data from my.pcap, possibly as filtered by the read filter, should be written to the file whose name is the argument to the -w flag, so that command means "write, to the file named rtp.out, all the RTP packets in my.pcap, and also write the rtp.payload field of each packet to the standard output". There is, unfortunately, a bug in TShark that suppresses the output of the rtp.payload fields to the standard output; I've just checked in a bug fix for that.
So if you want the fields to be written to a file, you must redirect the standard output, so your second method is correct.
I looked into the tshark read filters, which seems like it should be able to do what I need
No. Read filters only control which packets TShark, when reading the capture file, bothers to process, rather than discarding after dissecting them.
What you'd want would be the flags -e rtsp.channel -e rtsp.length but, unfortunately, those are only supported by the current 1.11.x development versions of Wireshark, not by the 1.10.x or earlier versions. I don't know which of the 1.11.x releases support them; the nightly builds will support them.
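Redirecting the standard output (the second method) leaves a text file, not raw payload bytes: each line carries one packet's rtp.payload as hex. The script below is an added example, not code from this answer or from Wireshark, that turns such a file into a binary payload stream. It assumes the layout TShark uses for byte fields (colon-separated hex, one line per packet, several occurrences on one packet joined with commas, a blank line for a packet with no payload); the sample input is constructed, and a line that is not valid hex is reported by line number instead of being silently dropped.

```python
"""Convert `tshark -T fields -e rtp.payload` text output into raw payload bytes.

Added example (not code from the original answer or from Wireshark). Assumes the
layout TShark uses for byte fields: one line per packet, bytes as colon-separated
hex, several occurrences on one packet joined with commas, and a blank line for a
packet that matched the filter but carried no rtp.payload field.
"""
import sys

# Constructed sample of what `tshark -r my.pcap -R rtp -T fields -e rtp.payload > rtp.txt`
# leaves in rtp.txt; the byte values are invented for this example.
SAMPLE_FIELDS_OUTPUT = """\
00:11:22:33:44:55:66:77
f0:0d:ca:fe
ab:cd,ef:01

de:ad:be:ef
"""


def parse_payload_line(line):
    """Return one bytes object per rtp.payload occurrence found on `line`.

    Raises ValueError for text that is not colon-separated hex, so a corrupted
    or hand-edited line is reported rather than silently dropped.
    """
    payloads = []
    for occurrence in line.strip().split(","):
        if occurrence:  # a blank line yields one empty string: no payload
            payloads.append(bytes.fromhex(occurrence.replace(":", "")))
    return payloads


def payloads_from_fields_output(text):
    """Return (line_number, payload) pairs; packets without a payload are skipped."""
    result = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for payload in parse_payload_line(line):
            result.append((lineno, payload))
    return result


def bad_lines(text):
    """Return the 1-based numbers of lines that are not valid hex field output."""
    bad = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            parse_payload_line(line)
        except ValueError:
            bad.append(lineno)
    return bad


def concatenate_payloads(text):
    """Join every payload in capture order, as you would before feeding a decoder."""
    return b"".join(payload for _, payload in payloads_from_fields_output(text))


def main(argv):
    """Usage: rtp_fields_to_bin.py rtp.txt [rtp.bin]; reads stdin when no file is given."""
    text = open(argv[1]).read() if len(argv) > 1 else sys.stdin.read()
    problems = bad_lines(text)
    if problems:
        sys.exit("not hex field output on line(s): %s" % problems)
    data = concatenate_payloads(text)
    out = argv[2] if len(argv) > 2 else "rtp.bin"
    with open(out, "wb") as fh:
        fh.write(data)
    print("wrote %d payload bytes from %d payload occurrences to %s"
          % (len(data), len(payloads_from_fields_output(text)), out))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python rtp_fields_to_bin.py rtp.txt rtp.bin` after `tshark -r my.pcap -R rtp -T fields -e rtp.payload > rtp.txt`. Keeping the line number beside each payload makes it easy to go back to the same packet in Wireshark when a decoder complains about a particular chunk.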