https://stackoverflow.com/questions/21923188
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russianthe problem I am having is that the first method will save everything I need, but for some reason it will add extra data (i.e. more than just the RTP payload and RTSP interleaved frame contents) in strange places
The first method:
tshark -r my.pcap -R -T fields -e rtp.payload -w rtp.out
should print an error, as the -R flag specifies a "read filter", and the read filter must come after the -R flag and must not begin with a - (if what follows -R begins with a -, it is interpreted as another flag), so that command does not specify a "read filter".
If you meant, for example,
tshark -r my.pcap -R rtp -T fields -e rtp.payload -w rtp.out
that command uses the -w flag, which specifies that a binary file containing the raw packet data from my.pcap, possibly as filtered by the read filter, should be written to the file whose name is the argument to the -w flag, so that command means "write, to the file named rtp.out, all the RTP packets in my.pcap, and also write the rtp.payload field of each packet to the standard output". There is, unfortunately, a bug in TShark that suppresses the output of the rtp.payload fields to the standard output; I've just checked in a bug fix for that.
So if you want the fields to be written to a file, you must redirect the standard output, so your second method is correct.
I looked into the tshark read filters, which seems like it should be able to do what I need
No. Read filters only control which packets TShark, when reading the capture file, bothers to process, rather than discarding after dissecting them.
What you'd want would be the flags
-e rtsp.channel -e rtsp.length
but, unfortunately, those are only supported by the current 1.11.x development versions of Wireshark, not by the 1.10.x or earlier versions. I don't know which of the 1.11.x releases support them; the nightly builds will support them.
