Mark Oliver's World

Posted: 09/04/2024

Make A Wireshark Capture File More Focussed

Wireshark capture files can be massive. So you may want to remove all the unnecessary data from the file before further analysis.

This can be done via the UI, but it is easier to do it via the command line.

Run the following tshark command, from your Wireshark installation directory:

    tshark.exe -r <filename of original capture file> -Y <display filter> -w <filename of smaller capture file>

(In current tshark releases, -Y is the single-pass display filter. The older -R option is the two-pass read filter and is only accepted together with -2; without -2 tshark refuses to run.)
  • <filename of original capture file> is the full path to the capture file.
  • <filename of smaller capture file> is the full path to the new capture file.
  • <display filter> is the filter criteria you wish to use to select the capture packets you want to keep. (These are exactly as you would enter them in the Wireshark UI.)

Examples:

  • "sip or sdp or rtp" - Will filter for only the traffic that is used in VoIP calls
  • "ip.addr == 192.168.1.10" - Will filter for only the packets that involved the IP address 192.168.1.10
  • "tcp.port eq 25 or icmp" - Will filter to only SMTP (port 25) and ICMP traffic.

This applies the filter to the whole file: only the packets that match it are written to the output file, and everything else is dropped.
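As an added example (not from the original post), the following Python script does by hand what the `ip.addr == 192.168.1.10` filter does when written out with `-w`: it parses a classic little-endian pcap, keeps only the packets whose IPv4 source or destination is that address, and writes a smaller pcap. The sample packets and the helper names are constructed for illustration.

```python
import struct
from typing import List

# Constructed sample frames (not from a real capture): Ethernet II + minimal IPv4 header.
def _ipv4_frame(src: str, dst: str) -> bytes:
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    payload = b"\x00" * 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + payload

def write_pcap(packets: List[bytes]) -> bytes:
    # Classic libpcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        # Record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1700000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out

def read_pcap(data: bytes) -> List[bytes]:
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here (no pcapng)")
    off, packets = 24, []
    while off < len(data):
        _ts, _us, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        packets.append(data[off:off + incl_len])
        off += incl_len
    return packets

def matches_ip_addr(pkt: bytes, addr: str) -> bool:
    # Equivalent of the display filter ip.addr == <addr>: true if source OR destination matches.
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return False                      # not IPv4 (e.g. ARP), so the ip.addr filter cannot match
    src = ".".join(str(b) for b in pkt[26:30])
    dst = ".".join(str(b) for b in pkt[30:34])
    return addr in (src, dst)

def filter_capture(pcap: bytes, addr: str) -> bytes:
    # The "-r original -Y filter -w smaller" step: re-emit only the matching records.
    return write_pcap([p for p in read_pcap(pcap) if matches_ip_addr(p, addr)])

ORIGINAL = write_pcap([
    _ipv4_frame("192.168.1.10", "10.0.0.5"),
    _ipv4_frame("10.0.0.7", "10.0.0.5"),
    _ipv4_frame("10.0.0.5", "192.168.1.10"),
    b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x06" + b"\x00" * 28,   # ARP frame, no IPv4 header
])
SMALLER = filter_capture(ORIGINAL, "192.168.1.10")
```

Of the four constructed frames only the two that involve 192.168.1.10 survive; the unrelated IPv4 frame and the ARP frame are dropped, just as they would be by the tshark command above.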


Thanks for reading this post.

If you want to reach out, catch me on Twitter!

I am always open to mentoring people, so get in touch.