How to save RTP Streams from Wireshark and Play it using an application called Audacity

Answered Question
Jun 5th, 2012

I use dto do this regularly a couple of years ago and used to know all the steps to get the RTP streams from Wireshark and then save that into a file and then play it using an application called Audacity.

I think the steps I used to do were:

1. In Wireshark - Setup a display filer   for   displaying   RTP only.

2. Then in Wireshark ----> Under  Statistics  -----> Show All Streams -----> Then Analyze ------> Then save Payload as "raw" or "au" can't remember - forward / reverse / both

3. Then play the saved file using Audacity.

Am I clear in stating what I need.

Now when I do the above I can't play the file with Audacity.

Audacity says:

Audacity did not recognise the type of the file. If it is uncompressed, try importing it using "Import Raw".

One has to keep using these to not forget the steps.

Any help much appreciated.

I have this problem too.
0 votes
Correct Answer by Daniele Giordano about 2 years 11 months ago

If you want save and reproduce an audio flow based on RTP G.729 call you can try this procedure:

- save the RTP G.729 Payload in .raw format using wireshark

- convert the .raw file to .pcm using the "open G.729 decoder", see the link http://www.voiceage.com/openinit_g729.php

syntax example:

va_g729_decoder.exe sample.raw sample.pcm.raw

or

wine va_g729_decoder.exe sample.raw sample.pcm.raw (for linux OS)

- import the new .raw file into Audacity using this options:

     - signed 16-bit pc

     - no endianness

     - 1 channel (mono)

     - start offset: 0

     - amount to import: 100%

     - sample rate: 8000

Regards.

Correct Answer by Daniele Giordano about 2 years 11 months ago

I'm agree with you, probably the codec used in the call is not G.711.

What is the signalling protocol used in the call? You can find the codec selected during call setup phase.

What is the codec showed from wireshark?

Regards.

Correct Answer by Daniele Giordano about 2 years 11 months ago

If the RTP stream uses G.711, you can use directly the wireshark audio player:

- in Wireshark - Telephony - Voip Calls

- select a call - then click on Player button

- click on Decode button

- select one or more stream and so click on Play

You can also use RTP analyze tool to save the audio in .au format and play it with Audacity.

If you prefer save the file in .raw format, you can open Audacity and import the file as raw and specify the A-Law codic for G.711A or u-Law coding for G.711u and so the sample frequency equal to 8000 Hz.

Regards.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (14 ratings)
Correct Answer
Daniele Giordano Tue, 06/05/2012 - 05:56

If the RTP stream uses G.711, you can use directly the wireshark audio player:

- in Wireshark - Telephony - Voip Calls

- select a call - then click on Player button

- click on Decode button

- select one or more stream and so click on Play

You can also use RTP analyze tool to save the audio in .au format and play it with Audacity.

If you prefer save the file in .raw format, you can open Audacity and import the file as raw and specify the A-Law codic for G.711A or u-Law coding for G.711u and so the sample frequency equal to 8000 Hz.

Regards.

rob.huffman Tue, 06/05/2012 - 09:30

Hi Daniele,

Great answer here +5 for sure!

Cheers!

Rob

"Show a little faith, there's magic in the night" - Springsteen

astanislaus Tue, 06/05/2012 - 17:03

Thanks for your response.

Very much appreciated. Was very informative.

This is my current situation with 3 your suggestions:

Daniele,

Your suggestion 1’s result:

In Wireshark ----> Under Statistics --->I have VoIP calls.

(I don’t see VoIP calls under Telephony –> may be a different version of Wireshark).

Anyway, there is only one call because the Wireshark had a Capture Filter to track information between one source and one destination IP address. So I select that call and click on Player button and then click on Decode button. Then I select the forward stream (From IP1 to IP2) and click on play and I don’t hear anything at all. All silence. Same when I select the reverse stream from IP2 to IP1 and play.

Your suggestion 2’s result:

In Wireshark ---> Under Statistics ---> I Selected Stream Analysis (Did not select Show All Streams – not sure what the difference is) then ---> Save Payload ----> Select “au” instead of raw and it says – “Can’t save in a file:saving in au format supported only for alaw / ulaw stream

Your suggestion 3’s result:

Saved the file in .raw format. Opened Audacity and imported the file as raw and specified FIRST the A-Law codec for G.711A and selected 8000hz and that didn’t work and SECOND tried the u-Law coding for G.711u and selected the sample frequency again equal to 8000 Hz and that didn't work.

Didn't work means:

When I played the imported information I get all noise (like heavy metallic sound) and no voice.

So my guess is that this capture is neither A-Law or u-Law codec - right. This capture was given to me by a customer.

Any other suggestions – much appreciated Daniele.

Correct Answer
Daniele Giordano Wed, 06/06/2012 - 01:26

I'm agree with you, probably the codec used in the call is not G.711.

What is the signalling protocol used in the call? You can find the codec selected during call setup phase.

What is the codec showed from wireshark?

Regards.

astanislaus Wed, 06/06/2012 - 06:25

Daniele,

Thanks again.

It is G.729. Sorry I should have seen that before in Wireshark.

So is there anyway I can play this using AUdacity or any other application / tool.

Regards

Alphonse

Correct Answer
Daniele Giordano Wed, 06/06/2012 - 10:16

If you want save and reproduce an audio flow based on RTP G.729 call you can try this procedure:

- save the RTP G.729 Payload in .raw format using wireshark

- convert the .raw file to .pcm using the "open G.729 decoder", see the link http://www.voiceage.com/openinit_g729.php

syntax example:

va_g729_decoder.exe sample.raw sample.pcm.raw

or

wine va_g729_decoder.exe sample.raw sample.pcm.raw (for linux OS)

- import the new .raw file into Audacity using this options:

     - signed 16-bit pc

     - no endianness

     - 1 channel (mono)

     - start offset: 0

     - amount to import: 100%

     - sample rate: 8000

Regards.

astanislaus Wed, 06/06/2012 - 17:12

Daniele,

Thanks a lot.

You are a champion.

I really appreciate your help on this issue.

It works.

Thanks again.

Regards

Alphonse

Ayodeji oladipo... Thu, 05/30/2013 - 20:54

Daniele,

This one deserves an endorsement! Excellent ideas. On this note Daniele, do you know how to decode SCCP traffic in wireshark..I spoke to one of the Cisco chaps and I was told that they have a special wireshark version that decodes SCCP traffic...Do you know if there is another way to decode them or the version that can decode sccp packets

Please rate all useful posts

"opportunity is a haughty goddess who waste no time with those who are unprepared"

Yurii_Frolov Tue, 12/10/2013 - 05:36

What is the name this a special wireshark version?

what to do if the RTP stream of g.722?


Ayodeji oladipo... Tue, 12/10/2013 - 06:05

Yuri,

I dont know what the wireshark version is..hece the reason why I asked Danielle but he didnt answer..Lets hope he gets your question and answer US!

Please rate all useful posts

"opportunity is a haughty goddess who waste no time with those who are unprepared"

Jay Schulze Thu, 12/11/2014 - 10:16

I know I'm late on this Ayodeji. But the version you are looking for is 

 

1.10.5-TAC-9

 

You may be able to find it out there.

Ayodeji oladipo... Thu, 12/11/2014 - 10:39

Jay,

Better late than never! Thank you. Do you mind going one step further and let me know where I can get it. It doesn't seem to be on google

Daniele Giordano Fri, 02/07/2014 - 10:29

Sorry for the late. What is your version of wireshark?

Can you add a screenshot or a simple skinny pcap trace.

Regards.

Ayodeji oladipo... Fri, 02/07/2014 - 10:34

Daniele,

Trace attached..

Please rate all useful posts

"The essence of christianity is not the enthronement but the obliteration of self --William Barclay"

Yurii_Frolov Tue, 12/10/2013 - 21:20

what to do if the RTP stream of g.722?

Ayodeji oladipo... Fri, 02/07/2014 - 10:29

Daniele,

How can one decode SCCP packets in Wireshark?

Please rate all useful posts

"The essence of christianity is not the enthronement but the obliteration of self --William Barclay"

Daniele Giordano Fri, 02/07/2014 - 11:09

If your goal is analyze the RTP flow, you can follow these steps:

- right click on one of the UDP packets;

- select "Decode As" from the drop down menu;

w1.PNG

- select "RTP" from protocols list and then click OK;

w2.PNG

- now you can use wireshark built in tools to analyze the flow.

w3.PNG

Let me know if you have a different necessity.

Regards.

Actions

Login or Register to take actions

This Discussion

Posted June 5, 2012 at 12:15 AM
Stats:
Replies:18 Overall Rating:4.5
Views:51692 Votes:0
Shares:4

Related Content