Join us 4-8 November in Vienna for SharkFest'24 EUROPE, the official Wireshark Developer and User Conference
Wireshark logo

Ethereal-users: Re: [Ethereal-users] diplay filter for rtp.payload with 100% silence

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Martin Regner" <martin.regner@xxxxxxxxx>
Date: Sat, 14 Feb 2004 08:32:07 +0100
Andreas Heise wrote:
> I try to set a filter for RTP Payload to find frames wich
> contains a payload with 100% silence (all 240 Bytes=D5)
>
> rtp.payload == D5  --> displays all frames wich contains
> minimum 1 D5, but what must I use for all = D5 like the
> above frame???

If you select one packet where all payload bytes are D5 (e.g. packet 34 in
your capture) you can then select the "Payload: D5D5D5D5D5D5D5D5D5..." row
in the Ethereal packet detail window and use Analyze/Prepare/Selected menu
item to get a display filter that can be used to filter out all the frames
where all 240 bytes are D5.
The filter will then look like this:

rtp.payload ==
d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d
5:d5:
d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d
5:d5:d5:d5:d5:d5:d5:
d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d
5:d5:d5:d5:d5:d5:d5:
d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d
5:d5:d5:d5:d5:d5:d5:
d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d
5:d5:d5:d5:d5:d5:d5:
d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d
5:d5:d5:d5:d5:d5:d5:
d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d
5:d5:d5:d5:d5:d5:d5:
d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5:d5

This method with using Analyze/Prepare/Selected can be really useful to
prepare display filters in some scenarios, but unfortunately it
is not always you get filters that can be really useful.

Another alternative could of course be to write the filter string above in
the filter field in the bottom of the screen (but without CR and/or LF
characters I put in the example above).


<Frame 34 (294 bytes on wire, 294 bytes captured)
<    Arrival Time: Jul 26, 2002 08:19:03.268118000
<    Time delta from previous packet: 1.643045000 seconds
<    Time relative to first packet: 1.643045000 seconds
<    Frame Number: 34
<    Packet Length: 294 bytes
<    Capture Length: 294 bytes
<Ethernet II, Src: 00:04:76:22:20:17, Dst: 00:d0:50:10:01:66

:
:

<Real-Time Transport Protocol
<    Version: RFC 1889 Version (2)
<    Padding: False
<    Extension: False
<    Contributing source identifiers count: 0
<    Marker: True
<    Payload type: ITU-T G.711 PCMA (8)
<    Sequence number: 59133
<    Timestamp: 240
<    Synchronization Source identifier: 3739283087
<    Payload: D5D5D5D5D5D5D5D5D5D5D5D5D5D5D5D5...