Extract Mpeg TS from Wireshark

Question

I need to extract a MPEG-TS stream from a Wireshark capture. I have managed to do this but when I play it back using VLC the output is crappy, it's just a green window with some jitter on the top rows.

Here is how I did it:

1. Captured using ip.dest filter for the multicast stream.
2. Analyze -> Decode As -> UDP port (field), portnumber (value), MP2T (current)
3. Tools Dump MPEG TS Packets.

It does not play out correctly. Is there any other way of doing this

Answer 1

When I need to dump TS from a pcap file I do following:

1. If TS in plain UDP (column protocol shows MPEG TS for each packet) jump to step 3
2. If TS is packed in RTP, right click on any packet -> Decode as -> Choose RTP under field "Current"
3. Use tool MPEG Dump, Tools -> Dump MPEG TS Packets

I do not use MP2T packets decoding, it usually doesn't work.

If the TS is in plain UDP, it can happen that TS packets are shuffled and 4 bits long TS packet field which serves as a continuity counter is not long enough to correctly order TS packets. This can result in corrupted playback of dumped TS.

Answer 2

I've added two filtering options to the original pcap2mpeg.

You can find it on: https://github.com/bugre/pcap2mpegts

So you can:

• filter by udp destination port
• filter by mcast group IP and destination port

for the cases where the captured file has multiple TS on the same IP but on different ports, or on different mcast IP's.

you would run it as:

pcap2mpegts.pl -y -i 239.100.0.1 -p 2000 -l multi_ts_capture.pcap -o single-stream-output.ts

Answer 3

Not using Wireshark, you can use pcap2mpeg.pl. I tested it and it works well if there is a single MPEG stream in the PCAP.

Here is the output of ffprobe on a mpeg file with 2 streams that was successfully extracted:

Input #0, mpegts, from 'test.mpeg':
  Duration: 00:27:59.90, start: 4171.400000, bitrate: 8665 kb/s
  Program 1 
    Metadata:
      service_name    : Service01
      service_provider: FFmpeg
    Stream #0:0[0x100]: Video: h264 (Main) ([27][0][0][0] / 0x001B), yuv420p(progressive), 4096x2176 [SAR 1:1 DAR 32:17], 10 fps, 10 tbr, 90k tbn, 20 tbc
    Stream #0:1[0x1001]: Data: bin_data ([6][0][0][0] / 0x0006)

Answer 4

Here is two alternative variants how you can extract udp payload:

• fastest method, using gstreamer:

  gst-launch-1.0 -v filesrc location="dump.pcap" ! \
    pcapparse dst-ip=239.1.10.6 dst-port=1234 ! \
    filesink location="udp_payload.ts"
  

  Notes:

  • pcapparse not understand pcapng file format, if you have such file you can convert it in Wireshark or with mergecap: mergecap -F pcap -w dump.pcap in.pcapng;
  • pcapparse can filter packets with src-ip, src-port, dst-ip, dst-port in any combination. To see available conversations in dump run the next: tshark -nq -r dump.pcap -z conv,udp.

• slightly slower method (but still fast relative to Wireshark's follow+export), using tshark and xxd tools:

  tshark -r "dump.pcap" -z follow,udp,raw,0 -q |
    grep -Ev '^(Follow|Filter|Node [01]): ' |
    grep -Ev '^={60,80}$' |
    xxd -r -p >"udp_payload.ts"
  

  Notes:

  • tshark filters packets by "stream-index", the first one (0) in the example above;
  • You can select packets more explicitly by setting a filter with the following pattern: follow,udp,raw,<src-ip>:<src-port>,<dst-ip>:<dst-port>;

Both methods work with MPEG TS and any other payload.

Links:

• ask.wireshark.org: Extract TS files from pcap capture .