Trying to export audio from Wireshark can be a pain. But if you practice a few habits, it is a lot easier. If you do a lot of network packet capturing and RTP playback using WireShark for quality troubleshooting in the VOIP field, you have came across the dreaded error “Codec is not supported, file is incomplete”.
You probably have also came across trying to play a stream but the stream is blank.
Also, if you are trying to quickly find out what DSCP is doing, or what country IP’s of a PBX are from, using these tricks can be the difference between frustration and or a lot of clicks or smooth sailing.
My Quick VoIP Tips
If you are really fluent and don’t need much direction, below are the things I do as a practice. If you need to learn what this stuff is and how to do it, read more below.
- Always separate calls into separate files using prepare filter
- Save audio to raw, import with Audacity and convert to mp3
- Add DSCP as a column (see link)
- Add Country iso from MindMax database (see link)
Separate Calls from Captures
I always separate calls from captures because not only does it make processing packets faster, but you can play streams that just wont even play when you have larger captures. Regardless of computer you are using.
The first image is what you see when you try and play stream on a large capture. Second image is what you see when you have done a prepare filter on the call, export visible, and reopened those exact same packets and clicked play stream again.
If you dont know how to do any of this, Ill walk you through it.
- Open your capture, click Telephony >> VoIP Calls
- Wait fo the “Recalculating statistics on all packets” to complete. you will see this on the bottom of WireShark.
- Now you should see the WireShark – VoIP Calls screen.
- Click on the call you want to listen to and click the Prepare Filter button. Wait for Filtering frame number to complete in bottom of WireShark
- Go back to the main WireShark screen, click Filter >> Export Specified Packets >> All Packets >> Displayed and name and save new file.
- Now open the new capture file, go back to Telephony >> VoIP Calls, you will see only one call, and chances are Play Streams will now show you your sound you want to play.
Codec is not supported, file is incomplete
This error from what I suspect has to do with some sort of buffer overflow not handled in WireShark export methods. Probably a memory limit in the programing converting RTP payload to au file type. Regardless of why, there is a trick to avoiding this. Couple simple steps. Without the Trick it is impossible to export long calls to audio.
- save the forward and reverse as raw
- import into Audacity
- Set to Stereo left and right
Saving Forward and Reverse to raw
- Open call capture in WireShark >> Telephony >> RTP >> RTP Streams
- Select both streams and click Analyze
- Click Save >> File Synchronized Forward Audio and change format to Raw
- Repeat for Reverse Audio
Import Raw Files into Audacity
- File >> Import >> Raw Data and select raw file you exported.
- Select Encoding >> U-Law, Channels >> 1 Channel (Mono), Sample rate 8000. (These settings may be different for your phone system, these are Switchvox settings)
- Import
- Repeat for both forward and reverse raw files.
Set Left Right Pan
Finally just drag the sliders for left and right for each audio feed so you can clearly hear both forward and reverse audio.
Thats it for now. If I come up with some more tips, I will update this post. It is very likely that I may do something that is a tip to others but to me it’s just SOP. So feel free to ask me or suggest anything.
