
Let’s say you are a CO Tech/Engineer or an enterprise network engineer who works with Voice over IP (VoIP). Let’s further say that there are issues with one or more users, so you have done a bunch of packet captures, perhaps even used Wireshark’s Ring Buffer capability, and now you want to extract from all those enormous captures only the VoIP-pertinent packets – things like RTP, RTCP, and SIP, perhaps even ICMP. Of course you can do this with display filters, then save the displayed packets in a new file. But what if this could be “automated”, regardless of how many files? And make that quick!
Well, here is my answer – assuming you have a system with Wireshark (and therefore tshark) properly installed. This batch file essentially runs on your desktop. You place all the capture files (.pcap or .pcapng) you want to process in a “captures” folder that you create on your desktop, next to the batch file. Make sure you have cleared out any older files you may have processed this way previously.
Now that the files are in that folder, run the batch file.
It will create a folder called “filtered”, if it does not already exist. In that folder you will find the following:
- “original-filename_sip.pcapng” – these are all the SIP packets
- “original-filename_rtprtcp.pcapng” – these are all the RTP and RTCP packets
- “original-filename_icmp.pcapng” – these are all the ICMP packets
- “original-filename_voip.pcapng” – these are all the SIP and RTP and RTCP and ICMP packets combined
Again, this will be repeated for all the original pcaps in the “captures” folder.
```bat
@echo off
setlocal enabledelayedexpansion
rem -------------------------------------------------------------
rem This is Andy Walding's multi-pcap slicer and dicer for VoIP
rem
rem Version 1, 05/13/26
rem -------------------------------------------------------------
rem Input folder (next to this batch file), output folder, and tshark location
set "INPUT_DIR=captures"
set "OUTPUT_DIR=filtered"
set "TSHARK=C:\Program Files\Wireshark\tshark.exe"
if not exist "%OUTPUT_DIR%" mkdir "%OUTPUT_DIR%"
rem Run the :process subroutine once for every .pcap and .pcapng in the input folder
for %%F in ("%INPUT_DIR%\*.pcap") do (
    if exist "%%~fF" call :process "%%~fF"
)
for %%F in ("%INPUT_DIR%\*.pcapng") do (
    if exist "%%~fF" call :process "%%~fF"
)
echo.
echo Done.
pause
exit /b

rem Subroutine: write the four filtered pcapng files for one capture
:process
set "INFILE=%~1"
set "BASENAME=%~n1"
echo Processing %~nx1...
"%TSHARK%" -r "%INFILE%" -Y "sip" -w "%OUTPUT_DIR%\%BASENAME%_sip.pcapng"
"%TSHARK%" -r "%INFILE%" -Y "rtp or rtcp" -w "%OUTPUT_DIR%\%BASENAME%_rtprtcp.pcapng"
"%TSHARK%" -r "%INFILE%" -Y "icmp or icmpv6" -w "%OUTPUT_DIR%\%BASENAME%_icmp.pcapng"
"%TSHARK%" -r "%INFILE%" -Y "sip or rtp or rtcp or icmp or icmpv6" -w "%OUTPUT_DIR%\%BASENAME%_voip.pcapng"
exit /b
```
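The same slicing as a Python script, added here as an example and not part of Andy's batch file: the four display filters become a table so you can add or change slices in one place, both capture extensions are picked up in a single pass, and tshark is invoked with an argument list rather than a shell command line, so capture file names containing spaces or quotes are passed through safely. It assumes tshark is on PATH or at the default Windows install location; the `captures` and `filtered` folder names match the batch file.

```python
import shutil
import subprocess
from pathlib import Path

# Same four slices as the batch file: output suffix -> Wireshark display filter.
FILTERS = {
    "sip": "sip",
    "rtprtcp": "rtp or rtcp",
    "icmp": "icmp or icmpv6",
    "voip": "sip or rtp or rtcp or icmp or icmpv6",
}
# Default Wireshark install path on Windows (as in the batch file); PATH is tried first.
DEFAULT_TSHARK = r"C:\Program Files\Wireshark\tshark.exe"


def output_path(output_dir, infile, suffix):
    """filtered/<original-filename>_<suffix>.pcapng, the batch file's naming scheme."""
    return Path(output_dir) / f"{Path(infile).stem}_{suffix}.pcapng"


def tshark_command(tshark, infile, output_dir, suffix):
    """argv for one slice; passed as a list, so names with spaces or quotes are safe."""
    return [str(tshark), "-r", str(infile), "-Y", FILTERS[suffix],
            "-w", str(output_path(output_dir, infile, suffix))]


def plan(input_dir="captures", output_dir="filtered", tshark="tshark"):
    """Every tshark invocation for every .pcap/.pcapng in input_dir (not yet executed)."""
    files = sorted(p for p in Path(input_dir).iterdir()
                   if p.is_file() and p.suffix.lower() in (".pcap", ".pcapng"))
    return [tshark_command(tshark, f, output_dir, s) for f in files for s in FILTERS]


def run(commands, output_dir="filtered"):
    """Create the output folder and execute each slice; raise on the first tshark error."""
    Path(output_dir).mkdir(exist_ok=True)
    for argv in commands:
        print(f"Processing {Path(argv[2]).name} -> {Path(argv[-1]).name}")
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    exe = shutil.which("tshark") or DEFAULT_TSHARK
    if not Path(exe).exists():
        raise SystemExit("tshark not found: install Wireshark or add it to PATH")
    run(plan(tshark=exe))
    print("Done.")
```

Run it from the folder that holds `captures`; `check=True` makes a tshark failure (for example an unreadable or truncated capture) stop the run instead of silently producing empty slices.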
Of course you will want to grab my profiles for VoIP in the profiles repository as well.
I hope you make good use of this tool, and if so, let me know how it helps you. Also, let me know of any changes that should be made.
Thanks to the community as always!
