Recording IP transport stream (TS) with Wireshark

📡 Recording the TS traffic input & output

The easiest way to record is to install Wireshark on the computer with FAB DVB Interface.

🖱️ Record using Wireshark GUI Application

Sometimes it is necessary to check the IP transport stream (TS). In such case please save the incoming and outgoing transport stream and send it to FAB for further analysis.

The incoming and outgoing transport IP stream can be recorded with Wireshark following these steps:

In this example FAB DVB Interface is receiving TS on 225.1.1.1:5001 and it is transmitting TS on 225.1.1.11:5011
Make certain that FAB DVB Interface Service is running
Start Wireshark
Select the network interface on which you wish to record the IP transport stream (1.)
Select the filters (2.)
Click on the icon to start recording (3.) as seen in the picture below:

Stop the recording after a minute as seen in the picture below:

Save the recorded IP transport by clicking on “File->Save or Save As…” as seen in the picture below:

If necessary send the recorded IP transport stream file(s) together with the system report to FAB 📧. Instructions on how to create a system report can be found here: Creation of FAB System Report

💻 Record using command line

List ethernet interface to see which one should be used for recording

"C:\Program Files\Wireshark\tshark.exe" -D

Record all traffic for a duration of 30 seconds

"C:\Program Files\Wireshark\tshark.exe" -i 2 -a duration:30 -w c:\0\main.pcapng

Where -i 2 is interface number 2.

Record all UDP traffic coming from 231.29.34.9:5004 for 30 seconds

"C:\Program Files\Wireshark\tshark.exe" -i 2 -a duration:30 -f "udp and dst host 231.29.34.9 and dst port 5004" -w c:\0\main.pcapng

Where -i 2 is interface number 2.

Record all UDP traffic coming from [email protected]:5004 for 30 seconds

"C:\Program Files\Wireshark\tshark.exe" -i 2 -a duration:30 -f "udp and src host 10.29.34.127 and dst host 231.29.34.9 and dst port 5004" -w c:\0\main.pcapng

Where -i 2 is interface number 2.

Note that only traffic will be recorded that is already present on the ethernet interface. Wireshark will not request UDP multicast using IGMP from the ethernet switch.

🔬 Analyzing the pcapng file

You will require Wireshark and TSDuck programs.

List streams contained in the file

"C:\Program Files\TSDuck\bin\tspcap" --list-streams "c:\0\main.pcapng"

The output will be similar to this:

Source             Destination        Protocol  Packets  Data bytes     Bitrate
10.29.34.127:5004  231.29.34.1:5004   UDP        38,225  50,304,100  40,001,070
10.29.34.127:5004  231.29.34.9:5004   UDP        38,224  50,302,784  40,000,023
10.29.34.127:5004  231.29.34.12:5004  UDP        38,224  50,302,784  40,000,023
10.29.34.127:5004  231.29.34.13:5004  UDP        38,225  50,304,100  40,001,070
10.29.34.127:5004  231.29.34.15:5004  UDP        38,225  50,304,100  40,001,070

Convert a stream to a TS file

"C:\Program Files\Wireshark\tshark" -r "c:\0\main.pcapng" -Y "ip.src == 10.29.34.127 && ip.dst == 231.29.34.1 && udp.srcport == 5004 && udp.dstport == 5004" -T fields -e udp.payload | xxd -r -p > C:\0\main.ts

To analyze the TS file TSDuck offers a number of analysis including display of contained PIDs, bitrate and more.