Ask Your Question

Revision history [back]

Using tshark -2 -Y "sip.Method==INVITE" -r input.pcap -w output.pcap works for me. I get four packets in the output file:

1 217.0.21.65 → 84.146.135.221 SIP/SDP 1445 Request: INVITE sip:[email protected]
2 217.0.21.65 → 84.146.135.221 IPv4    1518 Fragmented IP protocol (proto=UDP 17, off=0, ID=38fc)
3 217.0.21.65 → 84.146.135.221 SIP/SDP  591 Request: INVITE sip:[email protected]
4 217.0.21.65 → 84.146.135.221 SIP/SDP 1447 Request: INVITE sip:[email protected]

Using tshark -2 -Y "sip.Method==INVITE" -r input.pcap -w output.pcap works for me. I get four packets in the output file:

> tshark -r C:\temp\out.pcapng -T fields -e frame.number -e ip.src -e ip.dst -e frame.len -e _ws.col.Info
1  217.0.21.65  84.146.135.221 SIP/SDP  1445  Request: INVITE sip:[email protected]
2  217.0.21.65  84.146.135.221 IPv4  1518  1518 Fragmented IP protocol (proto=UDP 17, off=0, ID=38fc)
3  217.0.21.65  84.146.135.221 SIP/SDP  591  Request: INVITE sip:[email protected]
4  217.0.21.65  84.146.135.221 SIP/SDP  1447  Request: INVITE sip:[email protected]