I think the problem is just that you're applying -e raw_sip instead of -e raw_sip.line, which is the only defined field for the raw_sip "protocol". Find all the raw_sip fields at https://www.wireshark.org/docs/dfref/r/raw_sip.html
To make the output a bit more readable, you might want to pipe the output to sed, for example:
tshark -r SIP_CALL_RTP_G711.pcap -2Y sip -T fields -e frame.number -e raw_sip.line | sed s/\\r\\n,/\n/g
This has the unfortunate side effect of causing tshark/sed to hang at the end, so some tweaking may be needed here.
(If you'd rather be able to just specify -e raw_sip and get the output, then sure, go ahead and file a bug report; it can't hurt.)