Hi , I am trying to filter sip traffic using tshark with capture filter option and specific sip from header field value.

asked 2019-12-16 07:58:00 +0000

sreejith
1 ●1 ●1 ●1

updated 2019-12-16 11:02:32 +0000

flag of United Kingdom of Great Britain and Northern Ireland

23790 ●4 ●950 ●227 https://www.wireshark.org

I am using sipp traffic generator and tshark to measure the max bandwidth supported with continous sip traffic in tshark with capture filter option set.

I tried the tshark capture filter with syntax:

 tshark -i en01 -f "sip.From == "sipp <sip:[email protected]:5060>;tag=21633SIPpTag0015893".

But got the error "-bash: syntax error near unexpected token `;'. Could you please kindly suggest.

If I can also get command for bandwidth measurement with tshark it will be helpful.

The same filter worked in wireshark.

edit retag flag offensive close merge delete

add a comment

answered 2019-12-16 11:04:35 +0000

grahamb

23790 ●4 ●950 ●227 https://www.wireshark.org

updated 2019-12-16 11:34:21 +0000

Jaap

13730 ●685 ●115

Assuming that the filter has been correctly transcribed from the GUI, it's a quoting issue that the GUI filter box doesn't have to deal with. Try this:

tshark -i en01 -f 'sip.From == "sipp <sip:[email protected]:5060>;tag=21633SIPpTag0015893"'

Note that the filter now has outer single quotes for bash and inner double quotes for tshark.

edit flag offensive delete link

Comments

Thanks a lot for the kind help !!. The command got accepted with above correction in quotes.

But unfortunately I got another error while executing the command :

"tshark: Invalid capture filter": "sip.From == "sipp. <sip:[email protected]:5060>;tag=21633SIPpTag0015893""!. 
That string looks like a valid display filter; however, it isn't a valid capture filter (syntax error).

The same command worked if I use "-R" option (display filter).

tshark -i en01 -R 'sip.From == "sipp <sip:[email protected]:5060>;tag=21633SIPpTag0015893"'

At present I am not sure if tshark supports capture filter with this condition I saw it accepts filtering packets based on "src port" ie -f "src port 5060" Is it possible could you please suggest if this option for filtering traffic is supported with capture filter option in tshark as I need to do a capture filter with above condition.

sreejith ( 2019-12-16 12:00:37 +0000 )edit

-R is technically a read filter, not a display filter, but yes, it uses the same syntax as display filters. You can read more about Wireshark display filters on the wireshark-filter man page. Capture filters are very different though. Read more about them on the pcap-filter man page.