Ask Your Question
0

Hi , I am trying to filter sip traffic using tshark with capture filter option and specific sip from header field value.

asked 2019-12-16 07:58:00 +0000

updated 2019-12-16 11:02:32 +0000

grahamb gravatar image

I am using sipp traffic generator and tshark to measure the max bandwidth supported with continous sip traffic in tshark with capture filter option set.

I tried the tshark capture filter with syntax:

 tshark -i en01 -f "sip.From == "sipp <sip:[email protected]:5060>;tag=21633SIPpTag0015893".

But got the error "-bash: syntax error near unexpected token `;'. Could you please kindly suggest.

If I can also get command for bandwidth measurement with tshark it will be helpful.

The same filter worked in wireshark.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-12-16 11:04:35 +0000

grahamb gravatar image

updated 2019-12-16 11:34:21 +0000

Jaap gravatar image

Assuming that the filter has been correctly transcribed from the GUI, it's a quoting issue that the GUI filter box doesn't have to deal with. Try this:

tshark -i en01 -f 'sip.From == "sipp <sip:[email protected]:5060>;tag=21633SIPpTag0015893"'

Note that the filter now has outer single quotes for bash and inner double quotes for tshark.

edit flag offensive delete link more

Comments

Thanks a lot for the kind help !!. The command got accepted with above correction in quotes.

But unfortunately I got another error while executing the command :

"tshark: Invalid capture filter": "sip.From == "sipp. <sip:[email protected]:5060>;tag=21633SIPpTag0015893""!. 
That string looks like a valid display filter; however, it isn't a valid capture filter (syntax error).

The same command worked if I use "-R" option (display filter).

tshark -i en01 -R 'sip.From == "sipp <sip:[email protected]:5060>;tag=21633SIPpTag0015893"'

At present I am not sure if tshark supports capture filter with this condition I saw it accepts filtering packets based on "src port" ie -f "src port 5060" Is it possible could you please suggest if this option for filtering traffic is supported with capture filter option in tshark as I need to do a capture filter with above condition.

sreejith gravatar imagesreejith ( 2019-12-16 12:00:37 +0000 )edit

-R is technically a read filter, not a display filter, but yes, it uses the same syntax as display filters. You can read more about Wireshark display filters on the wireshark-filter man page. Capture filters are very different though. Read more about them on the pcap-filter man page.

cmaynard gravatar imagecmaynard ( 2019-12-16 14:49:09 +0000 )edit

Capture filter based on data in packet
https://osqa-ask.wireshark.org/questi...

Have you looked at ngrep ?
https://en.wikipedia.org/wiki/Ngrep

Chuckc gravatar imageChuckc ( 2019-12-16 19:40:13 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2019-12-16 07:58:00 +0000

Seen: 423 times

Last updated: Dec 16 '19