
SIP sip.msg_body showing "1"

asked 2020-04-22 02:11:09 +0000

johann8384

With the tshark command:

tshark -r 60f545a5a8e04c899a1d7f894ec34d42.pcap -T fields -e _ws.col.Info -e _ws.col.Time  -e sip.from.addr -e -e sip.msg_body -T json

I get:

      "_index": "packets-2020-04-22",
      "_type": "pcap_file",
      "_score": null,
      "_source": {
            "layers": {
                "_ws.col.Info": ["Status: 200 OK | "],
                "_ws.col.Time": ["42.017112417"],
                "sip.from.addr": ["sip:foo@foo:5060"],
                "": ["sip:foo@foo:5060"],
                "sip.msg_body": ["1"]

Looking in Wireshark, the sip.msg_body contains some XML I'd like to access.

<?xml version="1.0" encoding="US-ASCII"?>
<msml version="1.1">
    <event name="play.started" id="conf:foo/dialog:annc"/>

Does anyone know what I'm doing wrong to get that msg_body?



If you select the line in the packet details what is the field name displayed in the lower left in the status bar?

Chuckc ( 2020-04-22 03:26:09 +0000 )


johann8384 ( 2020-04-22 13:05:58 +0000 )

1 Answer


answered 2020-04-22 09:32:18 +0000

Jaap

You're not doing anything wrong, but your expectations are different from what is on offer. What you have here is a field that has no value itself. The value "1" is merely an indication that it is present in the packet. It is a node in the tree from which other nodes (protocol items and subtrees) hang. So if you know which specific item you need, look for that filter expression and use that. If you need the complete SIP message, then what you can do is enable the option to display the raw SIP message, and parse your way through that.



And which option is that, to display the raw sip message? I have tried hundreds of permutations of options.

johann8384 ( 2020-04-22 13:05:10 +0000 )

Right-click the Session Initiation Protocol line in the packet details.
Select Protocol Preferences, and on the popup there are options for "Display raw text for SIP message" and "Don't show '\r\n' in raw SIP messages".
The resulting field is raw_sip.line.

Try this in tshark :

$ tshark -r ./*pcapng -Y "raw_sip.line" -T fields -e raw_sip.line

(change *.pcapng to appropriate capture name)

Chuckc ( 2020-04-22 17:05:51 +0000 )

Running that command provides no output. (Ignore root, this is a Docker container so I have the same OS and TShark version as production).

root@9088257333a7:/opt/callfinder# tshark -r 60f545a5a8e04c899a1d7f894ec34d42.pcap -Y "raw_sip.line" -T fields -e raw_sip.line
Running as user "root" and group "root". This could be dangerous.

I had previously been using this command line, and it does 99% of what I want; I just can't seem to get that msg_body field. In this case, msg_body is either missing or "1", and raw_sip.line does nothing.

tshark -r 60f545a5a8e04c899a1d7f894ec34d42.pcap -T fields -e _ws.col.Info -e _ws.col.Time -e sip.from.addr -e sip.msg_body -e sip.Method -e sip.Reason -e sip.Via -e sdp.owner -e raw_sip.line -T json

johann8384 ( 2020-04-22 17:12:51 +0000 )

I possibly made some progress: if I dump the sip.msg_hdr field, the content is present there. This doesn't seem right, but I can probably make it work to get by for my needs.

        "sip.msg_hdr": ["From: <sip:foo@foo:5060>\r\nTo: <sip:foo@foo:5060>r\nCall-ID: 3b19b8171c4cb39271edf18cbcfcf7df@foo\r\nCSeq: 8 INFO\r\nVia: SIP\/2.0\/UDP foo:5060;received=foo;branch=z9hG4bK21ef0175-d712-4c7d-8b16-0723ad973f07_28cd45dd_5f1b8051-9908-4488-8694-ed222a2125ab\r\nAllow: INVITE, CANCEL, ACK, BYE, OPTIONS, INFO, REFER, NOTIFY, UPDATE\r\nUser-Agent: foo\r\nSession-ID: 9b8a69938d314951b803e21fad6e967b\r\nContact: <sip:foo@foo>\r\nContent-Type: application\/msml+xml\r\nContent-Length: 191\r\n\r\n<?xml version=\"1.0\" encoding=\"US-ASCII\"?>\r\n<msml version=\"1.1\">\r\n\t<result response=\"200\"\/>\r\n\t<dialogid>conn:daa24d10-2ccc880a-13c4-65014-691f4-ec5d035-691f4\/dialog:connrec<\/dialogid>\r\n<\/msml>"]
johann8384 ( 2020-04-22 17:34:55 +0000 )

Add -o sip.display_raw_text:TRUE -o sip.display_raw_text_without_crlf:TRUE to the tshark command to get the same changes that the right-click made in the GUI.

Chuckc ( 2020-04-22 17:47:38 +0000 )
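Added example (not code from the thread or from the Wireshark project): given tshark JSON output in the shape shown above, where sip.msg_body is only the "1" presence marker, this splits the full message text from sip.msg_hdr at the blank line, checks Content-Type and Content-Length, and parses the MSML body with the standard library. The sample record is constructed, with placeholder hosts and ids modelled on the thread, and the function name extract_msml_events is my own.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `tshark -T json -e sip.msg_body -e sip.msg_hdr`
# output (not a real capture): one SIP INFO carrying an MSML body.
# Hosts and ids are placeholders modelled on the thread, not real values.
SAMPLE_TSHARK_JSON = r'''[{"_index": "packets-2020-04-22", "_type": "pcap_file", "_score": null,
  "_source": {"layers": {
    "sip.msg_body": ["1"],
    "sip.msg_hdr": ["CSeq: 8 INFO\r\nContent-Type: application/msml+xml\r\nContent-Length: 129\r\n\r\n<?xml version=\"1.0\" encoding=\"US-ASCII\"?>\r\n<msml version=\"1.1\">\r\n\t<event name=\"play.started\" id=\"conf:foo/dialog:annc\"/>\r\n</msml>"]
  }}}]'''


def split_sip_message(msg):
    """Split a raw SIP message into (headers dict, body str) at the CRLF CRLF separator."""
    head, sep, body = msg.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n"):
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return headers, (body if sep else "")


def extract_msml_events(tshark_json):
    """Return one record per packet whose SIP body is MSML, parsed from sip.msg_hdr.

    sip.msg_body is only a presence marker ("1"), so the XML is taken from the
    full message text that tshark emits in sip.msg_hdr instead.
    """
    records = []
    for packet in json.loads(tshark_json):
        layers = packet["_source"]["layers"]
        for raw in layers.get("sip.msg_hdr", []):
            headers, body = split_sip_message(raw)
            if not headers.get("content-type", "").startswith("application/msml+xml"):
                continue  # not an MSML body; skip rather than guess at the payload
            declared = int(headers.get("content-length", "-1"))
            body_bytes = body.encode("utf-8")
            root = ET.fromstring(body_bytes)  # bytes input so the XML encoding decl is honoured
            events = [{"tag": child.tag, **child.attrib} for child in root]
            records.append({
                "cseq": headers.get("cseq"),
                "length_ok": declared == len(body_bytes),  # flags truncated bodies
                "msml_version": root.get("version"),
                "events": events,
            })
    return records
```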
