Ask Your Question
0

SIP Custom field data.text blank or just "Yes"

asked 2017-11-20 20:33:23 +0000

Andromeda gravatar image

Hi,

I have been testing SIP client/server, where I am just sending Instant messages on a local Lan between sip clients... I'm using Wireshark version (2.4.1) on windows 10...And as far I can tell everything works fine all the data I need is captured accordingly...

However I'm new to Wireshark and desperately need to work this out...I want to see at a glance the actual body of the message in a column?

In earlier versions people (i.e https://osqa-ask.wireshark.org/questi... ) have worked out how to display the "data.text" an therefore see the actually message of the Message body in a Custom column field... When I try this , it either shows up blank or just a single word "yes",

If I click a row from this custom column, where it has marked in the field "yes" , clearly down below I can see in plain text, which the user/client has typed...i.e the Message Body

Session Initiation Protocol ->Message Body->Line-Based text data: text/plain ....some information someone sent as an instant message over sip...etc

I have gone to preferences->Protocol->Data->show data as text (is selected)

why does this not work, I can't see why not...Please help

thank you :-)

edit retag flag offensive close merge delete

Comments

Can you publish an example capture file at cloudshark or at any plain file sharing service and edit your Question with a login-free link to it?

sindy gravatar imagesindy ( 2017-11-20 21:31:15 +0000 )edit

But in general, data (and data.text if configured so) are only added to the protocol dissection tree when part of the frame cannot be dissected better than that. So I can imagine that in the meantime between that osqa-ask post and now, dissection of SIP IM body has been added, so you now need to add, as a packet list column, some other field than data.text. Or, if you don't like the way that field is displayed, it may be possible to switch off the dissection of SIP IM body, which would mean that it would again be shown as just data.

sindy gravatar imagesindy ( 2017-11-20 22:00:36 +0000 )edit

Hi and thanks, I have located a field in the detail pane called "Session Initiation Protocol (MESSAGE)", which has sub fields Request-Line, Message Header and Message Body... inside Message Body, sub fields "Line-Based text data: text/plain" with the actual IM text following it...

However Applying as Column, Message Body or any of it's subfields produces the same blank column field..so what am I doing wrong?

Note I do not have this problem with Request-Line or Message Header and any of their sub fields...just problems with Message Body and its subfields....

Andromeda gravatar imageAndromeda ( 2017-11-23 20:39:23 +0000 )edit

You'd have to publish a capture file (it is sufficient if there is just a single packet which does contain the message text inside) to possibly get an explanation. To create a file like this, open your capture in Wireshark, select a packet meeting the requirement in the packet list, go File -> Export Selected Packets and check the Selected packet checkmark. Then specify a file name and press Save. Next, publish that file at Cloudshark or any plain file sharing service and edit your Question with a login-free link to it. If the SIP transport is TCP, this may not be sufficient so in such case, better check by opening the file before uploading it.

sindy gravatar imagesindy ( 2017-11-23 23:08:11 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2017-11-21 06:43:31 +0000

Jaap gravatar image

The best way to setup this column is to use the packet details view. Select any packet in which the text you want to show in a column is in. Then, in the packet details pane, expand the protocol line this text is part of, until you see the text presented in there. Right-click the field with the text and in the menu that pops up click Apply as column. This automatically sets up a column with the applicable expression.

edit flag offensive delete link more

Comments

Thanks for helping me Filter a SIP Instant Message discussion

1) Go to preferences->Protocol->Data->show data as text (is selected)

2) I've captured general network traffic but I want only sip traffic... Right click on the column headers,which is just under the filter "Apply a display filter", -> select column preferences -> Appearance -> Columns -> (+) add a a new column -> double click Title and modify to friendly name "Discussion"... -> double click Type = Custom -> double click fields and enter 'data-text-lines' -> double click field appearance = 0 (i don't know what this means/how to use this but left it at 0)

When filtered like this I get a "yes" in the field only where there is actually typed IM text between the parties, blank elsewhere..i.e "Hi just got your message etc". To clarify... because of (1) , the details pane below displays a field ...(more)

Andromeda gravatar imageAndromeda ( 2017-11-23 20:18:20 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2017-11-20 20:33:23 +0000

Seen: 2,031 times

Last updated: Nov 21 '17

Related questions

Having issues with RTP not showing up in Voip Calls flow sequence in version 2.4.2.

I have SIP with XML (part of SIP Rec capture) that its XML part is not parsed by Wireshark, how do I get Dissector for it?

openvpn malformed

How to import ISUP signaling messages and have it dissected by Wireshark?

SIP call, can't send RTP on bound UDP port after sending ICMP packet

How to capture SIP and RTP traffic

SIP custom headers and LUA

What should be done when detecting faulty frames?

Measuring RTP QoS params from SIPp load test

VOIP Troubleshooting Issue