Ask Your Question
0

How can I extract SIP messages in text format using tshark and raw_sip field?

asked 2018-09-18 18:14:57 +0000

sindy gravatar image

updated 2018-09-18 18:20:20 +0000

I've tried "c:\Program Files\Wireshark\tshark.exe" -r capture-file.pcap -Y sip -T fields -e raw_sip, the output is a wall of lines containing a literal raw_sip. If I add -e sip.Call-ID, I get the Call-ID values in front of the raw_sip.

I understand that the contents of the raw_sip field is a multi-line text, but is there a way I haven't discovered to get the values printed by tshark or should I file a bug? Especially given that the contents of sip.msg_hdr is also a multi-line text and tshark prints it out happily.

edit retag flag offensive close merge delete

Comments

Do you have a small capture file you can share? Also, which version of Wireshark are you using?

cmaynard gravatar imagecmaynard ( 2018-09-18 18:41:55 +0000 )edit

Sure, but I have no Cloudshark account. Any capture file with SIP in it will do, like e.g. this one.

In the meantime I've found an ugly workaround consisting in listing all the aggregate fields available and a separator which can be later substituted by a newline:

-T fields -E separator="°" -e frame.time_epoch -e sip.Request-Line -e sip.Status-Line -e sip.msg_hdr -e sip.msg_body

But if you think it deserves filing a bug, I'll file it.

Version 2.6.3 (v2.6.3-0-ga62e6c27)

sindy gravatar imagesindy ( 2018-09-18 19:44:21 +0000 )edit
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2018-09-18 19:57:09 +0000

cmaynard gravatar image

updated 2018-09-18 20:12:03 +0000

I think the problem is just that you're applying -e raw_sip instead of -e raw_sip.line, which is the only defined field for the raw_sip "protocol". Find all the raw_sipfields at https://www.wireshark.org/docs/dfref/...

To make the output a bit more readable, you might want to pipe the output to sed, for example:

tshark -r SIP_CALL_RTP_G711.pcap -2Y sip -T fields -e frame.number -e raw_sip.line | sed s/\\r\\n,/\n/g

This has the unfortunate side-affect of causing tshark/sed to hang at the end, so some tweaking may be needed here.

(If you'd rather be able to just specify -e raw_sip and get the output, then sure, go ahead and file a bug report; it can't hurt.)

edit flag offensive delete link more

Comments

Oops, I haven't noticed that the raw_sip further drops into a bunch of raw_sip.line . The inconsistency consists in the fact that while the value of the raw_sip field seems to be a text constant raw_sip, the value of sip.msg_hdr are all the header lines, and also the value of sip.msg_body are all the body lines.

I think that with two workarounds available there is no point in wasting developers' time even on reading the bug description :-)

sindy gravatar imagesindy ( 2018-09-18 20:49:49 +0000 )edit

Well, adding a new raw_sip.data (or raw_sip.text) field that gives you everything in one shot like what you'd get in Wireshark when you right-click and Copy … as Printable Text might be nice.

cmaynard gravatar imagecmaynard ( 2018-09-18 20:57:43 +0000 )edit

Bug 15136 filed.

sindy gravatar imagesindy ( 2018-09-19 18:11:03 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2018-09-18 18:14:57 +0000

Seen: 3,150 times

Last updated: Sep 18 '18

Related questions

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark

can I install only tshark?

How do I change the interface on Tshark?

Tshark TCP stream assembly

Tshark output file problem, saving to csv or txt

How to convert Pcapng file to pcap file by Tshark