# How can I extract SIP messages in text format using tshark and raw_sip field?

I've tried `"c:\Program Files\Wireshark\tshark.exe" -r capture-file.pcap -Y sip -T fields -e raw_sip`; the output is a wall of lines containing a literal `raw_sip`. If I add `-e sip.Call-ID`, I get the Call-ID values in front of the `raw_sip`.

I understand that the contents of the `raw_sip` field are multi-line text, but is there a way I haven't discovered to get the values printed by tshark, or should I file a bug? Especially given that the contents of `sip.msg_hdr` are also multi-line text and tshark prints them out happily.


Do you have a small capture file you can share? Also, which version of Wireshark are you using?

(2018-09-18 18:41:55 +0000)

Sure, but I have no Cloudshark account. Any capture file with SIP in it will do, like e.g. this one.

In the meantime I've found an ugly workaround consisting of listing all the aggregate fields available and a separator which can later be substituted by a newline:

```
-T fields -E separator="°" -e frame.time_epoch -e sip.Request-Line -e sip.Status-Line -e sip.msg_hdr -e sip.msg_body
```

But if you think it deserves filing a bug, I'll file it.

Version 2.6.3 (v2.6.3-0-ga62e6c27)

(2018-09-18 19:44:21 +0000)


I think the problem is just that you're applying `-e raw_sip` instead of `-e raw_sip.line`, which is the only defined field for the `raw_sip` "protocol". Find all the `raw_sip` fields at https://www.wireshark.org/docs/dfref/...

To make the output a bit more readable, you might want to pipe the output to sed, for example:

```
tshark -r SIP_CALL_RTP_G711.pcap -2Y sip -T fields -e frame.number -e raw_sip.line | sed 's/\\r\\n,/\n/g'
```

This has the unfortunate side effect of causing tshark/sed to hang at the end, so some tweaking may be needed here.

(If you'd rather be able to just specify -e raw_sip and get the output, then sure, go ahead and file a bug report; it can't hurt.)
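The sed pipeline in the answer above and the `-E separator="°"` workaround in the comments both do the same job: turn tshark's one-record-per-frame field output back into readable multi-line SIP messages. Here is an added, self-contained version of that reshaping (example code, not from the thread or from Wireshark). It assumes, as the sed command does, that tshark prints the CR/LF ending each `raw_sip.line` value as the two-character escape text `\r\n` and joins the aggregated values with its default `,` separator; the input is a constructed sample of that output, so no tshark is needed to run it.

```shell
#!/bin/sh
# Added example, not code from the thread: reshape tshark field output
# (frame.number TAB raw_sip.line values joined by ",") into SIP messages.
# Assumption: tshark renders the CR/LF of every raw line as the literal
# text \r\n, so "\r\n," marks a line boundary inside a record.

# Constructed stand-in for the output of:
#   tshark -r capture.pcap -2Y sip -T fields -e frame.number -e raw_sip.line
# Frame 1 is a three-line request, frame 2 a two-line response. The hosts,
# addresses and Call-ID are made-up sample values.
sample_tshark_output() {
  printf '%s\t%s\n' 1 'INVITE sip:bob@example.net SIP/2.0\r\n,Via: SIP/2.0/UDP 192.0.2.10:5060\r\n,Call-ID: a84b4c76e66710@192.0.2.10\r\n'
  printf '%s\t%s\n' 2 'SIP/2.0 100 Trying\r\n,Call-ID: a84b4c76e66710@192.0.2.10\r\n'
}

# Reads the records on stdin and prints one banner plus the message text
# per frame. Every aggregated value ends in the escape text \r\n, so the
# "\r\n," sequence becomes a real line break and the trailing "\r\n" on the
# last line is dropped.
sip_fields_to_text() {
  awk -F '\t' '{
    msg = $2
    gsub(/\\r\\n,/, "\n", msg)   # boundary between aggregated values
    sub(/\\r\\n$/, "", msg)      # escape left on the final line
    printf "=== frame %s ===\n%s\n", $1, msg
  }'
}

# Counts the reconstructed messages on stdin, so the reshaping can be
# checked mechanically rather than by eye.
count_messages() {
  grep -c '^=== frame '
}

# Usage: with real data, replace sample_tshark_output with the tshark
# command quoted above; everything after the pipe stays the same.
sample_tshark_output | sip_fields_to_text
```

The same filter serves the `°` separator workaround from the comments: swap the `,` in the first `gsub` for the separator you passed to `-E separator=`, and the `frame.time_epoch`/`sip.msg_hdr`/`sip.msg_body` columns reassemble in the same way.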


Oops, I hadn't noticed that the `raw_sip` further drops into a bunch of `raw_sip.line`. The inconsistency consists in the fact that while the value of the `raw_sip` field seems to be a text constant `raw_sip`, the value of `sip.msg_hdr` is all the header lines, and likewise the value of `sip.msg_body` is all the body lines.

I think that with two workarounds available there is no point in wasting developers' time even on reading the bug description :-)

(2018-09-18 20:49:49 +0000)

Well, adding a new `raw_sip.data` (or `raw_sip.text`) field that gives you everything in one shot, like what you'd get in Wireshark when you right-click and Copy … as Printable Text, might be nice.

(2018-09-18 20:57:43 +0000)

Bug 15136 filed.

(2018-09-19 18:11:03 +0000)