Ask Your Question

How can I extract SIP messages in text format using tshark and raw_sip field?

asked 2018-09-18 18:14:57 +0000

sindy gravatar image

updated 2018-09-18 18:20:20 +0000

I've tried "c:\Program Files\Wireshark\tshark.exe" -r capture-file.pcap -Y sip -T fields -e raw_sip, the output is a wall of lines containing a literal raw_sip. If I add -e sip.Call-ID, I get the Call-ID values in front of the raw_sip.

I understand that the contents of the raw_sip field is a multi-line text, but is there a way I haven't discovered to get the values printed by tshark or should I file a bug? Especially given that the contents of sip.msg_hdr is also a multi-line text and tshark prints it out happily.

edit retag flag offensive close merge delete


Do you have a small capture file you can share? Also, which version of Wireshark are you using?

cmaynard gravatar imagecmaynard ( 2018-09-18 18:41:55 +0000 )edit

Sure, but I have no Cloudshark account. Any capture file with SIP in it will do, like e.g. this one.

In the meantime I've found an ugly workaround consisting in listing all the aggregate fields available and a separator which can be later substituted by a newline:

-T fields -E separator="°" -e frame.time_epoch -e sip.Request-Line -e sip.Status-Line -e sip.msg_hdr -e sip.msg_body

But if you think it deserves filing a bug, I'll file it.

Version 2.6.3 (v2.6.3-0-ga62e6c27)

sindy gravatar imagesindy ( 2018-09-18 19:44:21 +0000 )edit

1 Answer

Sort by » oldest newest most voted

answered 2018-09-18 19:57:09 +0000

cmaynard gravatar image

updated 2018-09-18 20:12:03 +0000

I think the problem is just that you're applying -e raw_sip instead of -e raw_sip.line, which is the only defined field for the raw_sip "protocol". Find all the raw_sipfields at

To make the output a bit more readable, you might want to pipe the output to sed, for example:

tshark -r SIP_CALL_RTP_G711.pcap -2Y sip -T fields -e frame.number -e raw_sip.line | sed s/\\r\\n,/\n/g

This has the unfortunate side-affect of causing tshark/sed to hang at the end, so some tweaking may be needed here.

(If you'd rather be able to just specify -e raw_sip and get the output, then sure, go ahead and file a bug report; it can't hurt.)

edit flag offensive delete link more


Oops, I haven't noticed that the raw_sip further drops into a bunch of raw_sip.line . The inconsistency consists in the fact that while the value of the raw_sip field seems to be a text constant raw_sip, the value of sip.msg_hdr are all the header lines, and also the value of sip.msg_body are all the body lines.

I think that with two workarounds available there is no point in wasting developers' time even on reading the bug description :-)

sindy gravatar imagesindy ( 2018-09-18 20:49:49 +0000 )edit

Well, adding a new (or raw_sip.text) field that gives you everything in one shot like what you'd get in Wireshark when you right-click and Copy … as Printable Text might be nice.

cmaynard gravatar imagecmaynard ( 2018-09-18 20:57:43 +0000 )edit

Bug 15136 filed.

sindy gravatar imagesindy ( 2018-09-19 18:11:03 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2018-09-18 18:14:57 +0000

Seen: 2,364 times

Last updated: Sep 18 '18