This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Howto find unanswered SIP requests

0

Hi!

Does someone know if it is possible to find, and show, all SIP requests without any responses? With a filter or with any other Wireshark functions?

In this case I would like to find all initial INVITES without any 100 Trying or other responses.

Thanks in advance!
Andreas

asked 04 Sep '15, 06:51

Andreas J

This won't work if the INVITE is sent over a reliable transport like TCP, but I used to use "sip.resend == 1" to detect when no response made it back to the client. You can narrow it down to INVITE transactions by adding to the filter, e.g. 'and sip.Method == "INVITE"'.

(08 Sep '15, 06:43) MartinM

One Answer:

0

That sounds like a good candidate for Mate

Example for SIP

https://wiki.wireshark.org/Mate/Library#SIP

See the answers to similar questions:

https://ask.wireshark.org/questions/32031/tool-to-identify-unanswered-sip-messages

Regards
Kurt

answered 07 Sep '15, 17:10

Kurt Knochner ♦

Hi!

Thanks for the answers.

SIP is over TCP in my case, but I will check with resend later on when UDP is used.

MATE seems to be the solution, and I created the following configuration:

    Pdu sip_pdu Proto sip Transport ip {
        Extract addr From ip.addr;
        Extract call_id From sip.Call-ID;
        Extract method From sip.Method;
        Extract status_code From sip.Status-Code;
        Extract branch From sip.Via.branch;
    };

    Gop sip_req On sip_pdu Match (addr, addr, call_id, branch) {
        Start (method="INVITE");
        Stop (status_code=100);
    };

Then I could filter on:

    mate.sip_req.NumOfPdus == 1

And I got all parts of a transaction with only one INVITE message. (Be aware this configuration is not covering all cases.)

See page Wireshark Mate, which seems not up to date but it is possible to understand anyway.

Regards Andreas

(08 Sep '15, 22:41) Andreas J
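The same Call-ID plus Via branch matching can be done outside Wireshark on exported fields. The script below is an added example, not part of the original thread: it goes a little beyond the MATE configuration by treating any response as an answer and by checking sip.CSeq.method (a field not used in the post) so that a reply to a CANCEL is not counted as a reply to the INVITE. The sample rows, the function name and the capture file name are assumptions made for illustration.

```python
# Row layout matches the tab-separated output of (capture.pcap is a placeholder):
#   tshark -r capture.pcap -Y sip -T fields -e frame.number -e sip.Call-ID \
#       -e sip.Via.branch -e sip.Method -e sip.Status-Code -e sip.CSeq.method
# Assumption: one SIP message per frame. tshark joins repeated fields with ",",
# so the first sip.Via.branch value is the topmost Via header.

# Constructed sample rows, not taken from a real capture.
SAMPLE = "\n".join([
    "1\tcall-a@example.invalid\tz9hG4bKaaa1\tINVITE\t\tINVITE",
    "2\tcall-a@example.invalid\tz9hG4bKaaa1\t\t100\tINVITE",    # answered
    "3\tcall-b@example.invalid\tz9hG4bKbbb1\tINVITE\t\tINVITE",
    "4\tcall-b@example.invalid\tz9hG4bKbbb1\tINVITE\t\tINVITE",  # retransmission
    "5\tcall-c@example.invalid\tz9hG4bKccc1,z9hG4bKprx9\tINVITE\t\tINVITE",
    "6\tcall-c@example.invalid\tz9hG4bKccc1,z9hG4bKprx9\tCANCEL\t\tCANCEL",
    # The 200 below answers the CANCEL (same branch), not the INVITE.
    "7\tcall-c@example.invalid\tz9hG4bKccc1,z9hG4bKprx9\t\t200\tCANCEL",
])


def unanswered_invites(rows):
    """Return [(first_frame, call_id, branch, invite_count)] for INVITE
    transactions that never saw a response of any status code."""
    pending = {}      # (call_id, top_branch) -> [first_frame, invite_count]
    answered = set()  # transaction keys that received a response to the INVITE
    for line in rows.splitlines():
        cols = line.split("\t")
        if len(cols) < 6:
            continue  # skip malformed or empty rows
        frame, call_id, branches, method, status, cseq_method = cols[:6]
        key = (call_id, branches.split(",")[0])
        if method == "INVITE":
            entry = pending.setdefault(key, [int(frame), 0])
            entry[1] += 1  # values above 1 mean the INVITE was retransmitted
        elif status and cseq_method == "INVITE":
            answered.add(key)
    return [(first, cid, br, n)
            for (cid, br), (first, n) in pending.items()
            if (cid, br) not in answered]


if __name__ == "__main__":
    for frame, call_id, branch, count in unanswered_invites(SAMPLE):
        print(f"frame {frame}: INVITE {call_id} branch={branch} "
              f"sent {count}x, no response")
```

A sudden rise in unanswered INVITEs from one source or towards one destination is worth checking against firewall and SBC logs, since it usually points to dropped signalling or requests that the far end silently ignores.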

Good to hear that Mate worked for you!

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(08 Sep '15, 23:08) Kurt Knochner ♦