This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I get a partially-collapsed packet detail display from TShark?

0

I'm using the tshark protocol filter as I need to parse the contents of the SIP packets.

tshark -r [email protected] -O sip

I get this:

Frame 14: 553 bytes on wire (4424 bits), 553 bytes captured (4424 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 4.4.4.4 (4.4.4.4), Dst: 3.3.3.3 (3.3.3.3)
User Datagram Protocol, Src Port: 5060 (5060), Dst Port: 5060 (5060)
Session Initiation Protocol (200)
    Status-Line: SIP/2.0 200 OK
        Status-Code: 200
        [Resent Packet: False]
        [Request Frame: 11]
        [Response Time (ms): 115]
        [Release Time (ms): 115]
    Message Header
        Via: SIP/2.0/UDP 2.2.2.2:5060;received=3.3.3.3;branch=z9hG4bK18f6609d-1c76-4a8b-a96b-2cf7d8036d36_6772d868_3067109296759172
            Transport: UDP
            Sent-by Address: 2.2.2.2
            Sent-by port: 5060
            Received: 3.3.3.3
            Branch: z9hG4bK18f6609d-1c76-4a8b-a96b-2cf7d8036d36_6772d868_3067109296759172
        Contact: <sip:[email protected]:17060>
            Contact URI: sip:[email protected]:17060
                Contact URI User Part: 14082186500
                Contact URI Host Part: 1.1.1.1
                Contact URI Host Port: 17060
        To: <sip:[email protected];user=phone>;tag=83174026
            SIP to address: sip:[email protected];user=phone
                SIP to address User Part: 14082186500
                SIP to address Host Part: spicyramen.ippbx.com
                SIP To URI parameter: user=phone
            SIP to tag: 83174026
        From: <sip:[email protected]>;tag=87638703_6772d868_18f6609d-1c76-4a8b-a96b-2cf7d8036d36
            SIP from address: sip:[email protected]
                SIP from address User Part: anonymous
                SIP from address Host Part: sip.ie1.sipprovider.com
            SIP from tag: 87638703_6772d868_18f6609d-1c76-4a8b-a96b-2cf7d8036d36
        Call-ID: [email protected]
        CSeq: 44365 BYE
            Sequence Number: 44365
            Method: BYE
        User-Agent: 3CXPhoneSystem 14.0.44198.522 (44097)
        Content-Length: 0

As you can see, the output is not collapsed. I want to see something like this:

Frame 14: 553 bytes on wire (4424 bits), 553 bytes captured (4424 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 4.4.4.4 (4.4.4.4), Dst: 3.3.3.3 (3.3.3.3)
User Datagram Protocol, Src Port: 5060 (5060), Dst Port: 5060 (5060)
Session Initiation Protocol (200)
    Status-Line: SIP/2.0 200 OK
    Message Header
        Via: SIP/2.0/UDP 2.2.2.2:5060;received=3.3.3.3;branch=z9hG4bK18f6609d-1c76-4a8b-a96b-2cf7d8036d36_6772d868_3067109296759172
        Contact: <sip:[email protected]:17060>
        To: <sip:[email protected];user=phone>;tag=83174026
        From: <sip:[email protected]>;tag=87638703_6772d868_18f6609d-1c76-4a8b-a96b-2cf7d8036d36
        Call-ID: [email protected]
        CSeq: 44365 BYE
        User-Agent: 3CXPhoneSystem 14.0.44198.522 (44097)
        Content-Length: 0

asked 04 Sep '15, 08:58


spicyramen
accept rate: 0%

edited 05 Sep '15, 19:58


Guy Harris ♦♦


2 Answers:

0

Nothing that you can do from tshark, but you could remove the lines that you don't want with grep, e.g.

tshark -r file.pcap -O sip | grep -v -e "Contact URI" -e "SIP from" -e "SIP to"

or use a file if there are too many patterns.

answered 06 Sep '15, 04:19


Roland
accept rate: 13%

edited 06 Sep '15, 06:30

0

Wireshark
You can use Wireshark to do the job.
Apply a display filter:
sip

Go to the Packet Details pane.
Expand "Session Initiation Protocol"
Expand Request-Line, Message Header and Message Body* (do not Expand Subtrees)
Go to File - Export - Export Packet Dissections... - As "Plain Text" File...
Packet Format section: select "Packet Summary Line" and "Packet Details: As Displayed"
Add a file name and save the file

*Note
I have used sample file: aaa.pcap
Message Body: see packet 223

TShark
You can use -T fields and add all the fields you need.
For example:
tshark -r aaa.pcap -Y sip -E header=y -E separator="?" -T fields -e frame.number -e sip.Request-Line -e sip.r-uri -e sip.Via -e sip.From -e sip.To -e sip.Call-ID -e sip.Contact -e sip.Expires -e sip.CSeq -e sip.User-Agent -e sip.Content-Length > aaa.csv

answered 06 Sep '15, 09:28


joke
accept rate: 9%