This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark output with port number

0

greetings!

I'd like to know if it's possible to make tshark output packets with port number. For example, I use the following command:

tshark -R "ip.addr==1.1.1.1"

and I get:

163.742781 2.2.2.2 -> 1.1.1.1 SIP Request: INVITE sip:[email protected];user=phone

163.743301 1.1.1.1 -> 2.2.2.2 ICMP Destination unreachable (Port unreachable)

and here I don't see what port the INVITE was sent to. Is there an option to have a port in the output?

Thanks

asked 13 Dec '12, 02:00

ky4k0b's gravatar image

ky4k0b
11336
accept rate: 0%

One Answer:

1

You could try to build your own customized output.

tshark -r input.cap -R "ip.add == 1.1.1.1" -T fields -e frame.number -e frame.time -e ip.src -e ip.dst -xxx

where XXX is all SIP/VOIP fields you are interested in. The port number would be sdp.media.port (-e sdb.media.port). You will get all available fields with

tshark -G fields

Suggestion (please adjust to your needs!)

tshark -r input.cap -R "ip.addr == 1.1.1.1" -T fields -e frame.number -e frame.time_delta -e ip.src -e ip.dst -e "sip.Request-Line -e sdp.media.port

BTW: the ICMP port unreachable message directly after the SIP INVITE makes me believe, that your system 1.1.1.1 does not accept traffic to port UDP 5060 (SIP) and thus it sends a "port unreachable" message.

Regards
Kurt

answered 14 Dec '12, 07:19

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

thanks a lot Kurt!

I knew that I can do it with -e flag and add custom params. I was just wondering if there's a dummy mode (like another flag) to display port in the output :)

(20 Dec '12, 02:13) ky4k0b

well, you can use the option -V or -T pdml but then you get a lot of data and you need some script to extract the parts you are interested in.

(20 Dec '12, 03:34) Kurt Knochner ♦