This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SIP messages per user

0

Hi folks,

Is there any possibility in Wireshark by using a special filter or a combination of some to show an overview of the number of SIP messages per user or endpoint? Trying to figure it out for SBC settings but with hundreds of thousands of IP endpoints you're soon bored somehow.

Greetz Marzen

asked 14 Aug '13, 08:19

Marzen


One Answer:

0

You can use tshark in conjunction with a Perl/Python script to extract the information you are interested in.

tshark -nr sip.pcap -Y "sip" -T fields -E header=y -E separator=";" -e frame.time -e ip.src -e ip.dst -e sip.from.addr -e sip.to.addr -e sip.Call-ID

See the SIP filter reference for more fields.

Output (generated from a test file):

frame.time;ip.src;ip.dst;sip.from.addr;sip.to.addr;sip.Call-ID
Apr 12, 2012 17:40:15.711324000;192.168.0.10;216.234.64.8;sip:[email protected];sip:[email protected];C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a
Apr 12, 2012 17:40:15.755652000;216.234.64.8;192.168.0.10;sip:[email protected];sip:[email protected];C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a
Apr 12, 2012 17:40:15.769396000;216.234.64.8;192.168.0.10;sip:[email protected];sip:[email protected];C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a
Apr 12, 2012 17:40:15.882668000;192.168.0.10;216.234.64.8;sip:[email protected];sip:[email protected];C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a
Apr 12, 2012 17:40:15.884964000;192.168.0.10;216.234.64.8;sip:[email protected];sip:[email protected];C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a
Apr 12, 2012 17:40:15.931983000;216.234.64.8;192.168.0.10;sip:[email protected];sip:[email protected];C5570127C1A6A1ABF7ED9DB9AD608CE00xc0a8000a

Regards
Kurt

answered 20 Aug '13, 02:44

Kurt Knochner ♦

edited 20 Aug '13, 02:53
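
One way to do the counting that the answer leaves to a script, as an added example that is not part of the original answer: it tallies SIP messages per From URI and per sending IP from tshark field output. It assumes the semicolon-separated format with a header line shown above (tshark's `-E header=y -E separator=";"`); the function names and the sample rows are constructed for illustration.

```python
import csv
from collections import Counter

FIELDS = ["frame.time", "ip.src", "ip.dst",
          "sip.from.addr", "sip.to.addr", "sip.Call-ID"]

# Constructed sample in the format shown above (not taken from a real capture).
SAMPLE = """\
frame.time;ip.src;ip.dst;sip.from.addr;sip.to.addr;sip.Call-ID
Apr 12, 2012 17:40:15.711324000;192.0.2.10;198.51.100.8;sip:alice@example.com;sip:bob@example.com;call-1
Apr 12, 2012 17:40:15.755652000;198.51.100.8;192.0.2.10;sip:alice@example.com;sip:bob@example.com;call-1
Apr 12, 2012 17:40:16.100000000;192.0.2.10;198.51.100.8;sip:alice@example.com;sip:bob@example.com;call-1
Apr 12, 2012 17:40:17.200000000;192.0.2.11;198.51.100.8;sip:Carol@EXAMPLE.com;sip:bob@example.com;call-2
Apr 12, 2012 17:40:17.300000000;198.51.100.8;192.0.2.11
"""

def normalize_uri(uri):
    """Lower-case scheme and host; the user part of a SIP URI is case-sensitive."""
    scheme, _, rest = uri.strip().partition(":")
    user, at, host = rest.rpartition("@")
    return f"{scheme.lower()}:{user}{at}{host.lower()}"

def count_sip_messages(lines):
    """Return (per_user, per_endpoint, skipped) for semicolon-separated tshark rows."""
    per_user, per_endpoint, skipped = Counter(), Counter(), 0
    for row in csv.reader(lines, delimiter=";", quoting=csv.QUOTE_NONE):
        if row == FIELDS:            # header line from -E header=y
            continue
        if len(row) != len(FIELDS) or not row[1] or not row[3]:
            skipped += 1             # truncated row or missing source/From field
            continue
        per_endpoint[row[1]] += 1                # ip.src: host that sent this message
        per_user[normalize_uri(row[3])] += 1     # From URI: responses repeat the caller's From
    return per_user, per_endpoint, skipped

if __name__ == "__main__":
    import sys
    # Read piped tshark output if present, otherwise fall back to the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    users, endpoints, skipped = count_sip_messages(source)
    for title, counter in (("user", users), ("endpoint", endpoints)):
        for key, n in counter.most_common():
            print(f"{n:8d}  {title:8s}  {key}")
    print(f"skipped rows: {skipped}", file=sys.stderr)
```

Because a SIP response repeats the From header of its request, the per-user count attributes every message of a transaction to the originating user, while the per-endpoint count reflects which host actually sent each packet.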