Question about Filter the SIP by tshark

Question

I want to get all sip message in .pcap file.

I use ""tshark -r c:\a.pcap -Y sip -z "sip,stat,ip.addr==10.10.10.3" -w a.txt""

But the out put will like

? h 5? ??H H Cv w蝴皝? E :P| €璦+??&踦SIP/2.0 100 Trying

Via: SIP/2.0/UDP 10.10.10.43;rport=5060;branch=z9hG4bK+PhOpZMrrpHouo

From: "7000" sip:[email protected];tag=Qklz17s+TogPIm

It will have some broken message.

I want all the out put like shown:

INVITE [email protected] SIP/2.0,

P-Preferred-Identity: [email protected],

Via: Calling UE IP :Port,

Route: P-CSCF address,

Route: S-CSCF address,

Contact: Calling UE IP :Port,

SDP: Caller Supported Codec List

can some one tell me how to set the tshark parameter?

Answer 1

tshark -r c:\a.pcap -Y sip -z "sip,stat,ip.addr==10.10.10.3" -w a.txt

-w a.txt will write a pcap file of the filtered frames! If you want the text output of -z "sip,stat" you should run tshark like this.

tshark -r c:\a.pcap -Y sip -z "sip,stat,ip.addr==10.10.10.3" > a.txt

===================================================================
SIP Statistics with filter ip.addr==x.x.x.x
Number of SIP messages: 10
Number of resent SIP messages: 0


SIP Status Codes in reply packets
SIP 180 Ringing         :     2 Packets
SIP 200 OK              :     2 Packets
SIP 100 Trying          :     2 Packets


List of SIP Request methods
INVITE          :     2 Packets
ACK             :     1 Packets
REGISTER        :     1 Packets


Average setup time 8525 ms
Min 8525 ms
Max 8525 ms
===================================================================

However, that gives only statistics, not the whole SIP call flow!! If you need that, please add a comment.

Regards
Kurt