Howto find unanswered SIP requests

Question

Hi!

Does someone knows if it is possible to find, and show, all SIP requests without any responses? With a filter or with any other Wireshark functions?

In this case I would like to find all initial INVITES without any 100 Trying or other responses.

Thanks in advanced! Andreas

Accepted Answer

0

That sounds like a good candidate for Mate

Example for SIP

https://wiki.wireshark.org/Mate/Library#SIP

See the answers to similar questions:

https://ask.wireshark.org/questions/32031/tool-to-identify-unanswered-sip-messages

Regards
Kurt

answered 07 Sep '15, 17:10

Kurt Knochner ♦
24.8k●10●39●237
accept rate: 15%

Hi!

Thanks for the answers.

SIP is over TCP in my case, but I will check with resend later on when UDP is used.

MATE seems to be the solution, and I created the following configuration:

Pdu sip_pdu Proto sip Transport ip {
Extract addr From ip.addr;
Extract call_id From sip.Call-ID;
Extract method From sip.Method;
Extract status_code From sip.Status-Code; 
Extract branch From sip.Via.branch;

};

Gop sip_req On sip_pdu Match (addr, addr, call_id, branch) {
Start (method="INVITE");
Stop (status_code=100);

};

Then I could filter on:

mate.sip_req.NumOfPdus == 1

And I got all parts of a transaction with only one INVITE message. (Be aware this configuration is not covering all cases.)

See page Wireshark Mate, which seems not up to date but it is possible to understand anyway.

Regards Andreas

(08 Sep '15, 22:41) Andreas J

good to hear that Mate worked for you!

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(08 Sep '15, 23:08) Kurt Knochner ♦