This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to group subscribe-notify SIP messages?

0

Hi All,

I am new wireshark and SIP user :). I want to know that is there some way I can group all the SUBSCRIBE-NOTIFY messages and find response times of NOTIFY for the SUBSCRIBE.

What I already tried is that I added CallId as column and sorted, this apparently shows the related SUBSCRIBE/200/NOTIFY together. Then there's response time in 200, I added that also as the column, now I can see the response time of 200 but still for Notify I need to manually calculate. See image.alt text

I think flow view can do that but I am testing it from single machine using SIPP therefore the flow, UDP stream shows all the traffic together.

I can provide the sample pcap too if required.

Thanks, Surya

asked 16 Feb '16, 22:55

suryaveer's gravatar image

suryaveer
6113
accept rate: 0%

One Answer:

0

You could use MATE for this purpose, grouping the SUBSCRIBE, NOTIFY, and their relevant 200s by sip.Call-ID and calculating the response time as a difference of the frame.time_epoch fields of the two requests, but I'm sure that use of SIPP's own tools for the purpose will require much less initial effort.

answered 17 Feb '16, 00:58

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

Thanks for your answer. I understand SIPP already provide this feature and I am using that but in SIPP I am noticing really high response times, therefore, I just want to verify when the message enters the presence server and when the response leaves.

(17 Feb '16, 10:09) suryaveer

Need help!! I tried something but don't know what exactly I did and what to do next.

Pdu sip_pdu Proto sip Transport ip {
    Extract call_id From sip.Call-ID ;
};
Gop sip On sip_pdu Match (call_id) {
Start(method {"SUBSCRIBE"|"NOTIFY"});
Stop(never);
};

This added a new MATE tree in packet details view as:

MATE sip_pdu:9
--sip_pdu:9
----sip_pdu time: 39.9063
----sip_pdu Attributes
-------call_id: 1-123
(17 Feb '16, 19:44) suryaveer

Sorry for

calculating the response time as a difference of the frame.time_epoch fields of the two requests

This is actually something MATE does for you automatically.

I think you forgot to

Extract method From sip.Method ;

so the Start has nothing to catch on.

(but please do not add the method to the Gop sip On...)

The next thing you need to do is to change your Start and Stop clauses the following way:

Start(method {"SUBSCRIBE"});
Stop(method {"NOTIFY"});

If you do that, MATE will create for you (among others) an item mate.sip.Duration in the tree, containing the time elapsed between the SUBSCRIBE (Start) and NOTIFY (Stop) messages.

So to see the round-trip times in Wireshark, you should be able to make mate.sip.Duration a column in the packet list, and by applying a display filter

sip.Method == "NOTIFY"

you would display only the frames carrying the NOTIFY.

For tshark, you should be able to use

-Y "sip.Method = \"NOTIFY\"" -T fields -e mate.sip.Duration

to output only the response times, so that you could then use some post-processing to analyze them.

Be aware that things go confusing very quickly if your capture contains more than a single NOTIFY per each SUBSCRIBE; you would have to add additional conditions to the display filter so that the proper (i.e. the first) NOTIFY packets would be displayed, such as sip.CSeq.seq == 1 if your server numbers CSeq from 1 in each dialog.

(17 Feb '16, 22:16) sindy

OK, so one more correction after I've found a minute to check it. The distance between the SUBSCRIBE and the first NOTIFY is the mate.sip.Time (displayed in the MATE tree as "sip hold time").

There is a difference in behaviour between Wireshark and tshark:

  • in Wireshark, the sip.mate.Time is shown already in the SUBSCRIBE (both in packet dissection pane and packet list pane if added there as column);

  • in tshark's output, it is not shown until the first NOTIFY is processed; to my surprise, use of -2 (two-pass analysis) has caused it to not to be shown at all instead of causing it to be shown already for the SUBSCRIBE.

The idea was to use -Y "sip.Method == SUBSCRIBE" rather than -Y "sip.Method == NOTIFY and sip.CSeq.seq == 1 to output a single sip.mate.Time value per dialog but it has failed.

(18 Feb '16, 13:43) sindy

@sindy Hey, thanks. I didn't get a notification so totally missed this. I'll try this and get back.

(19 Feb '16, 18:18) suryaveer

As what tshark does (no MATE fields are output at all if you use -2) seems to be a regression preventing you from displaying the mate.sip.Time for the SUBSCRIBE packet, the workaround to display that field only once per each dialog if more than one NOTIFY packet belongs to a dialog is to use the following display filter:

-Y "sip.Method == \"NOTIFY\" and mate.sip_pdu.TimeInGop == mate.sip.Time"

(22 Feb '16, 08:16) sindy
showing 5 of 6 show 1 more comments