How To Make Display Filter Accommodate More Strings

Question

Hi For SIP, I'll like to separate Rejected Calls, Cancelled Calls and Completed Calls and save as separate trace captures. So on menu, I open the 'Telephony --> VoIP Calls'. I sort by State. Highlight all Rejected Calls [as an example] and click 'prepare filter' button. Wireshark prepares the filter based on Call ID. For very long filter strings, it shows red. It appears Wireshark has a LIMIT to the display filter string. Please how do I increase it, so that the display filter accepts more string?

alt text

Thanks in Advance

Accepted Answer

While this is not an answer to the exact wording of your question, it could be an answer to your actual need. You may use MATE to augment all SIP messages belonging to a given SIP dialog with the response code to the initial INVITE of that dialog, and then use this pseudo-field in display filter to display all messages of all dialogs whose initial INVITE has been responded by a given response. So you would e.g. use mate.sip_dialog.rsp_code == 486 to display only messages belonging to SIP dialogs which have failed with "busy here".

The mate configuration looks as follows:

Transform rmv_rq_cseq {
    Match (to_tag, rq_cseq) Replace ();
    Match (method="INVITE");
    Match (rq_cseq) Replace ();
};
Transform rmv_low_rc {
Match (rsp_code^"1") Replace ();
Match (rsp_code="401") Replace ();
Match (rsp_code="407") Replace ();
};
Transform rmv_rsp_code {
Match (rq_cseq);
Match (rsp_code) Replace ();
};
Pdu sip_pdu Proto sip Transport ip {
Extract rsp_code From sip.Status-Code;
Extract call_id From sip.Call-ID;
Extract rq_cseq From sip.CSeq.seq;
Extract method From sip.Method;
Extract to_tag From sip.to.tag;
Extract cseq From sip.CSeq;
Transform rmv_rq_cseq, rmv_low_rc;
};
Gop sip_xaction On sip_pdu Match (call_id,cseq) {
Start (method);
Stop (rsp_code);
Extra (call_id, rq_cseq, rsp_code);
Transform rmv_rsp_code;
};
Gog sip_dialog {
Member sip_xaction (call_id);
Extra (rsp_code);
Expiration 86400.0;
};

Answer 2

The generated display filter is too long, as a workaround you can try to replace long filters such as

 (sip.Call-ID == "40befb2f61f6f2021ed5") or (sip.Call-ID == "233bc04c777e49e8e81e")

by this filter (where the Call IDs are abbreviated to a substring):

(sip.Call-ID contains "40befb2f") or (sip.Call-ID contains "233bc04c")

The string can even be shortened further using a regular expression:

sip.Call-ID matches "(40befb2f|233bc04c)"

The first to second conversion can be done with this Python script (save as short.py for example):

#!/usr/bin/env python
# Reads the display filter from console (standard input) and shortens Call-IDs
# to the first 10 characters (see begin and length parameters below).
import sys, re
begin = 0
length = 10
line = sys.stdin.readline()
def repl(match):
    return 'sip.Call-ID contains "%s"' % match.group(1)[begin:begin+length]
print(re.sub('sip.Call-ID == "([^"]+)"', repl, line))