This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TSHARK Display Filter for SIP Call-ID Header Error

0

I am trying to extract the SIP dialog (call) with a specific SIP Call-ID header value. For example, I am trying to run the following command with the noted display filter.

tshark -r Full_SIP-ISDN-GW.pcap -Y "(sip.Call-ID == "[email protected]") or (udp.port==24116 and udp.port==8030)" -w extracted_call.pcap

This display filter works fine in Wireshark, but I am getting the following error when running using in tshark.

tshark: "@" was unexpected in this context.

Does anyone have any ideas on how to get around this?

Thanks in advance.

Travis

asked 29 Mar '17, 12:33

Rooster_50's gravatar image

Rooster_50
23891218
accept rate: 15%

TShark (Wireshark) 2.2.5 (v2.2.5-0-g440fd4d)

(29 Mar '17, 12:38) Rooster_50

One Answer:

1

Most likely you need to escape the quotes for the string. Please give a try to:

tshark -r Full_SIP-ISDN-GW.pcap -Y "(sip.Call-ID == \"[email protected]\") or (udp.port==24116 and udp.port==8030)" -w extracted_call.pcap

answered 29 Mar '17, 13:49

Pascal%20Quantin's gravatar image

Pascal Quantin
5.5k1060
accept rate: 30%

That was it Pascal, many thanks!

(29 Mar '17, 13:58) Rooster_50