This is our old Q&A Site. Please post any new questions and answers at

I am trying to extract the SIP dialog (call) with a specific SIP Call-ID header value. For example, I am trying to run the following command with the noted display filter.

tshark -r Full_SIP-ISDN-GW.pcap -Y "(sip.Call-ID == "[email protected]") or (udp.port==24116 and udp.port==8030)" -w extracted_call.pcap

This display filter works fine in Wireshark, but I am getting the following error when running using in tshark.

tshark: "@" was unexpected in this context.

Does anyone have any ideas on how to get around this?

Thanks in advance.


asked 29 Mar '17, 12:33

Rooster_50's gravatar image

accept rate: 15%

TShark (Wireshark) 2.2.5 (v2.2.5-0-g440fd4d)

(29 Mar '17, 12:38) Rooster_50

Most likely you need to escape the quotes for the string. Please give a try to:

tshark -r Full_SIP-ISDN-GW.pcap -Y "(sip.Call-ID == \"[email protected]\") or (udp.port==24116 and udp.port==8030)" -w extracted_call.pcap
permanent link

answered 29 Mar '17, 13:49

Pascal%20Quantin's gravatar image

Pascal Quantin
accept rate: 30%

That was it Pascal, many thanks!

(29 Mar '17, 13:58) Rooster_50
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 29 Mar '17, 12:33

question was seen: 4,750 times

last updated: 29 Mar '17, 13:58

p​o​w​e​r​e​d by O​S​Q​A