Reputation: 93
I'm using Wireshark to sniff the network and detect the VoIP calls. Detected VoIP calls can be seen from GUI (Telephony->VoIP Calls).
Now I want to get this list from the command line. I searched through the Wireshark documents, but couldn't find a command to do that.
I'm using commands like
tshark -r myFile -R "sip.CSeq.method eq INVITE"
from this topic: Filtering VoIP calls with tshark
Is there a command to show that VoIP call list from the command line, or do I have to parse the outputs and create my own list? Do you suggest any other tool to do that?
Any help would be greatly appreciated.
Upvotes: 2
Views: 2955
Reputation: 1496
I don't know of any way to coax tshark to give you what the Wireshark GUI does. You can do this by post-processing the output from tshark, but it will be a fair amount of work. One approach would be to:
tshark to display the full details of the SIP packets (e.g., with -v)
This is certainly doable, but I wanted you to know what you are getting into.
An alternative to a separate process (that I have no experience with) is to write a Wireshark script in Lua, and invoke that via tshark -Xlua_script:my_script.lua (using a version of tshark compiled with Lua support). An example to help you get started can be found here under the example "Dump VoIP calls into separate files" (or similarly here on Google Code). The advantages are:
For me, the downside is that I would have to learn a new language (not the worst thing in the world).
EDIT: Looks like the SIP dissector in wireshark/tshark can help quite a bit if you use the Lua script approach; for instance, you can inspect sip.response-request on a SIP response to find the packet number of matching request.
Upvotes: 2
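Added example, not part of the original answer: one way to do the post-processing the answer describes, grouping tshark's per-packet SIP fields by Call-ID into a call list. The tshark invocation in the comment, the function name `build_call_list`, the state labels and the sample rows are assumptions made for illustration.

```python
# Assumed input: tab-separated rows from a command such as
#   tshark -r myFile -Y sip -T fields -e frame.time_relative -e sip.Call-ID \
#     -e sip.from.addr -e sip.to.addr -e sip.Method -e sip.Status-Code -e sip.CSeq.method
# (older tshark releases use -R where newer ones use -Y).
A, B, C = "sip:alice@example.com", "sip:bob@example.com", "sip:carol@example.com"
# Constructed sample rows, not taken from a real capture.
SAMPLE = "\n".join("\t".join(r) for r in [
    ("0.00", "a1", A, B, "INVITE", "", "INVITE"),
    ("0.30", "a1", A, B, "", "180", "INVITE"),
    ("2.10", "a1", A, B, "", "200", "INVITE"),
    ("2.15", "a1", A, B, "ACK", "", "ACK"),
    ("3.00", "b2", C, B, "INVITE", "", "INVITE"),
    ("3.20", "b2", C, B, "", "486", "INVITE"),
    ("4.00", "c3", A, A, "REGISTER", "", "REGISTER"),
    ("5.00", "d4", B, A, "INVITE", "", "INVITE"),
    ("8.00", "d4", B, A, "CANCEL", "", "CANCEL"),
    ("8.10", "d4", B, A, "", "487", "INVITE"),
    ("12.50", "a1", B, A, "BYE", "", "BYE"),
    ("12.55", "a1", B, A, "", "200", "BYE"),
])

def build_call_list(tsv_text):
    """Group SIP packets by Call-ID; a call starts at the first INVITE seen."""
    calls = {}
    for line in tsv_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed or truncated row
        t, call_id, frm, to, method, status, cseq = fields
        if method == "INVITE" and call_id not in calls:
            calls[call_id] = {"start": float(t), "from": frm, "to": to,
                              "state": "CALL SETUP", "packets": 0}
        call = calls.get(call_id)
        if call is None:
            continue  # SIP outside an INVITE dialog (REGISTER, OPTIONS, ...)
        call["stop"] = float(t)
        call["packets"] += 1
        if status.isdigit() and cseq == "INVITE":   # response to the INVITE
            if 200 <= int(status) < 300:
                call["state"] = "IN CALL"
            elif int(status) >= 300 and call["state"] == "CALL SETUP":
                call["state"] = "REJECTED"
        elif method == "CANCEL":
            call["state"] = "CANCELLED"
        elif method == "BYE":
            call["state"] = "COMPLETED"
    return calls

if __name__ == "__main__":
    for cid, c in build_call_list(SAMPLE).items():
        print(f'{c["start"]:8.2f} {c["stop"]:8.2f} {c["from"]} -> {c["to"]} '
              f'{c["packets"]:3d} pkts  {c["state"]}  ({cid})')
```

The 487 that follows a CANCEL does not overwrite the CANCELLED state, and a 200 whose CSeq method is BYE is not mistaken for the call being answered.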