hikamare

Reputation: 334

Parsing a SIP-packet .cap file to reach "INFO" field

I am trying to parse a pack of SIP frames which are stored in a .cap file. Everything seems to be working smoothly, I read correct data, but there is a small fault which I cannot overcome.

I need to get to the INFO field of each frame to get the information about the number FROM which the call was dialled, and also a TO field to know where the call was made to.

I gather data via tcpdump and store them in a .cap file. While reading the file via Wireshark I can see the field, so I know that it was captured correctly. But I need to automate that process, so I need to omit using WS.

I tried using tshark with the known option -e col.Info (also col.info, which is obviously incorrect), but I constantly get:

tshark: Some fields aren't valid: col.Info

My tshark version is 2.2.6 so it should be working as I read that it is valid in versions higher than 1.5 or somewhere around it.

I also tried ChaosReader to create a .html file and that also worked nicely, still no Info field though. Another way I tried was to use pcap2xml, as I thought that an XML should contain ALL the data from the frame, but that solution also let me down.

I am running out of ideas so I came here for support and new suggestions.

Also: a way of parsing that data in Python would also be a plus, as I want to process this data later using Python. I tried Scapy but I was not able to obtain the data that I need.

Screen of the Wireshark capturing:

Upvotes: 0

Views: 1616

Answers (2)

Christopher Maynard

Reputation: 6264

At the suggestion of pchaigno, I'm posting my earlier comment as an answer, edited a bit.

The Wireshark internal application display filter prefix of "_ws." was introduced beginning with Wireshark 1.12.0, so -e col.Info doesn't work after that release; instead you'll need to use -e _ws.col.Info. This was mentioned in the Wireshark 1.12.0 release notes. See also Comment 1 of Wireshark Bug 10201.

This answer is provided as an alternate way to solve the problem, one that lends itself well to automation and scripting. Here's an example:

tshark -r input.pcap -T fields -e _ws.col.Info -e sip.from.addr -e sip.to.addr

Refer to the tshark man page for more information, where -e _ws.col.Info is even used in one of the examples.

Upvotes: 1

pchaigno

Reputation: 13113

The column field from Wireshark can be outputted by tshark using the -o column:format:"Info","%i" format. To output this column in addition to the to (sip.to.addr) and from (sip.from.addr) addresses of each SIP packet, you can run:

$ tshark -r input.pcap -o 'column.format:"Info","%i","From","%Cus:sip.from.addr","To","%Cus:sip.to.addr"' sip
Request: REGISTER sip:sip.cybercity.dk  (1 binding) |  sip:[email protected] sip:[email protected]
Status: 401 Unauthorized |  sip:[email protected] sip:[email protected]
Request: REGISTER sip:sip.cybercity.dk  (1 binding) |  sip:[email protected] sip:[email protected]

Upvotes: 1
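Since the question also asks for a Python route, here is an added example that is not part of either answer and not the asker's code: a dependency-free parser that reads a classic libpcap file (the format tcpdump -w writes), walks Ethernet/IPv4/UDP, and pulls out the same three things the tshark commands above print: the request or status line (what Wireshark's Info column shows for a SIP packet), plus the From and To URIs the way sip.from.addr / sip.to.addr report them. The embedded capture (sip.example.net, user 1001, the 192.0.2.x and 198.51.100.x addresses, the branch and tag values) is constructed for the demonstration and is not real traffic.

```python
import struct

PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)   # classic libpcap, microsecond / nanosecond timestamps
LINKTYPE_ETHERNET = 1


def pcap_frames(data: bytes):
    """Yield each record's raw frame from a classic libpcap file (the format tcpdump -w writes)."""
    for endian in ("<", ">"):
        if len(data) >= 24 and struct.unpack(endian + "I", data[:4])[0] in PCAP_MAGICS:
            break
    else:
        raise ValueError("not classic pcap (pcapng, which Wireshark saves by default, is not handled)")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break                      # truncated final record: stop rather than mis-parse it
        off += 16 + incl_len
        yield frame


def udp_payload(frame: bytes):
    """Return the UDP payload of an Ethernet/IPv4/UDP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":          # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 17 or len(ip) < ihl + 8:     # IP protocol 17 = UDP
        return None
    udp_len = struct.unpack("!H", ip[ihl + 4:ihl + 6])[0]
    return ip[ihl + 8:ihl + udp_len]


def sip_addr(value: str) -> str:
    """Reduce a From/To header value to its URI, like tshark's sip.from.addr / sip.to.addr."""
    if "<" in value and ">" in value:
        return value[value.index("<") + 1:value.index(">")]
    return value.split(";", 1)[0].strip()


def parse_sip(payload: bytes):
    """Return {'info', 'from', 'to'} for a SIP request or response, or None if it is not SIP."""
    try:
        lines = payload.decode("utf-8").split("\r\n\r\n", 1)[0].split("\r\n")   # headers stop at empty line
    except UnicodeDecodeError:
        return None
    start = lines[0]
    if start.startswith("SIP/2.0 "):         # response: Wireshark's Info column reads "Status: 401 Unauthorized"
        info = "Status: " + start[len("SIP/2.0 "):]
    elif start.endswith(" SIP/2.0"):         # request: Info column reads "Request: REGISTER sip:..."
        info = "Request: " + start[:-len(" SIP/2.0")]
    else:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            name = name.strip().lower()
            headers.setdefault({"f": "from", "t": "to"}.get(name, name), value.strip())  # compact names; first wins
    return {"info": info, "from": sip_addr(headers.get("from", "")), "to": sip_addr(headers.get("to", ""))}


def _frame(src: str, dst: str, sip_text: str) -> bytes:
    """Wrap a SIP message in Ethernet/IPv4/UDP on port 5060 for the constructed sample (checksums left 0)."""
    body = sip_text.encode()
    udp = struct.pack("!HHHH", 5060, 5060, 8 + len(body), 0) + body
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + udp


def sample_pcap() -> bytes:
    """Constructed capture, not real traffic: REGISTER, 401 challenge, REGISTER retry (as in the answers above)."""
    register = ("REGISTER sip:sip.example.net SIP/2.0\r\n"
                "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
                "From: \"Alice\" <sip:1001@sip.example.net>;tag=a73kszlfl\r\n"
                "To: <sip:1001@sip.example.net>\r\nCSeq: 1 REGISTER\r\n\r\n")
    challenge = ("SIP/2.0 401 Unauthorized\r\n"
                 "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
                 "f: \"Alice\" <sip:1001@sip.example.net>;tag=a73kszlfl\r\n"     # compact From
                 "t: <sip:1001@sip.example.net>;tag=b9\r\nCSeq: 1 REGISTER\r\n\r\n")   # compact To
    frames = [_frame("192.0.2.10", "198.51.100.5", register),
              _frame("198.51.100.5", "192.0.2.10", challenge),
              _frame("192.0.2.10", "198.51.100.5", register.replace("CSeq: 1", "CSeq: 2"))]
    out = struct.pack("<IHHiIII", PCAP_MAGICS[0], 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1500000000 + i, 0, len(f), len(f)) + f
    return out


def extract_sip(pcap_bytes: bytes):
    """Same three columns as: tshark -r f.cap -T fields -e _ws.col.Info -e sip.from.addr -e sip.to.addr"""
    payloads = (udp_payload(f) for f in pcap_frames(pcap_bytes))
    messages = (parse_sip(p) for p in payloads if p is not None)
    return [m for m in messages if m is not None]


if __name__ == "__main__":
    for row in extract_sip(sample_pcap()):   # for a real file: extract_sip(open("calls.cap", "rb").read())
        print("%(info)s | %(from)s %(to)s" % row)
```

Caveats worth knowing before relying on this instead of tshark: it handles SIP over UDP on IPv4 only (no TCP/TLS reassembly, no IPv6, no IP fragments), it reads classic pcap only (Wireshark's default save format is pcapng, tcpdump's is pcap), and it reproduces the Info column only as "Request: <method> <URI>" / "Status: <code> <reason>", without decorations Wireshark adds such as the "(1 binding)" suffix seen in the REGISTER lines above. For anything beyond that, the tshark one-liners in the answers remain the safer tool, and the Python side can consume their -T fields output instead.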
