5
votes

I'm analyzing VoIP calls on my network

For now I'm using a generated .pcap file, but later I'll be listening for this in real time.

I'm using tshark, and I can filter some important data pretty easily from the .pcap (like "source IP address and port", "destination IP address and port", payload packets lost, Max Delta (ms), Max Jitter (ms), Mean Jitter (ms)) with

tshark -r myfile -q -z rtp,streams

What I want to know is: how can I get the SIP addresses of a call (client and server)?

I can retrieve some SIP addresses (only the client) by filtering all SIP INVITEs like this:

tshark -r myFile -R "sip.Request-Line contains INVITE"

But i can't get the address of the server.

To clarify a bit, my idea was to get this "statistic" in tshark, like Wireshark gives me when I access "Telephony > VoIP Calls" (the same way that `tshark -r myfile -q -z rtp,streams` returns statistics just like Wireshark's "Telephony > RTP > Show All Streams"). Is there a way to do this? If not with "statistics" (-z), how can I create a filter (-R) that does something similar to the "VoIP Calls" function of Wireshark?

I'm using tshark as I want to work with this data, and not just analyze it on my screen.

Thanks

2

It is unclear exactly what you want/need. Is it something that provides the information "live" during capture? Or just a command-line interface to get the information provided by the "Telephony > VoIP Calls" GUI option? – Toote

2 Answers

5
votes

Try:

tshark -r myFile -R "sip.CSeq.method eq INVITE"

That will filter for the request sent from the client and the corresponding reply from the server.

0
votes

I was in a similar situation and ended up going through tshark man pages.

Command: tshark -r input_file.pcap -q -z sip,stat

Explanation:

-r <infile> : Read packet data from infile

-q : When reading a capture file, don't print packet information; this is useful if you're using a -z option to calculate statistics and don't want the packet information printed, just the statistics.

-z <statistics> : Get TShark to collect various types of statistics and display the result after finishing reading the capture file.

You can additionally add filters to the statistics as well; so, for example, if you want to summarize only the packets that had SIP status code 480, you can do so by:

tshark -r input_file.pcap -q -z sip,stat,sip.Status-Code==480

-z sip,stat[,filter] : This option will activate a counter for SIP messages. You will get the number of occurrences of each SIP Method and of each SIP Status-Code.

In case you want multiple filters, you can add them one by one:

tshark -r input_file.pcap -q -z sip,stat,sip.Status-Code==480 -z sip,stat,sip.Status-Code==500

If you want to summarize by SIP address, you can filter by that:

tshark -r input_file.pcap -q -z sip,stat,sip.to.host==sip-to-host.com

References:

  1. TShark Man Page: https://www.wireshark.org/docs/man-pages/tshark.html
  2. SIP Filters: https://www.wireshark.org/docs/dfref/s/sip.html
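Both answers stop at the tshark command line. To actually work with the data (the asker's stated goal), the usual pattern is to export the SIP fields with `-T fields` and post-process them. The script below is an added example, not code from either answer or from the Wireshark project: it takes tab-separated tshark field output (the constructed `SAMPLE_TSV` mimics what `tshark -r myFile -Y sip -T fields -e ip.src -e ip.dst -e sip.Call-ID -e sip.CSeq.method -e sip.Request-Line -e sip.Status-Code` would print; the field names are real Wireshark SIP/IP fields, the addresses and Call-IDs are made up) and does two things: it pairs each INVITE with the responses carrying the same Call-ID and CSeq method, which is what the first answer's `sip.CSeq.method eq INVITE` filter selects, to give the client address (INVITE source) and server address (response source) per call; and it tallies methods and status codes the way the second answer's `-z sip,stat[,filter]` does, with an optional status-code filter. The function and variable names are the example's own choices.

```python
"""Post-process tshark field output to recover client/server addresses
per SIP call and to summarise request methods and response status codes.

Added example, not tshark's own code. Assumed export command (the sample
below is constructed to look like its tab-separated output):
  tshark -r myFile -Y sip -T fields -e ip.src -e ip.dst -e sip.Call-ID \
      -e sip.CSeq.method -e sip.Request-Line -e sip.Status-Code
Pipe that into this script, or run it alone to use the embedded sample.
"""
import sys
from collections import Counter

# Constructed sample: one answered call (abc123) and one rejected call
# (def456) between two user agents and one server at 203.0.113.10.
SAMPLE_TSV = """\
10.0.0.5\t203.0.113.10\tabc123@10.0.0.5\tINVITE\tINVITE sip:bob@example.net SIP/2.0\t
203.0.113.10\t10.0.0.5\tabc123@10.0.0.5\tINVITE\t\t100
203.0.113.10\t10.0.0.5\tabc123@10.0.0.5\tINVITE\t\t180
203.0.113.10\t10.0.0.5\tabc123@10.0.0.5\tINVITE\t\t200
10.0.0.5\t203.0.113.10\tabc123@10.0.0.5\tACK\tACK sip:bob@example.net SIP/2.0\t
10.0.0.7\t203.0.113.10\tdef456@10.0.0.7\tINVITE\tINVITE sip:carol@example.net SIP/2.0\t
203.0.113.10\t10.0.0.7\tdef456@10.0.0.7\tINVITE\t\t480
10.0.0.5\t203.0.113.10\tabc123@10.0.0.5\tBYE\tBYE sip:bob@example.net SIP/2.0\t
203.0.113.10\t10.0.0.5\tabc123@10.0.0.5\tBYE\t\t200
"""

# Column order must match the -e options of the export command above.
FIELDS = ("ip.src", "ip.dst", "sip.Call-ID", "sip.CSeq.method",
          "sip.Request-Line", "sip.Status-Code")


def parse_tsv(text):
    """Turn tshark's tab-separated field lines into dicts keyed by field."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (len(FIELDS) - len(parts))  # pad missing trailing fields
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def call_endpoints(rows):
    """Map Call-ID -> client/server addresses and the final INVITE status.

    Client = source of the INVITE request; server = source of the responses
    to that INVITE (note: with a proxy in the path this is the proxy, not
    the far-end phone). Only packets whose CSeq method is INVITE count,
    i.e. the same packets the filter "sip.CSeq.method eq INVITE" selects.
    """
    calls = {}
    for r in rows:
        if r["sip.CSeq.method"] != "INVITE":
            continue
        call = calls.setdefault(
            r["sip.Call-ID"], {"client": None, "server": None, "final_status": None})
        if r["sip.Request-Line"]:            # the INVITE request itself
            call["client"] = r["ip.src"]
        elif r["sip.Status-Code"]:           # a response to the INVITE
            code = int(r["sip.Status-Code"])
            call["server"] = r["ip.src"]
            if code >= 200:                  # 1xx are provisional; >=200 is final
                call["final_status"] = code
    return calls


def sip_stat(rows, status_code=None):
    """Counts like "-z sip,stat": requests per method, responses per code.

    status_code narrows the input to packets with that code, like the
    ",sip.Status-Code==NNN" filter suffix; requests carry no status code,
    so they are excluded when a filter is given, exactly as in tshark.
    """
    methods, statuses = Counter(), Counter()
    for r in rows:
        if r["sip.Request-Line"]:
            if status_code is None:
                methods[r["sip.Request-Line"].split(" ", 1)[0]] += 1
        elif r["sip.Status-Code"]:
            code = int(r["sip.Status-Code"])
            if status_code is None or code == status_code:
                statuses[code] += 1
    return methods, statuses


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TSV
    rows = parse_tsv(text)
    for cid, c in call_endpoints(rows).items():
        print(f"{cid}: client={c['client']} server={c['server']} "
              f"final={c['final_status']}")
    methods, statuses = sip_stat(rows)
    print("methods:", dict(methods))
    print("status codes:", dict(statuses))
```

Run stand-alone it reports the two constructed calls; fed the real tshark export via a pipe it does the same for a capture. Pairing on Call-ID plus CSeq method rather than on addresses is what keeps a retransmitted INVITE or a second call from the same client from being merged into the wrong call.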