0
votes

I have the following trace :


In the wireshark preferences I have the following option set to Off :

In TCP Prefs : Allow subdissector to reassemble TCP streams

In SIP prefs : Reassemble SIP headers spanning multiple TCP segments

In SIP prefs : Reassemble SIP bodies spanning multiple TCP segments

I am trying to analyze this trace with the tshark command given below. But in the output I am not shown any packets even though the packets are there in the trace :

[rishabh@pc Test]$tshark -T fields -E header=y -e ip.src -e tcp.srcport -e ip.dst  -e tcp.dstport -R "sip.Status-Code eq 500" -r "4.cap"
ip.src  tcp.srcport ip.dst  tcp.dstport
[rishabh@pc Test]$ 

How do I modify the filter to capture the highlighted packet?

I found out that if I switch on all of the above Wireshark options, the TCP packets are shown as in the screenshot (image not included).

Maybe tshark allows reassembly by default and thus it is not able to filter the packet as a SIP message. Also I am able to capture the data with the tshark filter : "tcp contains '500 Responder'"

But I need to filter it as a sip status code only. How do I achieve this?

Note that the SIP status code is indeed 500, so the initial filter should work.

1

1 Answer

2
votes

Found the solution:

tshark allows you to set the settings for the reassembly preferences. The preferences are :

Whether subdissector can request TCP streams to be reassembled
TRUE or FALSE (case-insensitive)
tcp.desegment_tcp_streams: TRUE

Whether the SIP dissector should reassemble headers of a request spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings.
TRUE or FALSE (case-insensitive)
sip.desegment_headers: TRUE

Whether the SIP dissector should use the "Content-length:" value, if present, to reassemble the body of a request spanning multiple TCP segments, and reassemble chunked data spanning multiple TCP segments. To use this option, you must also enable "Allow subdissectors to reassemble TCP streams" in the TCP protocol settings.
TRUE or FALSE (case-insensitive)
sip.desegment_body: TRUE

Using these flags with the -o option in tshark, the preferences can be customized. I used the following tshark command for my problem :

/home/atsuser/Tools/wireshark/tshark -T fields -E header=y -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e frame.number -r 4.cap -o sip.desegment_headers:FALSE -o sip.desegment_body:FALSE -o tcp.desegment_tcp_streams:FALSE -R "sip.Status-Code eq 500"

I found the preference names at the location "%USERPROFILE%\Application Data\Wireshark" on my windows machine.
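As an added example (not from the original answer), the script below runs a SIP display filter over a capture twice, once with the three reassembly preferences forced on and once forced off, and warns when the match counts differ, which is the situation described in this thread. It assumes tshark is on PATH; the capture file and filter are passed as arguments (for this thread: 4.cap and "sip.Status-Code eq 500"). Current tshark releases take the display filter with -Y; -R in the post is the older spelling.

```shell
#!/bin/sh
# Added example: check whether a SIP display filter's results depend on
# TCP/SIP reassembly preferences. Not part of the original post; assumes
# tshark is installed and on PATH.

# Print the -o preference overrides for the requested reassembly mode (on|off).
reassembly_prefs() {
    case "$1" in
        on)  v=TRUE ;;
        off) v=FALSE ;;
        *)   echo "usage: reassembly_prefs on|off" >&2; return 2 ;;
    esac
    prefs="-o tcp.desegment_tcp_streams:$v -o sip.desegment_headers:$v -o sip.desegment_body:$v"
    printf '%s' "$prefs"
}

# Count frames matching a display filter under the given reassembly mode.
# -Y is the display-filter option in current tshark (-R in older releases).
count_matches() {
    capture=$1; filter=$2; mode=$3
    # word-splitting of the prefs string into separate -o arguments is intended
    tshark -r "$capture" $(reassembly_prefs "$mode") -Y "$filter" \
        -T fields -e frame.number | wc -l | tr -d ' '
}

# Run the filter both ways and flag a mismatch.
compare_reassembly() {
    capture=$1; filter=$2
    command -v tshark >/dev/null 2>&1 || { echo "tshark not found" >&2; return 1; }
    on=$(count_matches "$capture" "$filter" on)
    off=$(count_matches "$capture" "$filter" off)
    echo "filter: $filter"
    echo "reassembly on : $on frame(s)"
    echo "reassembly off: $off frame(s)"
    if [ "$on" != "$off" ]; then
        echo "WARNING: match count depends on reassembly preferences;" \
             "pin the -o settings wherever this filter is used" >&2
        return 3
    fi
}

if [ $# -eq 2 ]; then
    compare_reassembly "$1" "$2"
fi
```

Usage: `sh compare.sh 4.cap "sip.Status-Code eq 500"`; a non-zero exit of 3 means the two runs disagree.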