0
votes

I am trying to parse a pack of SIP frames which are stored in a .cap file. Everything seems to be working smoothly and I read the correct data, but there is a small fault which I cannot overcome.

I need to get to the INFO field of each frame to get the information about the number FROM which the call was dialled, and also the TO field to know where the call was made to.

I gather data via tcpdump and store it in a .cap file. While reading the file via Wireshark I can see the field, so I know that it was captured correctly. But I need to automate that process, so I need to omit using WS.

I tried using tshark with the known option -e col.Info (also col.info, which is obviously incorrect) but I constantly get:

tshark: Some fields aren't valid: col.Info

My tshark version is 2.2.6 so it should be working as I read that it is valid in versions higher than 1.5 or somewhere around it.

I also tried ChaosReader to create a .html file and that also worked nicely, still no Info field though. Another way I tried was to use pcap2xml, as I thought that an XML should contain ALL the data from the frame, but that solution also let me down.

I am running out of ideas so I came here for support and new suggestions.

Also: a way of parsing that data in Python would also be a plus, as I want to process this data later using Python. I tried Scapy but I was not able to obtain the data that I need.

Screenshot of the Wireshark capture:

2
I'm not very familiar with SIP. Using a SIP pcap, I tried looking for the Info field, but I can't find any. Wireshark (v2.2.6) also doesn't seem to know it as a Display filter. It has sip.Info-Package though. What version of Wireshark are you using? Do you have an example of such a field (pcap or screen capture)? (pchaigno)

@pchaigno please find the screen attached. I am aiming for the last field seen here (to the right). (hikamare)

Oh, I see. That's a column, not a field per Wireshark's terminology. I was looking for a field in the packets :-) I'll post an answer. (pchaigno)

2 Answers

1
votes

The column field from Wireshark can be output by tshark using the -o column.format:"Info","%i" format. To output this column in addition to the to (sip.to.addr) and from (sip.from.addr) addresses of each SIP packet, you can run:

$ tshark -r input.pcap -o 'column.format:"Info","%i","From","%Cus:sip.from.addr","To","%Cus:sip.to.addr"' sip
Request: REGISTER sip:sip.cybercity.dk  (1 binding) |  sip:[email protected] sip:[email protected]
Status: 401 Unauthorized |  sip:[email protected] sip:[email protected]
Request: REGISTER sip:sip.cybercity.dk  (1 binding) |  sip:[email protected] sip:[email protected]

1
votes

At the suggestion of pchaigno, I'm posting my earlier comment as an answer, edited a bit.

The Wireshark internal application display filter prefix of "_ws." was introduced beginning with Wireshark 1.12.0, so -e col.Info doesn't work after that release; instead you'll need to use -e _ws.col.Info. This was mentioned in the Wireshark 1.12.0 release notes. See also Comment 1 of Wireshark Bug 10201.

This answer is provided as an alternate way to solve the problem, one that lends itself well to automation and scripting. Here's an example:

tshark -r input.pcap -T fields -e _ws.col.Info -e sip.from.addr -e sip.to.addr

Refer to the tshark man page for more information, where -e _ws.col.Info is even used in one of the examples.
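Since the question also asks for a way to process the result in Python, here is an added example (not part of either answer) that wraps the tshark -T fields command from the answer above, parses its tab-separated output into one dict per SIP packet, and pulls the method or status code out of the Info column. The constructed SAMPLE_OUTPUT is what such a run prints; the addresses in it are made up.

```python
import subprocess
from typing import Dict, List, Optional

# Fields requested from tshark, in the order they appear in each output line.
FIELDS = ["_ws.col.Info", "sip.from.addr", "sip.to.addr"]


def build_tshark_cmd(capture_path: str) -> List[str]:
    """Tab is the default -T fields separator; set it explicitly so the parser
    below never depends on a default."""
    cmd = ["tshark", "-r", capture_path, "-T", "fields", "-E", "separator=/t"]
    for field in FIELDS:
        cmd += ["-e", field]
    cmd.append("sip")  # display filter: keep only SIP packets
    return cmd


def parse_fields_output(text: str) -> List[Dict[str, str]]:
    """One dict per packet. A packet that lacks a field (e.g. a message with no
    To header) still yields a row; the missing value is an empty string."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (len(FIELDS) - len(parts))
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def sip_method_or_status(info: str) -> Optional[str]:
    """'Request: INVITE sip:...' -> 'INVITE'; 'Status: 401 Unauthorized' -> '401'."""
    if info.startswith("Request: ") or info.startswith("Status: "):
        return info.split()[1]
    return None


def read_sip_packets(capture_path: str) -> List[Dict[str, str]]:
    """Run tshark on a capture file (tshark must be installed) and parse it."""
    result = subprocess.run(build_tshark_cmd(capture_path), check=True,
                            capture_output=True, text=True)
    return parse_fields_output(result.stdout)


# Constructed sample of tshark output for the command above (not real traffic).
SAMPLE_OUTPUT = (
    "Request: REGISTER sip:sip.example.invalid  (1 binding)\tsip:alice@example.invalid\tsip:alice@example.invalid\n"
    "Status: 401 Unauthorized\tsip:alice@example.invalid\tsip:alice@example.invalid\n"
    "Request: INVITE sip:bob@example.invalid\tsip:alice@example.invalid\tsip:bob@example.invalid\n"
    "Request: OPTIONS sip:example.invalid\tsip:probe@example.invalid\n"
)

if __name__ == "__main__":
    for row in parse_fields_output(SAMPLE_OUTPUT):
        print(sip_method_or_status(row["_ws.col.Info"]), row["sip.from.addr"], "->", row["sip.to.addr"])
```

Replace SAMPLE_OUTPUT with read_sip_packets("input.cap") to run it against a real capture.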