Filtering VoIP calls with tshark

瘦欲@ submitted on 2020-01-03 13:07:35

Question

I'm analyzing VoIP calls on my network

For now I'm using a generated .pcap file, but later I'll be listening for this in real time.

I'm using tshark, and I can filter some important data pretty easily from the .pcap (like "source IP address and port", "destination IP address and port", payload packets lost, Max Delta (ms), Max Jitter (ms), Mean Jitter (ms)) with

tshark -r myfile -q -z rtp,streams

What I want to know is: how can I get the SIP addresses of a call (client and server)?

I can retrieve some SIP addresses (only the client's) by filtering all SIP INVITEs like this:

tshark -r myFile -R "sip.Request-Line contains INVITE"

But I can't get the address of the server.

To clarify a bit, my idea was to get this "statistic" in tshark, like Wireshark gives me when I open "Telephony > VoIP Calls" (the same way that tshark -r myfile -q -z rtp,streams returns statistics just like Wireshark's "Telephony > RTP > Show All Streams"). Is there a way to do this? If not with "statistics" (-z), how can I create a filter (-R) that does something similar to the "VoIP Calls" function of Wireshark?

I'm using tshark as I want to work with this data, not just analyze it on my screen.

Thanks

Answer 1:

Try:

tshark -r myFile -R "sip.CSeq.method eq INVITE"

That will filter for the request sent from the client and the corresponding reply from the server.

Answer 2:

I was in a similar situation and ended up going through the tshark man pages.

Command: tshark -r input_file.pcap -q -z sip,stat

Explanation:

-r <infile> : Read packet data from infile.

-q : When reading a capture file, don't print packet information; this is useful if you're using a -z option to calculate statistics and don't want the packet information printed, just the statistics.

-z <statistics> : Get TShark to collect various types of statistics and display the result after finishing reading the capture file.

You can additionally add filters to the statistics as well; for example, if you want to summarize all packets that had only SIP Status Code 480, you can do so by:

tshark -r input_file.pcap -q -z sip,stat,sip.Status-Code==480

-z sip,stat[,filter] : This option will activate a counter for SIP messages. You will get the number of occurrences of each SIP Method and of each SIP Status-Code.

In case you want multiple filters, you can add them one by one:

tshark -r input_file.pcap -q -z sip,stat,sip.Status-Code==480 -z sip,stat,sip.Status-Code==500

If you want to summarize by SIP address, you can filter by that:

tshark -r input_file.pcap -q -z sip,stat,sip.to.host==sip-to-host.com

Refer to:

  1. TShark Man Page: https://www.wireshark.org/docs/man-pages/tshark.html
  2. SIP Filters: https://www.wireshark.org/docs/dfref/s/sip.html
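Building on the second answer, here is an added example (not from the thread or from the Wireshark project) that gets closer to what Wireshark's "Telephony > VoIP Calls" view shows: it runs tshark with -T fields (using -Y, the current name for the display filter the question passes with -R) and groups the SIP messages by Call-ID, so each call lists its client, server, From/To URIs and last status code. The field names are real tshark fields; the sample lines, hosts and Call-IDs are constructed.

```python
"""Group SIP messages into calls by Call-ID, roughly what Wireshark's Telephony > VoIP Calls shows."""
import subprocess

TSHARK_FIELDS = ["frame.time_epoch", "ip.src", "ip.dst", "sip.Call-ID",
                 "sip.Method", "sip.Status-Code", "sip.From", "sip.To"]

def tshark_command(pcap):
    """tshark command that prints one SIP message per line, fields tab-separated."""
    cmd = ["tshark", "-r", pcap, "-Y", "sip", "-T", "fields",
           "-E", "separator=/t", "-E", "occurrence=f"]
    for field in TSHARK_FIELDS:
        cmd += ["-e", field]
    return cmd

def summarize_calls(lines):
    """Return {Call-ID: summary}; client/server are taken from who sent the INVITE."""
    calls = {}
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != len(TSHARK_FIELDS):
            continue  # blank or malformed line
        ts, src, dst, call_id, method, status, sip_from, sip_to = parts
        call = calls.setdefault(call_id, {
            "client": None, "server": None, "from": sip_from, "to": sip_to,
            "start": float(ts), "end": float(ts), "last_status": None})
        call["end"] = float(ts)
        if method == "INVITE" and call["client"] is None:
            call["client"], call["server"] = src, dst  # caller -> callee/proxy
        if status:  # only responses carry a Status-Code
            call["last_status"] = int(status)
    return calls

def calls_from_pcap(pcap):
    """Run tshark on a capture file and summarize its SIP calls."""
    out = subprocess.run(tshark_command(pcap), capture_output=True, text=True, check=True)
    return summarize_calls(out.stdout.splitlines())

# Constructed sample of tshark output: one answered call and one 480 failure.
SAMPLE = [
    "1.000\t10.0.0.5\t10.0.0.10\tcall-A\tINVITE\t\tsip:alice@pbx.example\tsip:bob@pbx.example",
    "1.500\t10.0.0.10\t10.0.0.5\tcall-A\t\t200\tsip:alice@pbx.example\tsip:bob@pbx.example",
    "9.000\t10.0.0.5\t10.0.0.10\tcall-A\tBYE\t\tsip:alice@pbx.example\tsip:bob@pbx.example",
    "9.020\t10.0.0.10\t10.0.0.5\tcall-A\t\t200\tsip:alice@pbx.example\tsip:bob@pbx.example",
    "2.000\t10.0.0.7\t10.0.0.10\tcall-B\tINVITE\t\tsip:carol@pbx.example\tsip:dave@pbx.example",
    "2.050\t10.0.0.10\t10.0.0.7\tcall-B\t\t480\tsip:carol@pbx.example\tsip:dave@pbx.example",
]

if __name__ == "__main__":
    for cid, c in summarize_calls(SAMPLE).items():
        print(cid, c["client"], "->", c["server"], c["last_status"], f"{c['end'] - c['start']:.2f}s")
```

For live traffic, replace `-r pcap` in tshark_command with `-i <interface>` and feed the process's stdout line by line to the same grouping logic.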


Source: https://stackoverflow.com/questions/10606961/filtering-voip-calls-with-tshark
