linux - tshark SIP协议(protocol)显示崩溃

Question

我正在使用 tshark 协议(protocol)过滤器，因为我需要解析 SIP 数据包的内容。

tshark -r df32c2248fe646a6793ce9a63b124b34@0.0.0.0.pcap -O sip

我明白了:

Frame 14: 553 bytes on wire (4424 bits), 553 bytes captured (4424 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 4.4.4.4 (4.4.4.4), Dst: 3.3.3.3 (3.3.3.3)
User Datagram Protocol, Src Port: 5060 (5060), Dst Port: 5060 (5060)
Session Initiation Protocol (200)
    Status-Line: SIP/2.0 200 OK
        Status-Code: 200
        [Resent Packet: False]
        [Request Frame: 11]
        [Response Time (ms): 115]
        [Release Time (ms): 115]
    Message Header
        Via: SIP/2.0/UDP 2.2.2.2:5060;received=3.3.3.3;branch=z9hG4bK18f6609d-1c76-4a8b-a96b-2cf7d8036d36_6772d868_3067109296759172
            Transport: UDP
            Sent-by Address: 2.2.2.2
            Sent-by port: 5060
            Received: 3.3.3.3
            Branch: z9hG4bK18f6609d-1c76-4a8b-a96b-2cf7d8036d36_6772d868_3067109296759172
        Contact: <sip:14082186500@1.1.1.1:17060>
            Contact URI: sip:14082186500@1.1.1.1:17060
                Contact URI User Part: 14082186500
                Contact URI Host Part: 1.1.1.1
                Contact URI Host Port: 17060
        To: <sip:14082186500@spicyramen.ippbx.com;user=phone>;tag=83174026
            SIP to address: sip:14082186500@spicyramen.ippbx.com;user=phone
                SIP to address User Part: 14082186500
                SIP to address Host Part: spicyramen.ippbx.com
                SIP To URI parameter: user=phone
            SIP to tag: 83174026
        From: <sip:anonymous@sip.ie1.sipprovider.com>;tag=87638703_6772d868_18f6609d-1c76-4a8b-a96b-2cf7d8036d36
            SIP from address: sip:anonymous@sip.ie1.sipprovider.com
                SIP from address User Part: anonymous
                SIP from address Host Part: sip.ie1.sipprovider.com
            SIP from tag: 87638703_6772d868_18f6609d-1c76-4a8b-a96b-2cf7d8036d36
        Call-ID: df32c2248fe646a6793ce9a63b124b34@0.0.0.0
        CSeq: 44365 BYE
            Sequence Number: 44365
            Method: BYE
        User-Agent: 3CXPhoneSystem 14.0.44198.522 (44097)
        Content-Length: 0

如您所见，输出没有崩溃。我想看到这样的东西:

Frame 14: 553 bytes on wire (4424 bits), 553 bytes captured (4424 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 4.4.4.4 (4.4.4.4), Dst: 3.3.3.3 (3.3.3.3)
User Datagram Protocol, Src Port: 5060 (5060), Dst Port: 5060 (5060)
Session Initiation Protocol (200)
    Status-Line: SIP/2.0 200 OK
    Message Header
        Via: SIP/2.0/UDP 2.2.2.2:5060;received=3.3.3.3;branch=z9hG4bK18f6609d-1c76-4a8b-a96b-2cf7d8036d36_6772d868_3067109296759172
        Contact: <sip:14082186500@1.1.1.1:17060>
        To: <sip:14082186500@spicyramen.ippbx.com;user=phone>;tag=83174026
        From: <sip:anonymous@sip.ie1.sipprovider.com>;tag=87638703_6772d868_18f6609d-1c76-4a8b-a96b-2cf7d8036d36
        Call-ID: df32c2248fe646a6793ce9a63b124b34@0.0.0.0
        CSeq: 44365 BYE
        User-Agent: 3CXPhoneSystem 14.0.44198.522 (44097)
        Content-Length: 0

Answer 1

Wireshark
您可以使用 Wireshark 来完成这项工作。
申请 display filter :
啜饮

转到Packet Details Pane 。
展开“ session 启动协议(protocol)”
展开请求行、消息头和消息体*(不展开子树)
转到文件 - 导出 - 导出数据包剖析... - 作为“纯文本”文件...
数据包格式部分:选择“Packet Summery Line”和“Packet Details: As Displayed”
添加文件名并保存文件

*注意
我用过sample file : aaa.pcap
消息体:见223包

TShark
您可以使用 -T 字段并添加所有 fields你需要。
例如:
tshark -r aaa.pcap -Y sip -E header=y -E separator="?"-T 字段 -e frame.number -e sip.Request-Line -e sip.r-uri -e sip.Via -e sip.From -e sip.To -e sip.Call-ID -e sip.Contact - e sip.Expires -e sip.CSeq -e sip.User-Agent -e sip.Content-Length > aaa.csv