Extract only SIP packets for one Call-ID

sachin
edited October 7 in SIP

How to extract only SIP packets for one Call-ID into a new pcap from a large PCAP file?

Answers

  • sachin
    edited October 7

    You can follow

    tshark -r capture.pcap -Y 'sip.Call-ID == "CALLID@example.com"' -w callid_only.pcap
    

    Replace CALLID@example.com with the Call-ID you want (exact match). The resulting callid_only.pcap contains only packets that match that display filter (SIP messages carrying that Call-ID).

    • Use single quotes around the whole -Y expression to avoid shell interpolation.
    • If the Call-ID contains characters the shell treats specially, escape them or wrap properly.

    You can further check it with sngrep

    sngrep -I callid_only.pcap
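
An added example, not part of the original answer: a small shell wrapper around the tshark command above that builds the `-Y` filter from a Call-ID and escapes backslashes and double quotes, the two characters that are special inside a double-quoted display-filter string. The function names `callid_filter` and `extract_call` are hypothetical, as are the file names in the usage comment.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not from the original post.

# Print a display filter matching exactly one SIP Call-ID.
# Inside a double-quoted display-filter string, backslash and double
# quote must be escaped; everything else is taken literally.
callid_filter() {
    escaped=$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
    printf 'sip.Call-ID == "%s"' "$escaped"
}

# extract_call INPUT.pcap CALL-ID OUTPUT.pcap
# Writes only the packets matching that Call-ID to OUTPUT.pcap.
# The filter is passed as a single quoted argument, so the shell never
# re-interprets characters in the Call-ID.
extract_call() {
    tshark -r "$1" -Y "$(callid_filter "$2")" -w "$3"
}

# Usage (file names and Call-ID are placeholders):
#   sh extract_call.sh capture.pcap 'CALLID@example.com' callid_only.pcap
if [ "$#" -eq 3 ]; then
    extract_call "$1" "$2" "$3"
fi
```

Pass the Call-ID in single quotes on the command line so it reaches the script unchanged.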
    