I have a pcap file captured during the VOIP call. From this file, I would like to filter out only the SIP packets and I would like to parse the SIP packets to read the information present in the "SIP message Header" and "SIP Message body" using Python.

Any suggestions/sample code would be really helpful.

1 Answer

You can access the "SIP message Header" and "SIP Message body" of a SIP packet by querying the field names and field values for the packet.

Here is one way to do this.

```python
import asyncio

import pyshark

pcap_file = 'sip.pcap'

capture = pyshark.FileCapture(pcap_file)
for packet in capture:
    try:
        # Only packets that tshark dissected as SIP have a 'sip' layer
        if hasattr(packet, 'sip'):
            # _all_fields maps each field name to its value
            for field_name, field_value in packet.sip._all_fields.items():
                if field_name == 'sip.msg_hdr':
                    # The value uses the literal text \xd\xa as line separator
                    print(field_value.split('\\xd\\xa'))
                elif field_name == 'sip.msg_body':
                    print(field_value)
    except OSError:
        pass
    except asyncio.TimeoutError:
        pass

# Stop the tshark subprocess once the file has been read
capture.close()
```

sip.msg_hdr output from my code above

['Via: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2118-1-0', 'From: "L16/8000/2" <sip:sipp@10.0.2.20:5060>;tag=1', 'To: test <sip:test@10.0.2.15:5060>', 'Call-ID: 1-2118@10.0.2.20', 'CSeq: 1 INVITE', 'Contact: sip:sipp@10.0.2.20:5060', 'Max-Forwards: 70', 'Content-Type: application/sdp', 'Content-Length:   126', '', 'v=0', 'o=- 42 42 IN IP4 10.0.2.20', 's=-', 'c=IN IP4 10.0.2.20', 't=0 0', 'm=audio 6000 RTP/AVP 99', 'a=rtpmap:99 L16/8000/2', 'a=recvonly', '']
['Via: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2118-1-0', 'From: "L16/8000/2" <sip:sipp@10.0.2.20:5060>;tag=1', 'To: test <sip:test@10.0.2.15:5060>', 'Call-ID: 1-2118@10.0.2.20', 'CSeq: 1 INVITE', 'User-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit', 'Content-Length: 0', '', '']
['Via: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2118-1-0', 'From: "L16/8000/2" <sip:sipp@10.0.2.20:5060>;tag=1', 'To: test <sip:test@10.0.2.15:5060>;tag=yHyF9Hv4UgZ3D', 'Call-ID: 1-2118@10.0.2.20', 'CSeq: 1 INVITE', 'Contact: <sip:test@10.0.2.15:5060;transport=udp>', 'User-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit', 'Accept: application/sdp', 'Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE', 'Supported: timer, path, replaces', 'Allow-Events: talk, hold, conference, presence, as-feature-event, dialog, line-seize, call-info, sla, include-session-description, presence.winfo, message-summary, refer', 'Content-Type: application/sdp', 'Content-Disposition: session', 'Content-Length: 229', 'Remote-Party-ID: "test" <sip:test@10.0.2.15>;party=calling;privacy=off;screen=no', '', 'v=0', 'o=FreeSWITCH 1480145952 1480145953 IN IP4 10.0.2.15', 's=FreeSWITCH', 'c=IN IP4 10.0.2.15', 't=0 0', 'm=audio 26628 RTP/AVP 99 101', 'a=rtpmap:99 L16/8000/2', 'a=rtpmap:101 telephone-event/8000', 'a=fmtp:101 0-16', 'a=sendonly', 'a=ptime:20', '']
['Via: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2118-1-5', 'From: "L16/8000/2" <sip:sipp@10.0.2.20:5060>;tag=1', 'To: test <sip:test@10.0.2.15:5060>;tag=yHyF9Hv4UgZ3D', 'Call-ID: 1-2118@10.0.2.20', 'CSeq: 1 ACK', 'Contact: sip:sipp@10.0.2.20:5060', 'Max-Forwards: 70', 'Content-Length: 0', '', '']
['Via: SIP/2.0/UDP 10.0.2.15;rport;branch=z9hG4bKyFcaSgFpvZS6c', 'Max-Forwards: 70', 'From: test <sip:test@10.0.2.15:5060>;tag=yHyF9Hv4UgZ3D', 'To: "L16/8000/2" <sip:sipp@10.0.2.20:5060>;tag=1', 'Call-ID: 1-2118@10.0.2.20', 'CSeq: 99750230 BYE', 'User-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit', 'Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE', 'Supported: timer, path, replaces', 'Reason: Q.850;cause=16;text="NORMAL_CLEARING"', 'Content-Length: 0', '', '']
['Via: SIP/2.0/UDP 10.0.2.15;rport;branch=z9hG4bKyFcaSgFpvZS6c', 'From: test <sip:test@10.0.2.15:5060>;tag=yHyF9Hv4UgZ3D', 'To: "L16/8000/2" <sip:sipp@10.0.2.20:5060>;tag=1', 'Call-ID: 1-2118@10.0.2.20', 'CSeq: 99750230 BYE', 'Contact: <sip:10.0.2.20:5060;transport=UDP>', 'Content-Length: 0', '', '']
['Via: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2120-1-0', 'From: "L16/16000/2" <sip:sipp@10.0.2.20:5060>;tag=1', 'To: test <sip:test@10.0.2.15:5060>', 'Call-ID: 1-2120@10.0.2.20', 'CSeq: 1 INVITE', 'Contact: sip:sipp@10.0.2.20:5060', 'Max-Forwards: 70', 'Content-Type: application/sdp', 'Content-Length:   127', '', 'v=0', 'o=- 42 42 IN IP4 10.0.2.20', 's=-', 'c=IN IP4 10.0.2.20', 't=0 0', 'm=audio 6000 RTP/AVP 99', 'a=rtpmap:99 L16/16000/2', 'a=recvonly', '']
['Via: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2120-1-0', 'From: "L16/16000/2" <sip:sipp@10.0.2.20:5060>;tag=1', 'To: test <sip:test@10.0.2.15:5060>', 'Call-ID: 1-2120@10.0.2.20', 'CSeq: 1 INVITE', 'User-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit', 'Content-Length: 0', '', '']
['Via: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2120-1-0', 'From: "L16/16000/2" <sip:sipp@10.0.2.20:5060>;tag=1', 'To: test <sip:test@10.0.2.15:5060>;tag=ZtQ8aDD8rSNpS', 'Call-ID: 1-2120@10.0.2.20', 'CSeq: 1 INVITE', 'Contact: <sip:test@10.0.2.15:5060;transport=udp>', 'User-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit', 'Accept: application/sdp', 'Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE', 'Supported: timer, path, replaces', 'Allow-Events: talk, hold, conference, presence, as-feature-event, dialog, line-seize, call-info, sla, include-session-description, presence.winfo, message-summary, refer', 'Content-Type: application/sdp', 'Content-Disposition: session', 'Content-Length: 230', 'Remote-Party-ID: "test" <sip:test@10.0.2.15>;party=calling;privacy=off;screen=no', '', 'v=0', 'o=FreeSWITCH 1480148506 1480148507 IN IP4 10.0.2.15', 's=FreeSWITCH', 'c=IN IP4 10.0.2.15', 't=0 0', 'm=audio 24082 RTP/AVP 99 101', 'a=rtpmap:99 L16/16000/2', 'a=rtpmap:101 telephone-event/8000', 'a=fmtp:101 0-16', 'a=sendonly', 'a=ptime:20', '']
['Via: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2120-1-5', 'From: "L16/16000/2" <sip:sipp@10.0.2.20:5060>;tag=1', 'To: test <sip:test@10.0.2.15:5060>;tag=ZtQ8aDD8rSNpS', 'Call-ID: 1-2120@10.0.2.20', 'CSeq: 1 ACK', 'Contact: sip:sipp@10.0.2.20:5060', 'Max-Forwards: 70', 'Content-Length: 0', '', '']
['Via: SIP/2.0/UDP 10.0.2.15;rport;branch=z9hG4bKZr52tB0SS8FSr', 'Max-Forwards: 70', 'From: test <sip:test@10.0.2.15:5060>;tag=ZtQ8aDD8rSNpS', 'To: "L16/16000/2" <sip:sipp@10.0.2.20:5060>;tag=1', 'Call-ID: 1-2120@10.0.2.20', 'CSeq: 99750234 BYE', 'User-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit', 'Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE', 'Supported: timer, path, replaces', 'Reason: Q.850;cause=16;text="NORMAL_CLEARING"', 'Content-Length: 0', '', '']
['Via: SIP/2.0/UDP 10.0.2.15;rport;branch=z9hG4bKZr52tB0SS8FSr', 'From: test <sip:test@10.0.2.15:5060>;tag=ZtQ8aDD8rSNpS', 'To: "L16/16000/2" <sip:sipp@10.0.2.20:5060>;tag=1', 'Call-ID: 1-2120@10.0.2.20', 'CSeq: 99750234 BYE', 'Contact: <sip:10.0.2.20:5060;transport=UDP>', 'Content-Length: 0', '', '']
['Via: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2121-1-0', 'From: "L16/11025" <sip:sipp@10.0.2.20:5060>;tag=1', 'To: test <sip:test@10.0.2.15:5060>', 'Call-ID: 1-2121@10.0.2.20', 'CSeq: 1 INVITE', 'Contact: sip:sipp@10.0.2.20:5060', 'Max-Forwards: 70', 'Content-Type: application/sdp', 'Content-Length:   125', '', 'v=0', 'o=- 42 42 IN IP4 10.0.2.20', 's=-', 'c=IN IP4 10.0.2.20', 't=0 0', 'm=audio 6000 RTP/AVP 99', 'a=rtpmap:99 L16/11025', 'a=recvonly', '']
truncated...

I have tested the code above with multiple pcap files that contain SIP packets. In testing the code produced no errors.

You will need to filter your packets based on your use case.

Here are the items in my SIP packets:

sip.Request-Line
sip.Method
sip.r-uri
sip.r-uri.user
sip.r-uri.host
sip.r-uri.port
sip.resend
sip.msg_hdr
sip.Via
sip.Via.transport
sip.Via.sent-by.address
sip.Via.rport
sip.Via.branch
sip.Max-Forwards
sip.From
sip.display.info
sip.from.addr
sip.from.user
sip.from.host
sip.from.port
sip.from.tag
sip.tag
sip.To
sip.to.addr
sip.to.user
sip.to.host
sip.to.port
sip.to.tag
sip.Call-ID
sip.call_id_generated
sip.CSeq
sip.CSeq.seq
sip.CSeq.method
sip.User-Agent
sip.Allow
sip.Supported
sip.Reason
sip.reason_protocols
sip.reason_cause_q850
sip.reason_text
sip.Content-Length


_ws.expert
sip.unrecognized_header
_ws.expert.message
_ws.expert.severity
_ws.expert.group
sip.msg_body
sdp.version
sdp.owner
sdp.owner.username
sdp.owner.sessionid
sdp.owner.version
sdp.owner.network_type
sdp.owner.address_type
sdp.owner.address
sdp.session_name
sdp.connection_info
sdp.connection_info.network_type
sdp.connection_info.address_type
sdp.connection_info.address
sdp.time
sdp.time.start
sdp.time.stop
sdp.media
sdp.media.media
sdp.media.port_string
sdp.media.port
sdp.media.proto
sdp.media.format
sdp.media_attr
sdp.media_attribute.field
sdp.mime.type
sdp.sample_rate
sdp.fmtp.parameter
sdp.media_attribute.value

----------------------------------------
My system information
----------------------------------------
Platform:    macOS
Python:      3.8.0
Pyshark:     0.4.3
----------------------------------------
Life is complex
  • I tried the above code and while running, got the below error. Error on reading from the event loop self pipe loop: Traceback (most recent call last): File "C:\Users\vijayakb\AppData\Local\Programs\Python\Python39\lib\asyncio\proactor_events.py", line 777, in _loop_self_reading f = self._proactor.recv(self._ssock, 4096) – Barnala vijaykumar Apr 26 '21 at 07:18
  • File "C:\Users\vijayakb\AppData\Local\Programs\Python\Python39\lib\asyncio\windows_events.py", line 445, in recv self._register_with_iocp(conn) File "C:\Users\vijayakb\AppData\Local\Programs\Python\Python39\lib\asyncio\windows_events.py", line 718, in _register_with_iocp _overlapped.CreateIoCompletionPort(obj.fileno(), self._iocp, 0, 0) OSError: [WinError 87] The parameter is incorrect – Barnala vijaykumar Apr 26 '21 at 07:20
  • I don't understand what is causing the errors in *proactor_events.py* and *windows_events.py*. I added some error handling to my code to see if these errors can be bypassed. Please let me know what happens. – Life is complex Apr 26 '21 at 10:26
  • Sure, will check and let you know – Barnala vijaykumar Apr 26 '21 at 17:05
  • Still I can see the same error with the new code as well. Error on reading from the event loop self pipe loop: Traceback (most recent call last): File "C:\Users\vijayakb\AppData\Local\Programs\Python\Python39\lib\asyncio\proactor_events.py", line 777, in _loop_self_reading f = self._proactor.recv(self._ssock, 4096) – Barnala vijaykumar Apr 30 '21 at 10:38
  • File "C:\Users\vijayakb\AppData\Local\Programs\Python\Python39\lib\asyncio\windows_events.py", line 445, in recv self._register_with_iocp(conn) File "C:\Users\vijayakb\AppData\Local\Programs\Python\Python39\lib\asyncio\windows_events.py", line 718, in _register_with_iocp _overlapped.CreateIoCompletionPort(obj.fileno(), self._iocp, 0, 0) OSError: [WinError 87] The parameter is incorrect – Barnala vijaykumar Apr 30 '21 at 10:39
  • (1) What version of Python and Pyshark are you using? – Life is complex May 01 '21 at 13:20
  • (2) Are you using my code with FileCapture or LiveCapture? – Life is complex May 01 '21 at 13:20
  • (3) Are you using my 21 lines of code by themselves or within another script? – Life is complex May 01 '21 at 13:31
  • Python is 3.9.0 & Pyshark is pyshark-0.4.3. I'm using your code for file capture and not using your code with any other script. – Barnala vijaykumar May 02 '21 at 18:20
  • I noticed an issue with the code. The same information is captured in both sip_header & sip_body. It is not capturing only SIP header related info in "sip_header" and SIP body related info in "sip_body". – Barnala vijaykumar May 02 '21 at 18:23
  • You need to filter the values according to your use case. I posted a list of *field names* to extract values from. – Life is complex May 02 '21 at 18:47
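
The printed `sip.msg_hdr` values above carry the SDP body after the first empty element, which is the overlap raised in the last comments. The following is an added example, not part of the original answer: it splits one such value into headers and body at the first blank line and flags a `Content-Length` mismatch or duplicated single-value headers, which is useful when a capture may contain malformed or tampered SIP. `split_sip_message`, `SEP` and `SINGLE` are hypothetical names; the separator is assumed to be the escaped `\xd\xa` text the answer splits on, and the sample is an abridged, constructed copy of the first INVITE in the output.

```python
SEP = "\\xd\\xa"  # assumption: CRLF arrives as this escaped text, as in the answer
SINGLE = ("call-id", "cseq", "content-length", "from", "to")


def split_sip_message(raw, sep=SEP):
    """Split one sip.msg_hdr value into (headers, body_lines, problems)."""
    head, blank, body = raw.partition(sep + sep)  # first empty line ends headers
    headers, problems, last = {}, [], None
    if not blank:
        problems.append("no blank line terminating the headers")
    for line in filter(None, head.split(sep)):
        if line[0] in " \t" and last:  # folded continuation of previous header
            headers[last][-1] += " " + line.strip()
            continue
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            problems.append("malformed header line: %r" % line)
            continue
        last = name.strip().lower()  # header names are case-insensitive
        headers.setdefault(last, []).append(value.strip())
    for name in SINGLE:
        if len(headers.get(name, [])) > 1:
            problems.append("duplicate %s header" % name)
    body_len = len(body.replace(sep, "\r\n").encode("utf-8"))
    declared = headers.get("content-length", [""])[0]
    if not declared.isdecimal():
        problems.append("missing or non-numeric Content-Length")
    elif int(declared) != body_len:
        problems.append("Content-Length %s but body is %d bytes" % (declared, body_len))
    return headers, [ln for ln in body.split(sep) if ln], problems


# Constructed sample: first INVITE from the output above, abridged, re-joined with SEP
SAMPLE = SEP.join([
    "Via: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2118-1-0",
    'From: "L16/8000/2" <sip:sipp@10.0.2.20:5060>;tag=1',
    "To: test <sip:test@10.0.2.15:5060>",
    "Call-ID: 1-2118@10.0.2.20",
    "CSeq: 1 INVITE",
    "Content-Type: application/sdp",
    "Content-Length:   126",
    "",
    "v=0", "o=- 42 42 IN IP4 10.0.2.20", "s=-", "c=IN IP4 10.0.2.20", "t=0 0",
    "m=audio 6000 RTP/AVP 99", "a=rtpmap:99 L16/8000/2", "a=recvonly", "",
])

if __name__ == "__main__":
    hdrs, sdp, issues = split_sip_message(SAMPLE)
    print(hdrs["call-id"], sdp, issues)
```

To use it with the answer's loop, pass the `field_value` of `sip.msg_hdr` to `split_sip_message` instead of printing it.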