SIP Packet Parsing using Python

I have a pcap file captured during a VoIP call. From this file, I would like to filter out only the SIP packets, and I would like to parse the SIP packets to read the information present in the "SIP message Header" and "SIP Message body" using Python.

Any suggestions/sample code would be really helpful.

There is 1 best solution below

You can access the "SIP message Header" and "SIP Message body" of a SIP packet by querying the field names and field values for the packet.

Here is one way to do this.

import asyncio

import pyshark

pcap_file = 'sip.pcap'

capture = pyshark.FileCapture(pcap_file)
for packet in capture:
    try:
        # Only packets that were dissected as SIP carry a 'sip' layer
        if hasattr(packet, 'sip'):
            # _all_fields maps each dissected field name to its value
            for field_name, field_value in packet.sip._all_fields.items():
                if field_name == 'sip.msg_hdr':
                    # Lines in this field are separated by the literal text \xd\xa
                    print(field_value.split('\\xd\\xa'))
                elif field_name == 'sip.msg_body':
                    print(field_value)
    except OSError:
        pass
    except asyncio.TimeoutError:
        pass

# Release the capture once every packet has been read
capture.close()

sip.msg_hdr output from my code above

['Via: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2118-1-0', 'From: "L16/8000/2" <sip:[email protected]:5060>;tag=1', 'To: test <sip:[email protected]:5060>', 'Call-ID: [email protected]', 'CSeq: 1 INVITE', 'Contact: sip:[email protected]:5060', 'Max-Forwards: 70', 'Content-Type: application/sdp', 'Content-Length:   126', '', 'v=0', 'o=- 42 42 IN IP4 10.0.2.20', 's=-', 'c=IN IP4 10.0.2.20', 't=0 0', 'm=audio 6000 RTP/AVP 99', 'a=rtpmap:99 L16/8000/2', 'a=recvonly', '']
['Via: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2118-1-0', 'From: "L16/8000/2" <sip:[email protected]:5060>;tag=1', 'To: test <sip:[email protected]:5060>', 'Call-ID: [email protected]', 'CSeq: 1 INVITE', 'User-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit', 'Content-Length: 0', '', '']
['Via: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2118-1-0', 'From: "L16/8000/2" <sip:[email protected]:5060>;tag=1', 'To: test <sip:[email protected]:5060>;tag=yHyF9Hv4UgZ3D', 'Call-ID: [email protected]', 'CSeq: 1 INVITE', 'Contact: <sip:[email protected]:5060;transport=udp>', 'User-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit', 'Accept: application/sdp', 'Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE', 'Supported: timer, path, replaces', 'Allow-Events: talk, hold, conference, presence, as-feature-event, dialog, line-seize, call-info, sla, include-session-description, presence.winfo, message-summary, refer', 'Content-Type: application/sdp', 'Content-Disposition: session', 'Content-Length: 229', 'Remote-Party-ID: "test" <sip:[email protected]>;party=calling;privacy=off;screen=no', '', 'v=0', 'o=FreeSWITCH 1480145952 1480145953 IN IP4 10.0.2.15', 's=FreeSWITCH', 'c=IN IP4 10.0.2.15', 't=0 0', 'm=audio 26628 RTP/AVP 99 101', 'a=rtpmap:99 L16/8000/2', 'a=rtpmap:101 telephone-event/8000', 'a=fmtp:101 0-16', 'a=sendonly', 'a=ptime:20', '']
['Via: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2118-1-5', 'From: "L16/8000/2" <sip:[email protected]:5060>;tag=1', 'To: test <sip:[email protected]:5060>;tag=yHyF9Hv4UgZ3D', 'Call-ID: [email protected]', 'CSeq: 1 ACK', 'Contact: sip:[email protected]:5060', 'Max-Forwards: 70', 'Content-Length: 0', '', '']
['Via: SIP/2.0/UDP 10.0.2.15;rport;branch=z9hG4bKyFcaSgFpvZS6c', 'Max-Forwards: 70', 'From: test <sip:[email protected]:5060>;tag=yHyF9Hv4UgZ3D', 'To: "L16/8000/2" <sip:[email protected]:5060>;tag=1', 'Call-ID: [email protected]', 'CSeq: 99750230 BYE', 'User-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit', 'Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE', 'Supported: timer, path, replaces', 'Reason: Q.850;cause=16;text="NORMAL_CLEARING"', 'Content-Length: 0', '', '']
['Via: SIP/2.0/UDP 10.0.2.15;rport;branch=z9hG4bKyFcaSgFpvZS6c', 'From: test <sip:[email protected]:5060>;tag=yHyF9Hv4UgZ3D', 'To: "L16/8000/2" <sip:[email protected]:5060>;tag=1', 'Call-ID: [email protected]', 'CSeq: 99750230 BYE', 'Contact: <sip:10.0.2.20:5060;transport=UDP>', 'Content-Length: 0', '', '']
['Via: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2120-1-0', 'From: "L16/16000/2" <sip:[email protected]:5060>;tag=1', 'To: test <sip:[email protected]:5060>', 'Call-ID: [email protected]', 'CSeq: 1 INVITE', 'Contact: sip:[email protected]:5060', 'Max-Forwards: 70', 'Content-Type: application/sdp', 'Content-Length:   127', '', 'v=0', 'o=- 42 42 IN IP4 10.0.2.20', 's=-', 'c=IN IP4 10.0.2.20', 't=0 0', 'm=audio 6000 RTP/AVP 99', 'a=rtpmap:99 L16/16000/2', 'a=recvonly', '']
['Via: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2120-1-0', 'From: "L16/16000/2" <sip:[email protected]:5060>;tag=1', 'To: test <sip:[email protected]:5060>', 'Call-ID: [email protected]', 'CSeq: 1 INVITE', 'User-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit', 'Content-Length: 0', '', '']
['Via: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2120-1-0', 'From: "L16/16000/2" <sip:[email protected]:5060>;tag=1', 'To: test <sip:[email protected]:5060>;tag=ZtQ8aDD8rSNpS', 'Call-ID: [email protected]', 'CSeq: 1 INVITE', 'Contact: <sip:[email protected]:5060;transport=udp>', 'User-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit', 'Accept: application/sdp', 'Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE', 'Supported: timer, path, replaces', 'Allow-Events: talk, hold, conference, presence, as-feature-event, dialog, line-seize, call-info, sla, include-session-description, presence.winfo, message-summary, refer', 'Content-Type: application/sdp', 'Content-Disposition: session', 'Content-Length: 230', 'Remote-Party-ID: "test" <sip:[email protected]>;party=calling;privacy=off;screen=no', '', 'v=0', 'o=FreeSWITCH 1480148506 1480148507 IN IP4 10.0.2.15', 's=FreeSWITCH', 'c=IN IP4 10.0.2.15', 't=0 0', 'm=audio 24082 RTP/AVP 99 101', 'a=rtpmap:99 L16/16000/2', 'a=rtpmap:101 telephone-event/8000', 'a=fmtp:101 0-16', 'a=sendonly', 'a=ptime:20', '']
['Via: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2120-1-5', 'From: "L16/16000/2" <sip:[email protected]:5060>;tag=1', 'To: test <sip:[email protected]:5060>;tag=ZtQ8aDD8rSNpS', 'Call-ID: [email protected]', 'CSeq: 1 ACK', 'Contact: sip:[email protected]:5060', 'Max-Forwards: 70', 'Content-Length: 0', '', '']
['Via: SIP/2.0/UDP 10.0.2.15;rport;branch=z9hG4bKZr52tB0SS8FSr', 'Max-Forwards: 70', 'From: test <sip:[email protected]:5060>;tag=ZtQ8aDD8rSNpS', 'To: "L16/16000/2" <sip:[email protected]:5060>;tag=1', 'Call-ID: [email protected]', 'CSeq: 99750234 BYE', 'User-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit', 'Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE', 'Supported: timer, path, replaces', 'Reason: Q.850;cause=16;text="NORMAL_CLEARING"', 'Content-Length: 0', '', '']
['Via: SIP/2.0/UDP 10.0.2.15;rport;branch=z9hG4bKZr52tB0SS8FSr', 'From: test <sip:[email protected]:5060>;tag=ZtQ8aDD8rSNpS', 'To: "L16/16000/2" <sip:[email protected]:5060>;tag=1', 'Call-ID: [email protected]', 'CSeq: 99750234 BYE', 'Contact: <sip:10.0.2.20:5060;transport=UDP>', 'Content-Length: 0', '', '']
['Via: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2121-1-0', 'From: "L16/11025" <sip:[email protected]:5060>;tag=1', 'To: test <sip:[email protected]:5060>', 'Call-ID: [email protected]', 'CSeq: 1 INVITE', 'Contact: sip:[email protected]:5060', 'Max-Forwards: 70', 'Content-Type: application/sdp', 'Content-Length:   125', '', 'v=0', 'o=- 42 42 IN IP4 10.0.2.20', 's=-', 'c=IN IP4 10.0.2.20', 't=0 0', 'm=audio 6000 RTP/AVP 99', 'a=rtpmap:99 L16/11025', 'a=recvonly', '']
truncated...

I have tested the code above with multiple pcap files that contain SIP packets. In testing, the code produced no errors.

You will need to filter your packets based on your use case.

Here are the items in my SIP packets:

sip.Request-Line
sip.Method
sip.r-uri
sip.r-uri.user
sip.r-uri.host
sip.r-uri.port
sip.resend
sip.msg_hdr
sip.Via
sip.Via.transport
sip.Via.sent-by.address
sip.Via.rport
sip.Via.branch
sip.Max-Forwards
sip.From
sip.display.info
sip.from.addr
sip.from.user
sip.from.host
sip.from.port
sip.from.tag
sip.tag
sip.To
sip.to.addr
sip.to.user
sip.to.host
sip.to.port
sip.to.tag
sip.Call-ID
sip.call_id_generated
sip.CSeq
sip.CSeq.seq
sip.CSeq.method
sip.User-Agent
sip.Allow
sip.Supported
sip.Reason
sip.reason_protocols
sip.reason_cause_q850
sip.reason_text
sip.Content-Length


_ws.expert
sip.unrecognized_header
_ws.expert.message
_ws.expert.severity
_ws.expert.group
sip.msg_body
sdp.version
sdp.owner
sdp.owner.username
sdp.owner.sessionid
sdp.owner.version
sdp.owner.network_type
sdp.owner.address_type
sdp.owner.address
sdp.session_name
sdp.connection_info
sdp.connection_info.network_type
sdp.connection_info.address_type
sdp.connection_info.address
sdp.time
sdp.time.start
sdp.time.stop
sdp.media
sdp.media.media
sdp.media.port_string
sdp.media.port
sdp.media.proto
sdp.media.format
sdp.media_attr
sdp.media_attribute.field
sdp.mime.type
sdp.sample_rate
sdp.fmtp.parameter
sdp.media_attribute.value

----------------------------------------
My system information
----------------------------------------
Platform:    macOS
Python:      3.8.0
Pyshark:     0.4.3
----------------------------------------
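
The following is an added example, not part of the original answer: it parses a raw SIP message (the bytes of a UDP payload, for instance) into its start line, headers and SDP body without pyshark, and checks the declared Content-Length against the actual body size, a mismatch worth flagging when reviewing captures. The names `parse_sip`, `parse_sdp`, `COMPACT`, `SDP` and `SAMPLE` are hypothetical, and the sample message is constructed, modeled on the first INVITE in the output above with made-up URI user parts and Call-ID.

```python
# Added example: split a raw SIP message into start line, headers and SDP body.
# Compact header names (RFC 3261) are mapped to their long forms.
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id",
           "m": "contact", "l": "content-length", "c": "content-type"}

def parse_sip(raw: bytes) -> dict:
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line between SIP headers and body")
    lines = head.decode("utf-8", "replace").split("\r\n")
    start_line, headers, name = lines[0], {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and name:       # folded continuation line
            headers[name][-1] += " " + line.strip()
            continue
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        name = COMPACT.get(name.strip().lower(), name.strip().lower())
        headers.setdefault(name, []).append(value.strip())  # keep repeats in order
    declared = int(headers.get("content-length", ["0"])[0])
    return {"start_line": start_line, "headers": headers, "body": body,
            "length_ok": declared == len(body)}    # False: truncated or padded body

def parse_sdp(body: bytes) -> list:
    """Return the SDP body as ordered (type, value) pairs, e.g. ('m', 'audio ...')."""
    text = body.decode("utf-8", "replace")
    return [(l[0], l[2:]) for l in text.splitlines() if l[1:2] == "="]

# Constructed sample input (user parts and Call-ID are made up).
SDP = (b"v=0\r\no=- 42 42 IN IP4 10.0.2.20\r\ns=-\r\nc=IN IP4 10.0.2.20\r\n"
       b"t=0 0\r\nm=audio 6000 RTP/AVP 99\r\na=rtpmap:99 L16/8000/2\r\n"
       b"a=recvonly\r\n")
SAMPLE = (b"INVITE sip:test@10.0.2.15:5060 SIP/2.0\r\n"
          b"Via: SIP/2.0/UDP 10.0.2.20:5060;branch=z9hG4bK-2118-1-0\r\n"
          b"f: <sip:caller@10.0.2.20:5060>;tag=1\r\n"   # compact form of From
          b"To: test <sip:test@10.0.2.15:5060>\r\n"
          b"Call-ID: 1-2118@10.0.2.20\r\n"
          b"CSeq: 1 INVITE\r\n"
          b"Content-Type: application/sdp\r\n"
          b"Content-Length: %d\r\n\r\n" % len(SDP)) + SDP

if __name__ == "__main__":
    msg = parse_sip(SAMPLE)
    print(msg["start_line"], msg["headers"]["call-id"], msg["length_ok"])
    for kind, value in parse_sdp(msg["body"]):
        print(kind, value)
```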