Convert PCAP file to Text
I searched high and low on how to convert a Wireshark trace in pcap format into a text file. The only help I got, which really helped, was PCAP format file conversion. On the command line, you have to run the following command:
tshark -V -r file_to_convert.pcap
It displays the trace as text: the -V switch prints the full decoded packet details for every frame (the same tree you expand in the Wireshark packet details pane); without -V you get the one-line-per-packet summary instead. To save the output to a file, I did the following on Windows 2003:
tshark -V -r file_to_convert.pcap > file_to_convert.txt
Of course, I am assuming you have tshark installed. Since I installed everything when I installed Wireshark, tshark was installed already.
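As an added example (not code from the original post or from the Wireshark project), here is a minimal reader for the classic pcap format that prints a capture as text the way tshark -V does for the container and for the Ethernet/IPv4/UDP layers. The one-packet capture it reads is constructed in memory, the MAC and IP addresses in it are sample values, and the dump_with_tshark helper is just the post's command line wrapped in subprocess.

```python
"""Read a classic pcap (libpcap) file and print it as text.

Added example, not code from the original post or from Wireshark. It walks
the container that `tshark -V -r file.pcap` reads (24-byte global header,
then a 16-byte record header per packet) and decodes Ethernet/IPv4/UDP by
hand. The sample capture is constructed in memory so the script runs offline.
"""
import struct
import subprocess

# The first four bytes of the file select byte order and timestamp resolution.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),       # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),       # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),   # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),   # big-endian, nanoseconds
}
LINKTYPE_ETHERNET = 1

def parse_pcap(data):
    """Return [(timestamp, captured_len, original_len, frame_bytes), ...].
    Raises ValueError on a bad magic or a record running past EOF (a capture cut off mid-write)."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a pcap file: bad magic or too short")
    endian, ticks = MAGICS[data[:4]]
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}; only Ethernet is decoded here")
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError(f"truncated packet data at offset {off}")
        records.append((ts_sec + ts_frac / ticks, incl_len, orig_len, data[off:off + incl_len]))
        off += incl_len
    return records

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ipv4(b):
    return ".".join(str(x) for x in b)

def describe(frame):
    """Text lines for one frame: Ethernet, then IPv4 and UDP when present."""
    if len(frame) < 14:
        return ["Ethernet: frame shorter than a header"]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    lines = [f"Ethernet II, Src: {mac(frame[6:12])}, Dst: {mac(frame[:6])}, Type: 0x{ethertype:04x}"]
    if ethertype != 0x0800 or len(frame) < 34:
        return lines
    ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    lines.append(f"Internet Protocol Version 4, Src: {ipv4(frame[26:30])}, Dst: {ipv4(frame[30:34])}, "
                 f"Proto: {proto}, Len: {total_len}")
    l4 = 14 + ihl
    if proto != 17 or len(frame) < l4 + 8:
        return lines
    sport, dport, ulen = struct.unpack("!HHH", frame[l4:l4 + 6])
    payload = frame[l4 + 8:l4 + max(ulen, 8)]     # a UDP length below 8 is malformed: no payload
    lines.append(f"User Datagram Protocol, Src Port: {sport}, Dst Port: {dport}, Len: {ulen}")
    lines.append(f"Data ({len(payload)} bytes): {payload[:32].hex()}")
    return lines

def pcap_to_text(data):
    """The whole capture as one text blob, one indented block per frame."""
    out = []
    for n, (ts, incl, orig, frame) in enumerate(parse_pcap(data), 1):
        out.append(f"Frame {n}: {orig} bytes on wire, {incl} bytes captured, time {ts:.6f}")
        out.extend("    " + line for line in describe(frame))
        out.append("")
    return "\n".join(out)

def dump_with_tshark(pcap_path, txt_path):
    """What the post does in the shell: tshark -V -r file.pcap > file.txt."""
    with open(txt_path, "w") as fh:
        subprocess.run(["tshark", "-V", "-r", pcap_path], stdout=fh, check=True)

def build_sample_pcap():
    """Construct a one-packet little-endian capture (sample data, not real traffic)."""
    payload = b"OPTIONS sip:pbx.example.invalid SIP/2.0\r\n\r\n"
    udp = struct.pack("!HHHH", 5060, 5060, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    frame = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00" + ip_hdr + udp
    header = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    record = struct.pack("<IIII", 1_700_000_000, 123456, len(frame), len(frame))
    return header + record + frame

if __name__ == "__main__":
    print(pcap_to_text(build_sample_pcap()))
```

Run it with no arguments and it prints the sample frame. A file that stops in the middle of a record raises ValueError instead of silently returning partial data, which is the same condition tshark reports as a capture cut short in the middle of a packet. Two caveats: anything other than Ethernet link type 1 is rejected rather than misdecoded, and Wireshark's newer default container, pcapng, is a different format that tshark reads but this script does not.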
Wireshark Filters
Wireshark or Ethereal traces can be filtered to show exactly what you need. Their website has an awesome Display Filter Reference, but it is not always clear how to use the fields in practice. This post provides a handful of filters and shows how to use them.
Filter a SIP Trace by Call ID
When you know the Call-ID of a call, you can filter the trace down to just that dialog. You may do it the following way:
sip.Call-ID contains 2211178-3446291419-730335
where 2211178-3446291419-730335 is the Call-ID. Real Call-IDs often contain characters the filter parser may not accept in an unquoted value (an @ followed by a host part, for example); the filter bar turns red when the expression does not parse and green when it does. Rather than trimming the value down to a substring that happens to parse, wrap the whole value in double quotes, e.g. sip.Call-ID contains "2211178-3446291419-730335@10.0.0.5". With the full value quoted you can also use == for an exact match. The same expression works on the command line with tshark -r file.pcap -Y '...'.
How do you get a Call-ID? Every request and response in a dialog carries the same Call-ID header, so the first INVITE is the place to read it: apply the filter sip.Method == "INVITE", select the INVITE, and expand Session Initiation Protocol > Message Header in the packet details to copy the Call-ID value (right-clicking the field and choosing Apply as Filter builds the filter for you).
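As an added example (not code from the original post or from Wireshark), the following Python script does the two things this section describes on SIP message text: it reads the Call-ID off the first INVITE, and it builds the display filter with the value double-quoted so that characters such as @ cannot invalidate the expression, then applies the same match locally. It also handles the compact i: form of the header and the case-sensitive comparison RFC 3261 requires for Call-ID. The three messages and the Call-ID in them are constructed sample data.

```python
"""Pull the Call-ID out of a SIP INVITE and filter a dialog on it.

Added example, not from the original post or from Wireshark. It works on SIP
message text as shown under "Session Initiation Protocol" in the packet
details. SAMPLE_MESSAGES and CALL_ID are constructed data, not a real capture.
"""

# Compact header names (RFC 3261 section 7.3.3); "i" is Call-ID. A handset that
# sends compact headers must still match the long-form filter in Wireshark.
COMPACT = {"i": "call-id", "f": "from", "t": "to", "v": "via", "m": "contact"}


def parse_sip(msg):
    """Return (start_line, headers); header names are lower-cased and expanded,
    folded continuation lines are joined, and only the first value is kept."""
    head = msg.split("\r\n\r\n", 1)[0]
    start, *lines = head.split("\r\n")
    headers, last = {}, None
    for line in lines:
        if line[:1] in (" ", "\t") and last:          # folded header continuation
            headers[last] += " " + line.strip()
            continue
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = COMPACT.get(name.strip().lower(), name.strip().lower())
        if name in headers:                           # keep the first occurrence only
            last = None
            continue
        headers[name] = value.strip()
        last = name
    return start, headers


def is_request(start_line, method):
    """Request lines read 'METHOD Request-URI SIP/2.0'; responses start with SIP/2.0."""
    return start_line.startswith(method + " ") and start_line.endswith(" SIP/2.0")


def invite_call_id(messages):
    """The post's advice: take the Call-ID from the first INVITE. None if there is no INVITE."""
    for msg in messages:
        start, hdrs = parse_sip(msg)
        if is_request(start, "INVITE") and "call-id" in hdrs:
            return hdrs["call-id"]
    return None


def display_filter(call_id, exact=True):
    """Wireshark/tshark display filter with the value double-quoted, so '@', '.'
    and similar characters in the Call-ID cannot make the expression invalid.
    Backslash and double quote inside the value get C-style escapes."""
    quoted = call_id.replace("\\", "\\\\").replace('"', '\\"')
    return f'sip.Call-ID {"==" if exact else "contains"} "{quoted}"'


def filter_by_call_id(messages, call_id):
    """Messages of one dialog. RFC 3261 section 20.8: Call-ID is compared
    case-sensitively byte for byte, so the value is not lower-cased."""
    return [m for m in messages if parse_sip(m)[1].get("call-id") == call_id]


def tshark_argv(pcap_path, call_id):
    """The same filter on the command line; -Y is tshark's display-filter option."""
    return ["tshark", "-r", pcap_path, "-Y", display_filter(call_id)]


CALL_ID = "2211178-3446291419-730335@10.0.0.5"             # sample value
SAMPLE_MESSAGES = [
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK1\r\n"
    "From: <sip:alice@example.invalid>;tag=a1\r\n"
    "To: <sip:bob@example.invalid>\r\n"
    f"Call-ID: {CALL_ID}\r\n"
    "CSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n",
    "SIP/2.0 100 Trying\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK1\r\n"
    f"i: {CALL_ID}\r\n"                                    # compact form of Call-ID
    "CSeq: 1 INVITE\r\n\r\n",
    "OPTIONS sip:pbx.example.invalid SIP/2.0\r\n"
    "Call-ID: 99-other-dialog@10.0.0.9\r\n"
    "CSeq: 7 OPTIONS\r\n\r\n",
]

if __name__ == "__main__":
    cid = invite_call_id(SAMPLE_MESSAGES)
    print("Call-ID from first INVITE:", cid)
    print("Wireshark filter:", display_filter(cid))
    print("tshark:", " ".join(tshark_argv("trace.pcap", cid)))
    for m in filter_by_call_id(SAMPLE_MESSAGES, cid):
        print("  matched:", m.split("\r\n", 1)[0])
```

Running it prints the Call-ID taken from the INVITE, the quoted filter, the equivalent tshark command, and the two messages of that dialog; the OPTIONS request with a different Call-ID is left out. The quoting in display_filter is the point: with the value quoted there is no need to search for a shorter substring that happens to parse.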
Wireshark on CentOS
The most obvious way to install Wireshark on CentOS is
yum install wireshark
But that package only gives you the command-line tools (tshark and friends). For the graphical Wireshark under Gnome (I am not sure about KDE because I didn't test on it), you also have to install this:
yum install wireshark-gnome
Hat tip: SOLVED – Re: [CentOS] wireshark install did not seem to work