Wireshark mailing list archives
tcpdump forum ?
From: "Aktuna, Ilker, Vodafone Turkey" <ilker.aktuna () vodafone com>
Date: Mon, 27 Aug 2012 12:11:01 +0000
Hi,

Unfortunately, I couldn't find a forum/mailing list about tcpdump. That's why I'd like to ask my question here, as most of the Wireshark users are using tcpdump for capturing traffic. If this is not suitable, please point me to a forum where I could ask about tcpdump.

Now, my problem is about tcpdump getting only one-way traffic if used with a filter. On the server where I use tcpdump, there is libpcap 0.9.4 and tcpdump 3.9.4. Normally, if I take captures without a filter, I can receive two-way SIP traffic. However, if I put a capture filter like "port 5060", I can only receive one-way traffic in the file created.

In fact, I know why this happens; the SIP traffic is tunneled with IP protocol 4 (ipip) in one way. So, if I put a filter "port 5060", that doesn't cover "udp packets under ip protocol 4". How can I solve this issue?

Previously, I had another server with different versions of libpcap and tcpdump. Then I was able to capture both-way traffic for the same SIP proxy. I assume that was because of the tcpdump or libpcap version, but I don't remember which version they were. I also tried with tcpdump version 4.3.0 and libpcap 1.3.0. They produce the same result as the currently installed 3.94/0.9.4.

To make you better understand the problem, this is how it looks if I don't put a capture filter:

15:09:21.908057 IP 10.8.8.97.5060 > 10.34.75.153.5072: SIP, length: 526
15:09:21.908065 IP 10.8.8.97.5060 > 10.34.75.153.5072: SIP, length: 526
15:09:21.910438 IP 10.8.8.97.5060 > 10.34.75.153.5072: SIP, length: 552
15:09:21.910448 IP 10.8.8.97.5060 > 10.34.75.153.5072: SIP, length: 552
15:09:21.961323 IP 10.8.8.114 > 10.8.8.122: IP 10.34.75.153.5072 > 10.8.8.97.5060: SIP, length: 408 (ipip-proto-4)
15:09:21.961327 IP 10.8.8.114 > 10.8.8.122: IP 10.34.75.153.5072 > 10.8.8.97.5060: SIP, length: 408 (ipip-proto-4)
15:09:21.983076 IP 10.8.8.114 > 10.8.8.118: IP 10.34.73.120.5072 > 10.8.8.97.5060: SIP, length: 536 (ipip-proto-4)
15:09:21.983079 IP 10.8.8.114 > 10.8.8.118: IP 10.34.73.120.5072 > 10.8.8.97.5060: SIP, length: 536 (ipip-proto-4)
15:09:22.015179 IP 10.8.8.114 > 10.8.8.122: IP 10.34.75.153.5072 > 10.8.8.97.5060: SIP, length: 398 (ipip-proto-4)
15:09:22.015184 IP 10.8.8.114 > 10.8.8.122: IP 10.34.75.153.5072 > 10.8.8.97.5060: SIP, length: 398 (ipip-proto-4)

Thanks,
ilker
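
Added example, not part of the original message: a small Python model of why a port match that reads only the outer IPv4 header misses the IP-in-IP (protocol 4) direction shown in the capture, next to a reader that strips the tunnel header first. The function names, the stand-in SIP payload and the simplified matching logic are assumptions made for illustration; the addresses and ports are taken from the capture above.

```python
import struct

IPIP, TCP, UDP = 4, 6, 17  # IPv4 protocol numbers

def ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (no options, checksum left 0) + payload."""
    pack_addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, pack_addr(src), pack_addr(dst)) + payload

def udp(sport, dport, data):
    """UDP header (checksum left 0) + data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def ports_outer_only(pkt):
    """Simplified model of 'port N': ports are read only when the OUTER
    protocol is TCP/UDP and the packet is not a later fragment."""
    if pkt[9] not in (TCP, UDP):
        return None
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!HH", pkt[ihl:ihl + 4])

def ports_decapsulated(pkt):
    """Strip IP-in-IP (protocol 4) layers first, then read the ports."""
    while pkt[9] == IPIP:
        pkt = pkt[(pkt[0] & 0x0F) * 4:]
    return ports_outer_only(pkt)

def matches(pkt, port, reader):
    """True if the reader finds `port` as source or destination port."""
    ports = reader(pkt)
    return ports is not None and port in ports

# Constructed packets using addresses from the capture; payload is a stand-in.
SIP = b"SIP/2.0 200 OK\r\n\r\n"
PLAIN = ipv4(UDP, "10.8.8.97", "10.34.75.153", udp(5060, 5072, SIP))
TUNNELED = ipv4(IPIP, "10.8.8.114", "10.8.8.122",
                ipv4(UDP, "10.34.75.153", "10.8.8.97", udp(5072, 5060, SIP)))

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("ipip", TUNNELED)):
        print(name, matches(pkt, 5060, ports_outer_only),
              matches(pkt, 5060, ports_decapsulated))
```

In pcap-filter syntax, the decapsulating reader corresponds to an expression such as `port 5060 or (ip proto 4 and (ip[40:2] = 5060 or ip[42:2] = 5060))`, which assumes both IPv4 headers are 20 bytes with no options.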
Current thread:
- tcpdump forum ? Aktuna, Ilker, Vodafone Turkey (Aug 27)
- Re: tcpdump forum ? Guy Harris (Aug 27)
- Re: tcpdump forum ? Sake Blok (Aug 27)
- Re: tcpdump forum ? Aktuna, Ilker, Vodafone Turkey (Aug 28)
- Re: tcpdump forum ? Sake Blok (Aug 28)
- Re: tcpdump forum ? Aktuna, Ilker, Vodafone Turkey (Aug 28)
- Re: tcpdump forum ? Sake Blok (Aug 29)
- Re: tcpdump forum ? Aktuna, Ilker, Vodafone Turkey (Aug 30)
- Re: tcpdump forum ? Sake Blok (Aug 27)
- Re: tcpdump forum ? Guy Harris (Aug 27)