Re: tcpdump forum ?

[Guy Harris <guy () alum mit edu>]

On Aug 27, 2012, at 5:11 AM, Aktuna, Ilker, Vodafone Turkey wrote:

> Unfortunately, I couldn’t find a forum/mailing list about tcpdump.

tcpdump-workers () lists tcpdump org

See

        http://www.tcpdump.org/#mailing-lists

> Now, my problem is about tcpdump getting only one way traffic if used with a filter. On the server that I use 
> tcpdump, there is libpcap 0.9.4 and tcpdump 3.9.4.
> Normally if I take captures without filter, I can receive 2 way SIP traffic. However, if I put a capture filter like 
> “port 5060” , I can only receive one way traffic in the file created.
>  
> In fact, I know why this happens; the SIP traffic is tunneled with ip protocol 4 (ipip) in one way. So, if I put a 
> filter “port 5060” that doesn’t cover “udp packets under ip protocol 4”. How can I solve this issue ?

By changing the libpcap source code to add an "ipip" term, similar to the "vlan", "mpls", and "pppoes" terms, to

        1) check for IP protocol 4

and

        2) change the offsets used when checking fields in transport-layer headers

building that version of libpcap and linking tcpdump (and other programs you want to support IP-in-IP in capture 
filters) with that version of libpcap, and capture using "port 5060 and (ipip and port 5060).
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe