Wireshark mailing list archives
Re: SIP trace with tshark?
From: Graham Bloice <graham.bloice () trihedral com>
Date: Mon, 7 Sep 2020 08:34:33 +0100
There are two filter syntaxes, the capture filter syntax, also known as BPF filters, which is a high performance filter that limits which packets are captured but concentrates on Layer 1-3 filtering and display filters which can operate on any field in any protocol that Wireshark knows about but require full dissection so are lower performing. The capture filter syntax is described here: https://www.wireshark.org/docs/man-pages/pcap-filter.html, and is the default filter for tshark or can be preceded by the -f flag. The display filter syntax is described here: https://www.wireshark.org/docs/man-pages/wireshark-filter.html, and it uses the -Y flag. The display filter syntax can also be used as a "Read" filter to limit the packets read from a capture (and can't be used on a live capture) with the -r flag (which also requires the -2 flag). "sip" isn't part of the display filter syntax so that's why you get the error, also note that capture filters don't use "==". If you use "-f 'udp port 5060' " then that will limit the capture to that UDP port, and hopefully no other protocols will be using it. On Mon, 7 Sep 2020 at 01:11, Nicholas Saunders <saunders.nicholas () gmail com> wrote:
It says that this isn't a valid capture filter due to a syntax error: nicholas $ nicholas $ sudo tshark -f udp.port==5060,sip Running as user "root" and group "root". This could be dangerous. Capturing on 'enp0s25' tshark: Invalid capture filter "udp.port==5060,sip" for interface 'enp0s25'. That string isn't a valid capture filter (can't parse filter expression: syntax error). See the User's Guide for a description of the capture filter syntax. 0 packets captured nicholas $ so I'm still reading the manual, but could sure use a pointer here. thanks, Nick On 2020-09-06 5:02 a.m., Jaap Keuter wrote:On 6 Sep 2020, at 10:59, Nicholas Saunders <saunders.nicholas () gmail com>wrote:How do I monitor port 5060 for SIP traffic? Something like: sudo tshark -d udp.port==5060,http obviously, not http. thanks, NickHi, By default the SIP dissector is quite capable to pick up UDP packets onport 5060 for itself, so configuration like this is usually not needed. Otherwise see what ‘sip’ instead of ‘http’ brings.Thanks, Jaap
-- Graham Bloice
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-users Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- SIP trace with tshark? Nicholas Saunders (Sep 06)
- Re: SIP trace with tshark? Jaap Keuter (Sep 06)
- Re: SIP trace with tshark? Nicholas Saunders (Sep 06)
- Re: SIP trace with tshark? Graham Bloice (Sep 07)
- Re: SIP trace with tshark? Nicholas Saunders (Sep 06)
- Re: SIP trace with tshark? Nutkins, Tom (Sep 06)
- Re: SIP trace with tshark? Jaap Keuter (Sep 06)