Wireshark mailing list archives

Re: SIP trace with tshark?


From: Graham Bloice <graham.bloice () trihedral com>
Date: Mon, 7 Sep 2020 08:34:33 +0100

There are two filter syntaxes: the capture filter syntax, also known as BPF
filters, which is a high-performance filter that limits which packets are
captured but concentrates on Layer 1-3 filtering, and display filters, which
can operate on any field in any protocol that Wireshark knows about but
require full dissection, so are lower performing.

The capture filter syntax is described here:
https://www.wireshark.org/docs/man-pages/pcap-filter.html, and is the
default filter for tshark or can be preceded by the -f flag.

The display filter syntax is described here:
https://www.wireshark.org/docs/man-pages/wireshark-filter.html, and it uses
the -Y flag.  The display filter syntax can also be used as a "Read" filter
to limit the packets read from a capture (and can't be used on a live
capture) with the -r flag (which also requires the -2 flag).

"sip" isn't part of the display filter syntax, so that's why you get the
error. Also note that capture filters don't use "==".  If you use "-f 'udp
port 5060' " then that will limit the capture to that UDP port, and
hopefully no other protocols will be using it.

On Mon, 7 Sep 2020 at 01:11, Nicholas Saunders <saunders.nicholas () gmail com>
wrote:

It says that this isn't a valid capture filter due to a syntax error:


nicholas $
nicholas $ sudo  tshark -f udp.port==5060,sip
Running as user "root" and group "root". This could be dangerous.
Capturing on 'enp0s25'
tshark: Invalid capture filter "udp.port==5060,sip" for interface
'enp0s25'.

That string isn't a valid capture filter (can't parse filter expression:
syntax error).
See the User's Guide for a description of the capture filter syntax.
0 packets captured
nicholas $


so I'm still reading the manual, but could sure use a pointer here.



thanks,


Nick


On 2020-09-06 5:02 a.m., Jaap Keuter wrote:
On 6 Sep 2020, at 10:59, Nicholas Saunders <saunders.nicholas () gmail com>
wrote:

How do I monitor port 5060 for SIP traffic?  Something like:


sudo  tshark -d udp.port==5060,http

obviously, not http.



thanks,


Nick

Hi,

By default the SIP dissector is quite capable of picking up UDP packets on
port 5060 for itself, so configuration like this is usually not needed.
Otherwise see what 'sip' instead of 'http' brings.

Thanks,
Jaap




-- 
Graham Bloice
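An added example, not from Graham's reply or from the Wireshark project: a small POSIX sh helper that rewrites the field-style tests people commonly hand to "-f" (such as udp.port==5060) into BPF capture-filter syntax, flags the tell-tale display-filter characters, and prints the tshark invocation with the flag that actually accepts each form. The function names and the translated subset are assumptions of this example.

```sh
#!/bin/sh
# Added example (hypothetical helpers, not from the thread): translate the
# display-filter style tests that are commonly mistyped into "tshark -f"
# into BPF capture-filter syntax, and pick the right flag for each form.

# Translate a small subset of display-filter syntax into BPF:
# udp.port==N, tcp.port==N, ip.addr==A, ip.src==A, ip.dst==A, && and ||.
# Anything else is passed through unchanged.
to_capture_filter() {
    printf '%s\n' "$1" | sed -E \
        -e 's/(udp|tcp)\.port *== *([0-9]+)/\1 port \2/g' \
        -e 's/ip\.addr *== *([0-9.]+)/host \1/g' \
        -e 's/ip\.(src|dst) *== *([0-9.]+)/\1 host \2/g' \
        -e 's/ *&& */ and /g' \
        -e 's/ *\|\| */ or /g'
}

# Syntactic check only (tshark is the real arbiter): BPF never contains
# "==", dotted protocol.field names, or "," (the latter is -d decode-as
# syntax, which is what the original "udp.port==5060,sip" was).
is_capture_filter() {
    case "$1" in
        *==*|*[a-z].[a-z]*|*,*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the tshark command for a live capture on interface $1 with
# expression $2: BPF goes to -f (cheap, applied before dissection);
# display-filter syntax can only be applied after dissection, via -Y.
live_capture_cmd() {
    if is_capture_filter "$2"; then
        printf "tshark -i %s -f '%s'\n" "$1" "$2"
    else
        printf "tshark -i %s -Y '%s'\n" "$1" "$2"
    fi
}

# The same display filter applied to a saved capture as a two-pass read
# filter (-2 -R), which is not available on a live capture.
read_file_cmd() {
    printf "tshark -r %s -2 -R '%s'\n" "$1" "$2"
}

# Demo: the user's expression, once translated, becomes a valid -f filter.
live_capture_cmd enp0s25 "$(to_capture_filter 'udp.port==5060')"
live_capture_cmd enp0s25 'udp.port==5060'
read_file_cmd capture.pcapng 'sip'
```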
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users