This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to filter OPTIONS messages

0

Hi All,

I could not find a way to filter out OPTIONS messages in Wireshark traces. Whatever I tried broke another thing, and since there are too many OPTIONS heartbeat messages and 200 OK responses to these messages, I need to filter them out for sure.

I tried to add these 2 things in addition to the "camel || inap || tcap || sip" filter:

1- When I tried to add the sentence below to the filters, it also filters 180 Ringing messages, and I do not know why.

sip.Method != "OPTIONS"

2- When I tried to add the sentence below to the filters, it shows all messages except OPTIONS messages, including TCP IP, ARP, Heartbeat messages.

!(sip.Method == "OPTIONS")

I would appreciate your assistance, thanks.

asked 26 Sep '12, 13:13

optionsboy


One Answer:

2

Here is what both filters mean:

  1. sip.Method != "OPTIONS" means "There is at least one sip.Method field that does not have the value 'OPTIONS'"
  2. !(sip.Method == "OPTIONS") means "There is no sip.Method field that has the value 'OPTIONS'"

So in 1) there needs to be a sip.Method field to make the filter match, while in 2) there does not need to be a sip.Method field present.

How about the filter sip.Method && !(sip.Method == "OPTIONS") ?

answered 26 Sep '12, 13:24

SYN-bit ♦♦

Thanks for the answer. But I also already tried -> sip.Method && !(sip.Method == "OPTIONS")

This is not filtering 200 OK responses to OPTIONS messages. This is just filtering OPTIONS messages. As I said, there are too many OPTIONS messages and 200 OK messages as responses to them. I need to filter out both of them.

I do not want to filter all 200 OK messages, just the ones which are responses to OPTIONS messages.

(26 Sep '12, 14:15) optionsboy

(I converted your answer to a comment, please review the FAQ for details)

Wireshark filters work on PDUs, and a request is one PDU and the response is another. So Wireshark cannot filter the "200 OK" messages in the way you want by default.

However, with MATE, you can indeed link requests to responses and create a filter that only deletes the SIP messages of method OPTIONS and the corresponding responses. I do not have a MATE script ready for that though; you will need to cook one yourself based on the (limited) examples provided.

(26 Sep '12, 14:28) SYN-bit ♦♦

I have no information about MATE scripts. I could not find enough examples for me to create one.

So I still need an answer, if someone has already tried this, because this should be a popular filter in all SIP messaging networks.

So for now the sip.Method != "OPTIONS" filter is better for me because it was filtering all OPTIONS messages and 200 OK responses to OPTIONS messages, but it is also filtering some extra messages which include the word "options"...

(26 Sep '12, 14:46) optionsboy

I just downloaded a SIP trace from www.pcapr.net; in this trace both requests and responses have the sip.CSeq.method field. Does your SIP traffic have that field too? If it does, you might be able to achieve your goal with:

sip && !(sip.CSeq.method == "OPTIONS")

(26 Sep '12, 15:10) SYN-bit ♦♦

Thanks a million

(26 Sep '12, 15:48) optionsboy
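
The filter semantics explained in the answer, and the CSeq-based filter from the last comment, modelled as an added Python example (not part of the original thread and not Wireshark code). The SIP messages are constructed samples, and `fields`, `any_differs`, `none_equals`, `FILTERS` and `shown` are hypothetical names; the model only applies the "at least one field differs" and "no field equals" rules as the answer states them.

```python
import re

# Constructed sample traffic: SIP start line + CSeq header only; None = non-SIP frame.
SAMPLES = [
    "OPTIONS sip:gw.example.net SIP/2.0\r\nCSeq: 101 OPTIONS\r\n\r\n",  # 0 heartbeat
    "SIP/2.0 200 OK\r\nCSeq: 101 OPTIONS\r\n\r\n",                      # 1 its response
    "INVITE sip:bob@example.net SIP/2.0\r\nCSeq: 1 INVITE\r\n\r\n",     # 2
    "SIP/2.0 180 Ringing\r\nCSeq: 1 INVITE\r\n\r\n",                    # 3
    "SIP/2.0 200 OK\r\nCSeq: 1 INVITE\r\n\r\n",                         # 4
    None,                                                               # 5 e.g. ARP
]

def fields(msg):
    """Fields a dissector would expose for one frame: name -> list of values."""
    if msg is None:
        return {}
    out = {"sip": [True]}
    start_line = msg.split("\r\n", 1)[0]
    if not start_line.startswith("SIP/2.0 "):      # only a request line has a method
        out["sip.Method"] = [start_line.split(" ", 1)[0]]
    cseq = re.search(r"^CSeq:\s*\d+\s+(\S+)", msg, re.M | re.I)
    if cseq:                                       # present in requests AND responses
        out["sip.CSeq.method"] = [cseq.group(1)]
    return out

def any_differs(f, name, value):   # name != value, as the answer describes it
    return any(v != value for v in f.get(name, []))

def none_equals(f, name, value):   # !(name == value); also true when field is absent
    return not any(v == value for v in f.get(name, []))

FILTERS = {
    'sip.Method != "OPTIONS"': lambda f: any_differs(f, "sip.Method", "OPTIONS"),
    '!(sip.Method == "OPTIONS")': lambda f: none_equals(f, "sip.Method", "OPTIONS"),
    'sip && !(sip.CSeq.method == "OPTIONS")':
        lambda f: "sip" in f and none_equals(f, "sip.CSeq.method", "OPTIONS"),
}

def shown(expr):
    """Indexes of SAMPLES that stay visible under the given filter expression."""
    return [i for i, msg in enumerate(SAMPLES) if FILTERS[expr](fields(msg))]

if __name__ == "__main__":
    for expr in FILTERS:
        print(f"{expr:45} -> frames {shown(expr)}")
```

Only the third expression hides frame 1, the 200 OK answering the heartbeat, while keeping the 180 Ringing and the 200 OK that belong to the INVITE.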