This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark filter “tcp” is also showing SIP packets

0

Hi all,

When I type "TCP" in the filter box in order to get TCP messages, why does it still display SIP/SDP messages?

Could you help me find the reason?

Thanks

asked 12 Apr '13, 01:59

vhungvi

edited 16 Apr '13, 00:12


2 Answers:

1

Type 'tcp' in the display filter box, then click the 'Apply' button.

answered 12 Apr '13, 04:22

Jaap ♦

Thanks for the help! But what I mean is: after clicking "Apply", it also displays "TCP" and "SIP" messages; other protocols aren't displayed?

(14 Apr '13, 19:35) vhungvi

If you filter for tcp you will only see TCP traffic. RFC 2543 defines UDP and TCP for SIP. So, what you see is a SIP request made via TCP.

(15 Apr '13, 00:59) Kurt Knochner ♦

Hi! It still displays all SIP messages, such as SIP/SDP or SIP with OK, ACK, INVITE ... requests. I don't know the reason here.

(15 Apr '13, 21:33) vhungvi

If you filter for tcp in the display filter box, is it still displaying UDP packets?

If you believe it is, post a screenshot (showing the entire Wireshark window including the filter and the full dissection of one of the UDP packets in question) and post a comment (not an answer - answers aren't for replies to comments, they're for answers to the original question) giving the URL for the screenshot.

(15 Apr '13, 21:37) Guy Harris ♦♦
(15 Apr '13, 21:52) vhungvi

In that screenshot, the selected packet is a TCP packet.

Please select one of the UDP packets and take a new screenshot.

(15 Apr '13, 21:59) Guy Harris ♦♦

Hi Guy Harris!

I don't know who changed the title to "Wireshark filter "tcp" is showing UDP packets". But my problem here is that when I filter "TCP", Wireshark still displays SIP packets. Please help explain it. Thanks.

(16 Apr '13, 00:11) vhungvi

Hi! It still displays all SIP messages, such as SIP/SDP or SIP within

As I said: that's most certainly SIP over TCP (see my comment above).

(16 Apr '13, 05:28) Kurt Knochner ♦

0

But my problem here is that when I filter "TCP", Wireshark still displays SIP packets.

That's NOT a problem! SIP can run over TCP; if you filter for "tcp", Wireshark will show you TCP packets, which includes HTTP(-over-TCP) packets, SMB packets where SMB is running over TCP or over the NetBIOS session service (which runs over TCP), NFS-over-TCP packets, ..., and SIP-over-TCP packets. Expecting not to see any of those packets when you filter for "tcp" is a mistake.

If you don't want to see SIP packets, use the filter "!sip", which means "not SIP".

answered 16 Apr '13, 00:17

Guy Harris ♦♦

edited 16 Apr '13, 00:18

OK! Thanks for answering.

I understand it now.

Thanks once more!

(16 Apr '13, 03:05) vhungvi
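
Added example (not part of the original thread): a small Python model of the behaviour the answers describe, where a bare protocol name such as `tcp` matches every frame whose dissected protocol stack contains that protocol, so SIP-over-TCP frames pass `tcp` and are only dropped by `!sip`. The frame lists are constructed samples in the style of Wireshark's `frame.protocols` field; `matches` and `apply_filter` are hypothetical helpers, not Wireshark's filter engine, and evaluating `&&`/`||` left to right is this model's simplification.

```python
import re

# Constructed samples in the form of Wireshark's frame.protocols field,
# which lists every protocol dissected in a frame.
SAMPLE_FRAMES = {
    1: "eth:ethertype:ip:tcp",          # bare TCP segment
    2: "eth:ethertype:ip:tcp:sip:sdp",  # SIP/SDP carried over TCP
    3: "eth:ethertype:ip:udp:sip",      # SIP carried over UDP
    4: "eth:ethertype:ip:tcp:http",     # HTTP carried over TCP
    5: "eth:ethertype:ip:udp:dns",      # DNS carried over UDP
}
TOKEN = re.compile(r"&&|\|\||!|\(|\)|[a-z0-9_.-]+")

def matches(expr, protocols):
    """Toy evaluator: protocol names combined with !, &&, || and parentheses.
    A bare name is true when that protocol appears anywhere in the frame."""
    layers = set(protocols.split(":"))
    tokens = TOKEN.findall(expr)
    if "".join(tokens) != "".join(expr.split()):
        raise ValueError("unsupported characters in filter: %r" % expr)
    pos = 0

    def take(expected=None):
        nonlocal pos
        if pos >= len(tokens) or (expected and tokens[pos] != expected):
            raise ValueError("malformed filter: %r" % expr)
        pos += 1
        return tokens[pos - 1]

    def unary():
        tok = take()
        if tok == "!":
            return not unary()
        if tok == "(":
            value = binary()
            take(")")
            return value
        if tok in ("&&", "||", ")"):
            raise ValueError("malformed filter: %r" % expr)
        return tok in layers  # e.g. "tcp" is true for SIP-over-TCP frames too

    def binary():  # left to right; parenthesise when mixing && and ||
        value = unary()
        while pos < len(tokens) and tokens[pos] in ("&&", "||"):
            op, rhs = take(), unary()
            value = (value and rhs) if op == "&&" else (value or rhs)
        return value

    result = binary()
    if pos != len(tokens):
        raise ValueError("malformed filter: %r" % expr)
    return result

def apply_filter(expr, frames=SAMPLE_FRAMES):
    """Return the frame numbers that the filter would display."""
    return [n for n, protos in sorted(frames.items()) if matches(expr, protos)]
```

Running `apply_filter("tcp")` on the samples returns frames 1, 2 and 4, including the SIP-over-TCP frame, while `apply_filter("tcp && !sip")` returns only 1 and 4.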