This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tried multiple wireshark versions. read Help files, wiki and forums but no one seems to have my issue. Now using wireshark 1.10, I can capture packets using my laptop gig port. I can filter SIP traffic and notice it<s using port 5060, and IP phones are using IP addresses in the 10.x.x.x range.

But if i select that same network card, attempt to add a packet filter (ex: net 10.x.x.x/24, or port 5060, host 10.x.x.x.) no packets are captured. The only filter that actually work is "ip"

what am I doing wrong?

One thing I should mention is that the sip session is mirrored to my ip address, not a mirrored port.

asked 23 Jul '13, 08:17

simseb451's gravatar image

simseb451
11112
accept rate: 0%

One thing I should mention is that the sip session is mirrored to my ip address, not a mirrored port.

How did you do that?

But if i select that same network card, attempt to add a packet filter (ex: net 10.x.x.x/24, or port 5060, host 10.x.x.x.) no packets are captured.

What was the capture filter you used?

(23 Jul '13, 10:09) Kurt Knochner ♦

Are there 802.1q vlan tags in the packets? If so, you will need to use the vlan keyword in your capture filter, e.g.:

vlan and host 10.x.x.x

See also:

If that's not the answer, then maybe you could post a small capture file to cloudshark and share the link to it here.

permanent link

answered 23 Jul '13, 09:50

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

Since the filter ip works, it is not vlan or pppoe encapsulation that interferes with your filter. But since you say One thing I should mention is that the sip session is mirrored to my ip address, not a mirrored port., I suspect the protocol hierarchy in your packets must be something like:

ethernet
IP
TCP or UDP
IP
UDP
SIP

All the capture filters you mentioned will filter only on the first IP headers, while you want to filter on the second IP headers or udp port. You will need to build a filter that dynamically skips the first IP/TCP layers. But that filter will depend on the actual layers that are in your trace.

Could you share a couple of packets on www.cloudshark.org and paste the link here? Beware to not upload any sensitive data. That way we can help you build a filter...

permanent link

answered 23 Jul '13, 14:36

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×549
×349
×32
×4
×3

question asked: 23 Jul '13, 08:17

question was seen: 2,654 times

last updated: 23 Jul '13, 14:36

p​o​w​e​r​e​d by O​S​Q​A