I am using a trace file from a SIP network and it contains duplicate SIP messages because multiple trace points are picking up the same SIP message as it travels from one SIP entity to another. It's not possible to filter using VLANs or using the TTL field, as suggested in an older post. From the "Telephony" tab, SIP option, Wireshark is able to tell me that there are 50 "resent" packets out of the total of 359 packets. Is there some way to filter out these duplicates?

asked 05 Sep '13, 09:11 irebo
2 Answers:
editcap provides some options to remove duplicate frames. See the man page of editcap, options: -d, -D, -w. If your editcap version does not provide those options, please upgrade to the latest release.

Regards

answered 06 Sep '13, 00:57 Kurt Knochner ♦
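The duplicate-window comparison behind the editcap options named in the answer above, modelled in Python as an added example (not part of the original answer and not editcap's own code). The frames, the 14-byte stand-in headers and the `skip` parameter are constructed or hypothetical; the point is that a short time window drops trace-point copies while keeping a genuine SIP retransmission.

```python
import hashlib
from collections import deque

def dedup(frames, window=5, time_window=None, skip=0):
    """frames: (timestamp_seconds, raw_bytes) tuples in capture order.
    window: count mode, compare with the previous window-1 frames.
    time_window: if set, compare with frames at most this many seconds older.
    skip: hypothetical knob, leading bytes left out of the fingerprint.
    Returns (kept_frames, dropped_indexes)."""
    recent = deque()              # (timestamp, length, digest) of earlier frames
    kept, dropped = [], []
    for idx, (ts, raw) in enumerate(frames):
        body = raw[skip:] if len(raw) > skip else raw
        # MD5 is only a cheap fingerprint here, not a security control.
        key = (len(body), hashlib.md5(body).digest())
        if time_window is not None:
            while recent and ts - recent[0][0] > time_window:
                recent.popleft()
        if any(key == r[1:] for r in recent):
            dropped.append(idx)
        else:
            kept.append((ts, raw))
        recent.append((ts,) + key)    # duplicates stay in the window too
        if time_window is None:
            while len(recent) > window - 1:
                recent.popleft()
    return kept, dropped

# Constructed sample: two SIP messages seen at two trace points.
HDR_A, HDR_B = b"\xaa" * 14, b"\xbb" * 14   # stand-in link-layer headers
INVITE = (b"INVITE sip:bob@example.test SIP/2.0\r\n"
          b"Call-ID: a1@example.test\r\nCSeq: 1 INVITE\r\n\r\n")
RINGING = (b"SIP/2.0 180 Ringing\r\n"
           b"Call-ID: a1@example.test\r\nCSeq: 1 INVITE\r\n\r\n")
SAMPLE = [
    (0.000, HDR_A + INVITE),
    (0.001, HDR_A + INVITE),    # byte-identical copy from a second trace point
    (0.020, HDR_A + RINGING),
    (0.021, HDR_B + RINGING),   # same message, different link-layer header
    (0.500, HDR_A + INVITE),    # real retransmission 500 ms later
]

if __name__ == "__main__":
    print("count window      :", dedup(SAMPLE)[1])
    print("skip headers      :", dedup(SAMPLE, skip=14)[1])
    print("10 ms time window :", dedup(SAMPLE, time_window=0.01, skip=14)[1])
```

With the count-based window the retransmission at 0.500 s is dropped along with the copies; the 10 ms time window keeps it, which matters if the retransmissions themselves are what you are troubleshooting.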
For the frames identified by the SIP stats as 'resent', those frames should match the display filter 'sip.resend == 1', so you could try to filter these out.

answered 06 Sep '13, 04:16 MartinM