Minimizing Capture File Size?

The filter syslog.msg contains "INVITE sip:" is not a capture filter, it is a display filter. That means that it doesn't filter out packets from getting into the trace, it only hides them from view. Capture filters are specified in the Capture Options dialog, not in the main window. Unfortunately I do not have a capture filter for you that does what you want to do, but maybe someone else can help you with that.

If nobody can come up with a capture filter you might consider doing a ring buffer capture and running tshark on the files to extract the packets you want every once in a while. That way you can prevent running out of disk space and extract the information you want.

Check out this page for a reference http://wiki.wireshark.org/CaptureFilters

Skip down to the line that starts "Capture HTTP Get" - use this sample as a guide.

To build this filter you'll need a packet capture that contains the kind of packet you're going to be looking for as a reference. In other words, do whatever you've done before and use the display filter you listed above - this should produce a few good representative packets. Click on the packet of interest, in Wireshark's middle frame expand the "Syslog message" tree, and look for the "Message: " line. In there you should see the "INVITE sip:" data, click on it. This should highlight an area of text in Wireshark's 3rd/bottom frame, this is the HEX viewer. You need to note into which HEX locations the characters "INVITE sip:" fall. In the only Syslog sample I have it appears that the syslog message starts in 0030. I ASSume that "INVITE sip:" would be located 0030-003a.

SO, you can start building the filter from there..