Hi, I am using Mikrotik to stream to Wireshark. To see only the Mikrotik stream and not my local interface I use: udp.port == 37008 How can I drill down into this data stream and only show for example my VoIP (rtp) traffic which comes from my Mikrotik router? asked 29 Mar '14, 16:28  Hoender |
One Answer:
It would help if you can post a screenshot of the packet details you see for a packet that should be decoded as SIP. Or better yet post a pcap file somewhere, for example on cloudshark.org. From reading the Mikrotik docs, it looks like they encapsulate the packets in TZSP, which Wireshark does support and should automatically decode on UDP port 37008. Are you seeing "TZSP" as the protocol inside the UDP packets? If so, the next packet inside the TZSP should be the link-layer packet - either Ethernet or 802.11, and from there it should decode the rest automatically. If the original SIP packets didn't use TCP or UDP port 5060, though, it won't decode them as SIP. You'll have to force it by doing one of the "Decode as..." methods. But again, if you can post the pcap file it would help. answered 30 Mar '14, 12:44  Hadriel |
