I am implementing a dissector for the SIP and RTP protocols. I have searched a lot on libpcap and Wireshark support for filtering SIP traffic. Currently, I am using a tshark process to execute display filters to capture SIP traffic based on some SIP header values (e.g. Call-ID). I want to use this feature as a library to integrate with my module. Let me know if this is possible to do by compiling any source as a library.
asked 10 Jun '14, 18:20 creativeDrive
One Answer:
O.K., according to your comment, it sounds to me like you want to create your own version of Wireshark/tshark, limited to SIP/RTP, and that you intend to use display filters during the capturing process. Well, then the answer is: there is no 'official' library that's easy to use, because behind the scenes of display filters you will find the whole dissection engine of Wireshark. Yes, you can use that functionality (libwireshark) in your own code, but no, it's not simply linking the library against your code. Please read the following answer: Then, if you still think you need that, take a look at projects using libwireshark and learn from their example.
Regards
answered 12 Jun '14, 11:38 Kurt Knochner ♦
Thanks Kurt for giving me pointers in the right direction. I need to explore more as per my requirement. (12 Jun '14, 12:09) creativeDrive
If you say module do you mean your dissector?
If so, is your question how to use display filters in the code of your dissector?
Well, currently I am reading an existing pcap which dumps all IP packets (because I need all of them in general) and filtering through it using the tshark command (tshark -r <input.pcap> -w <output.pcap> 'sip.Call-Id == "xxxxx"').
As SIP display filters are already available (http://www.wireshark.org/docs/dfref/s/sip.html) I would like to use them as an API with my code to filter out the traffic of interest. This is a kind of 2-pass filter.
But it would help if I could apply the display filter while capturing live traffic.
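The thread's filter, matching SIP messages on their Call-ID header, is small enough to reproduce without libwireshark. The following is an added example written for this page, not code from the thread, from Wireshark or from the asker's module: a minimal SIP header parser that expands the RFC 3261 compact header forms (so "i:" is recognised as Call-ID), joins folded continuation lines, matches header names case-insensitively, and then applies the same Call-ID equality test the tshark display filter expresses. The SIP messages and the non-SIP byte string it runs on are constructed sample data; a real tool would feed it the UDP/TCP payloads pulled from the pcap.

```python
"""Added example (not Wireshark/libwireshark code): filter SIP messages
by Call-ID, the same test as the display filter 'sip.Call-ID == "..."'.
Sample messages below are constructed for illustration."""
from typing import Dict, List, Optional, Tuple

# Compact header names from RFC 3261 section 7.3.3 mapped to their long
# form, so that 'i: <id>' is treated the same as 'Call-ID: <id>'.
COMPACT_HEADERS = {
    "i": "call-id", "f": "from", "t": "to", "v": "via",
    "m": "contact", "c": "content-type", "l": "content-length",
}


def parse_sip_headers(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Return (start line, headers) for one SIP message.

    Header names are lower-cased and compact forms expanded; folded
    continuation lines (leading space or tab) are appended to the
    previous header value. Anything that is not a SIP message yields an
    empty header map rather than an exception.
    """
    text = raw.decode("utf-8", errors="replace")
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start_line = lines[0]
    headers: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and current is not None:
            # RFC 3261 line folding: continuation of the previous header.
            joined = headers[current][-1] + " " + line.strip()
            headers[current][-1] = joined.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; skip rather than fail
        name = name.strip().lower()
        name = COMPACT_HEADERS.get(name, name)
        headers.setdefault(name, []).append(value.strip())
        current = name
    return start_line, headers


def call_id(raw: bytes) -> Optional[str]:
    """Call-ID of a SIP message, or None if the payload is not SIP."""
    _, headers = parse_sip_headers(raw)
    values = headers.get("call-id")
    return values[0] if values else None


def filter_by_call_id(messages: List[bytes], wanted: str) -> List[bytes]:
    """Equivalent of the display filter sip.Call-ID == "<wanted>"."""
    return [m for m in messages if call_id(m) == wanted]


def group_by_call_id(messages: List[bytes]) -> Dict[str, List[str]]:
    """Map each Call-ID to the start lines of its messages (one dialog)."""
    groups: Dict[str, List[str]] = {}
    for m in messages:
        cid = call_id(m)
        if cid is None:
            continue
        start_line, _ = parse_sip_headers(m)
        groups.setdefault(cid, []).append(start_line)
    return groups


# Constructed sample traffic: two messages of one call (the second uses
# compact headers), one REGISTER of another call with a folded, upper-case
# Call-ID header, and one RTP-looking payload that is not SIP at all.
SAMPLE_MESSAGES: List[bytes] = [
    (b"INVITE sip:bob@biloxi.example.com SIP/2.0\r\n"
     b"Via: SIP/2.0/UDP pc33.atlanta.example.com;branch=z9hG4bK776asdhds\r\n"
     b"From: Alice <sip:alice@atlanta.example.com>;tag=1928301774\r\n"
     b"To: Bob <sip:bob@biloxi.example.com>\r\n"
     b"Call-ID: a84b4c76e66710@pc33.atlanta.example.com\r\n"
     b"CSeq: 314159 INVITE\r\n"
     b"Content-Length: 0\r\n\r\n"),
    (b"SIP/2.0 200 OK\r\n"
     b"v: SIP/2.0/UDP pc33.atlanta.example.com;branch=z9hG4bK776asdhds\r\n"
     b"f: Alice <sip:alice@atlanta.example.com>;tag=1928301774\r\n"
     b"t: Bob <sip:bob@biloxi.example.com>;tag=a6c85cf\r\n"
     b"i: a84b4c76e66710@pc33.atlanta.example.com\r\n"
     b"CSeq: 314159 INVITE\r\n"
     b"l: 0\r\n\r\n"),
    (b"REGISTER sip:registrar.biloxi.example.com SIP/2.0\r\n"
     b"Via: SIP/2.0/UDP bobspc.biloxi.example.com:5060;branch=z9hG4bKnashds7\r\n"
     b"CALL-ID:\r\n"
     b" 843817637684230@998sdasdh09\r\n"
     b"CSeq: 1826 REGISTER\r\n"
     b"Content-Length: 0\r\n\r\n"),
    b"\x80\x60\x00\x01\x00\x00\x00\xa0\xde\xad\xbe\xef" + b"\x00" * 16,
]

if __name__ == "__main__":
    wanted = "a84b4c76e66710@pc33.atlanta.example.com"
    print(len(filter_by_call_id(SAMPLE_MESSAGES, wanted)), "messages match", wanted)
    for cid, starts in group_by_call_id(SAMPLE_MESSAGES).items():
        print(cid, "->", starts)
```

The equality test on the first Call-ID value is deliberately strict, mirroring the display filter; matching on "contains" or a regular expression would be a different filter and is easy to add in filter_by_call_id. RTP is not matched by this code at all: correlating RTP streams with a call needs the media ports from the SDP body, which is the part of the two-pass approach in the thread that a header-only filter does not cover.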