I am trying to set up a way to filter for specific phone numbers during a Wireshark capture. I am not sure what filter I should use. I tried the sip.To and sdp.phone filters with no success. Any ideas? Thanks!
asked 28 Apr '11, 07:00 Travis Young
4 Answers:
Capture filters are based on BPF, which predates any VoIP protocols. And you can't use display filters when capturing. However, if you have a limited number of phone numbers, you can always use byte offset syntax to specify the phone number. Look up the syntax for specifying byte offsets. For example, tcp[0:2] > 1024 will capture TCP packets whose source port is greater than 1024. The 0:2 means start at the first byte of the TCP header, and look at two bytes' worth. Look at http://acs.lbl.gov/~jason/tcpdump_advanced_filters.txt for some more examples on using filters and masks. Might turn into a PIA project, but it can be done.
answered 28 Apr '11, 16:56 hansangb
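The byte-offset technique from this answer, worked through as an added example (not code from the original thread): it builds the `udp[offset:size] = 0x...` clauses for a literal string and emulates the kernel's byte comparison against two constructed SIP INVITEs, showing that the filter only fires when the number sits at the same offset in every packet. The helper names and sample messages are my own and the sample traffic is made up.

```python
"""Build a pcap-filter expression that matches a literal at a fixed offset
in the UDP payload, then check what such a filter actually compares."""

UDP_HEADER_LEN = 8  # udp[n] counts from the start of the UDP header, not the payload


def bpf_literal_filter(literal: str, payload_offset: int, proto: str = "udp") -> str:
    """Return e.g. 'udp[16:4] = 0x3535352d and udp[20:4] = ...'.
    BPF can compare 1, 2 or 4 bytes per clause, so the literal is split
    into chunks of those sizes, largest first."""
    data = literal.encode("ascii")
    clauses = []
    pos = 0
    while pos < len(data):
        remaining = len(data) - pos
        size = 4 if remaining >= 4 else (2 if remaining >= 2 else 1)
        chunk = data[pos:pos + size]
        start = UDP_HEADER_LEN + payload_offset + pos
        clauses.append(f"{proto}[{start}:{size}] = 0x{chunk.hex()}")
        pos += size
    return " and ".join(clauses)


def kernel_would_match(udp_payload: bytes, literal: str, payload_offset: int) -> bool:
    """Emulate the filter above: a byte-for-byte comparison at one fixed
    position. BPF has no notion of SIP headers, so a shifted header layout
    changes the result even though the number is still present."""
    data = literal.encode("ascii")
    return udp_payload[payload_offset:payload_offset + len(data)] == data


# Constructed SIP INVITE fragments (not captured traffic). Message B carries
# an extra Via header, so the To header, and the number, land at a later offset.
INVITE_A = (b"INVITE sip:5551234567@pbx.example SIP/2.0\r\n"
            b"To: <sip:555-123-4567@pbx.example>\r\n")
INVITE_B = (b"INVITE sip:5551234567@pbx.example SIP/2.0\r\n"
            b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKabc\r\n"
            b"To: <sip:555-123-4567@pbx.example>\r\n")

NUMBER = "555-123-4567"
OFFSET_IN_A = INVITE_A.index(NUMBER.encode("ascii"))  # where the number sits in message A

if __name__ == "__main__":
    print(bpf_literal_filter(NUMBER, OFFSET_IN_A))
    print("A matches:", kernel_would_match(INVITE_A, NUMBER, OFFSET_IN_A))
    print("B matches:", kernel_would_match(INVITE_B, NUMBER, OFFSET_IN_A))
```

Because the offset of the number varies with header order and length, a fixed-offset capture filter is only dependable when the phones and gateway emit SIP messages with a stable layout; otherwise it silently misses calls.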
Since you mention
I don't claim to know SIP, but based on RFC2361, the To Header Field and From Header Field (both of which are string fields, terminated by
So, let's say the target phone number is 555-123-4567. Your display filters would be:
answered 28 Apr '11, 17:01 helloworld
1 Thanks for the advice thus far! I would like to find a way to create a capture filter that can look for certain phone numbers and only capture those VOIP conversations. I would typically have between 1-3 phone numbers being monitored. As I have it now, I am catching every phone call made on the system. I am confident that as I add the monitoring to more servers, space will become an issue. I do have a ring buffer set up for 100 files that are 100 megs each. (29 Apr '11, 11:58) Travis Young
1 It would help if you told us the capture filter(s) you're currently using, and even more helpful would be a sample pcap. Help us help you! :) (29 Apr '11, 12:03) bstn
I am currently using "host xxx.xxx.xxx.xxx", which is the IP of the voice gateway, as my capture filter. (29 Apr '11, 12:19) Travis Young
Sounds like you're looking for a Call Recorder, something Wireshark is not.
answered 30 Apr '11, 02:06 Jaap ♦
1 While I am looking to record calls, I also need the ability to see the full process of the call starting/ending, as we need to dissect a call and see if the issue is on my company's side or the phone company's side. We normally use Wireshark to monitor various customers as issues arise, and common tasks are as follows: 1: If the phone company has been stripping out the DTMF tones. 2: To see when/if/why/how our application is starting its automated recording before a customer has answered their phone. 3: To monitor calls so we can see if our application or the phone company is hanging up on customers. If we can streamline the process and make it a faster process, that would be great. As it stands, we spend about a half hour per person (per customer) each day. If what I need is a call recorder, I would need it: 1: To capture all of the packets for each call. 2: To display dual channels so I can visually see the call while listening to it. 3: To show me a graph of the call so that I can see where the call was initiated and ended. Any recommendations? (04 May '11, 06:28) Travis Young
Check this out: http://wiki.wireshark.org/Lua/Examples, section "Dump VoIP calls into separate files".
answered 04 May '11, 19:23 izopizo, edited 04 May '11, 19:24
I noticed that the script calls for a MySQL DB. Does it really need it? Each of our machines' resources are closely regulated, so adding the MySQL client would be an issue. (05 May '11, 05:54) Travis Young
@Travis, it doesn't need to be MySQL, but the script does rely on some kind of DB. The LuaSQL library supports several different DBs (including SQLite). If you can't have this dependency, then an alternative might be to replace those DB calls with Lua functions. Also note that this script assumes the OS is *nix (based on the (05 May '11, 07:37) bstn
The main reasons for BPF to be not as extensive as display filtering are: