Hi, We are having issue while analyzing SIP traffic on centos. Centos server is getting SIP traffic coming via a Switch/Mirror port. I can see both way traffic when i use following command tethereal -i eth0 But i am unable to see incoming traffic when i use following command ethereal -i eth0 port 5060 This seems to happen just for SIP, because when i checked port 161 using below command. I can see both ways traffic tetheral -i eth0 port 161 Regards Farhan asked 20 Feb '15, 04:13  farhan_ft edited 29 Mar '15, 19:02  Guy Harris ♦♦ showing 5 of 7 show 2 more comments |
One Answer:
This looks like the often overlooked issue with VLAN tags. If present the capture filter has to be made aware of it, so that it can (and will) adjust the offset for subsequent field comparisons in the packet. This expression could help you then:
answered 20 Feb '15, 06:51  Jaap ♦ |
and when i saved the output using -w option.
tethereal -i eth0 -w /tmp/trace.pcap
i can see incoming packets on port 5060...
This is the Ask Wireshark website, Ethereal is obsolete and no longer supported.
What is your OS version?
You will be getting a lot of complaints about (t)ethereal being ancient. Never mind that, lets see if we can solve your problem.
Are there VLANs involved when you capture SIP traffic?
As i said i can see the traffic when i i saved the output using -w option. tethereal -i eth0 -w /tmp/trace.pcap
i can see incoming packets on port 5060... but when i use with PORT 5060. I can see only one way traffic. tethereal -i eth0.
centos1 2.6.32-220.el6.x86_64 #1 SMP Tue Dec 6 19:48:22 GMT 2011 x86_64 x86_64 x86_64 GNU/Linux
When i have opened the Captured trace using command "tethereal -i eth0 -w /tmp/trace.pcap" and selected the incoming packet i can see "protocols in frame eth:ethertype:vlan:ethertype:ip:udp:sip:sdp"
@farhan_ft
Your "answers" have been converted to comments as that's how this site works. Please read the FAQ for more information.