This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi, I have been trying to catch SIP protocol packets while capturing. Since my PC is already doing a lot of sniffing, I would like to use a capture filter instead of a display filter. Also, it is not an option to "parse" already captured traffic (pcap files). My PC has only one quad-core CPU... and it is at 100% almost all the time. As far as I'm filtering via tshark on port 5060 or 5070, some packets are captured, but I know 'few' is a lot less than I expect. Filtering all the traffic captured by another tshark process, I can find, let's say, a lot of those SIP packets. My question is: how do I set a filter to catch only SIP packets?

asked 22 Mar '16, 06:50

jacetyh


There are two aspects to your question.

One is that for long-term capturing without immediate analysis it is far better to use dumpcap instead of tshark, as it does less (no display filter processing), so it takes less CPU, and as it does not gradually eat all available memory (search through this site for older questions dealing with the "memory problem").

Another one is how to identify SIP packets using a capture filter. If you say that the capture filter "port 5060 or 5070" is too narrow, in that it misses some SIP traffic, that would mean that there are SIP messages where both the source and destination port numbers differ from the two above.

Under specific conditions, you could use a capture filter like

(udp[8:4] = 0x5349502f and udp[12:4] = 0x322e3020) or (udp[8:4] & 0xdfdfdfdf = 0x494e5649 and udp[12:2] & 0xdfdf = 0x5445 and udp[14:1] = 0x20) or (udp[8:4] & 0xdfdfdfff = 0x42594520) or ...

i.e. you would look for the SIP/2.0 keyword followed by a space character, with which all SIP responses begin, and for the names of all known SIP methods followed by a space character at the beginning of the UDP payload of each packet, because the SIP/2.0 keyword in requests is not at a fixed place in the packet. The example covers INVITE and BYE, and the & 0xdf... masks are there to ignore letter case, because use of any (even mixed) case is allowed (although rarely used) for notation of SIP methods.

This approach will not work for SIP over TCP transport, because you cannot rely on SIP messages starting at the beginning of the TCP payload.


answered 22 Mar '16, 08:39

sindy

edited 22 Mar '16, 08:40

So to sum up, the best way to capture SIP is to use a display filter in tshark? I'm very new at this. I spent a lot of time googling the best way to do that and failed. I'm considering setting the priority of this instance of tshark to the lowest possible. BTW, where can I find info about the filters you mention (udp[8:4] = 0x5349502f etc.)? I would like to get more into the details of this topic.

(23 Mar '16, 01:09) jacetyh

> the best way to capture sip is to use display filter in tshark?

As always, it depends on the particular scenario:

  • if your primary concern is not to miss a single SIP packet in an environment you know nothing about, then yes, you have to give Wireshark/tshark the chance to let the SIP heuristic dissector inspect each UDP and TCP packet, because it is not rare that SIP uses ports other than 5060. Even SIP dialogs which started with 5060 as at least one of the ports may migrate away from it.

  • if, however, low resource consumption and/or a potentially infinite duration of the capture is what bothers you most, and you can use knowledge about which scenarios exist in that network and which don't, based on analysis of short-term captures using Wireshark/tshark, you may be able to use a capture filter based on a set of ports and IP addresses.

> where can I find info about filters you mention

A good starting point is the examples here; for the detailed formal syntax, look here. The hex strings I've given in my example are ASCII strings: SIP/, 2.0, INVI, TE and BYE. The maximum size of data which can be accessed using a single proto[start:size] expression is 4 bytes. The whole thing is in fact a simple heuristic filter; you would have to add all the SIP methods which can be expected in your scenarios. I've already listed its limitations.

(23 Mar '16, 03:10) sindy
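The heuristic capture filter from the answer above, generalized to the full list of SIP methods the comment says you would have to add, as an added example that is not code from the original thread. It is a small Python generator that builds the expression with the access sizes libpcap actually accepts (1, 2 or 4 bytes, so a 7-byte token like "INVITE " becomes udp[8:4], udp[12:2] and udp[14:1]) and with masks that clear only the 0x20 case bit of letters while leaving the space byte untouched, plus a stand-in evaluator so the generated expression can be checked against constructed UDP datagrams offline. The method list, the udp_datagram helper and the sample messages are assumptions of the example, not from the thread.

```python
"""Generate and sanity-check a libpcap capture filter that matches SIP over UDP.

Added example: builds the heuristic from the answer above for any list of
SIP methods and evaluates the resulting expression against constructed
UDP datagrams. It is not code from the original thread.
"""
import re

# Request methods from RFC 3261 plus common extensions (assumption: trim to
# the methods you actually expect; every entry adds a clause to the filter).
SIP_METHODS = ["INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER",
               "PRACK", "SUBSCRIBE", "NOTIFY", "PUBLISH", "INFO", "REFER",
               "MESSAGE", "UPDATE"]

UDP_HEADER_LEN = 8  # udp[8] is the first payload byte


def _access_sizes(n):
    """Split a byte count into the access sizes libpcap accepts: 4, 2 or 1."""
    sizes = []
    for size in (4, 2, 1):
        while n >= size:
            sizes.append(size)
            n -= size
    return sizes


def clause_for(token, case_insensitive=True):
    """Capture-filter clause matching `token` at the start of the UDP payload.

    Letters get the mask 0xdf, which clears the 0x20 case bit so that
    'INVITE', 'invite' and 'Invite' all match; every other byte (space,
    '/', '.', digits) keeps 0xff and must match exactly.
    """
    data = token.encode("ascii")
    parts, off = [], 0
    for size in _access_sizes(len(data)):
        chunk = data[off:off + size]
        mask = 0
        for b in chunk:
            letter = chr(b).isalpha() and case_insensitive
            mask = (mask << 8) | (0xdf if letter else 0xff)
        value = int.from_bytes(chunk, "big") & mask
        width = 2 + 2 * size                      # "0x" + two hex digits per byte
        access = f"udp[{UDP_HEADER_LEN + off}:{size}]"
        if mask == (1 << (8 * size)) - 1:
            parts.append(f"{access} = {value:#0{width}x}")
        else:
            parts.append(f"{access} & {mask:#0{width}x} = {value:#0{width}x}")
        off += size
    return "(" + " and ".join(parts) + ")"


def sip_capture_filter(methods=SIP_METHODS, case_insensitive=True):
    """Full expression: every response starts 'SIP/2.0 ', every request 'METHOD '."""
    tokens = ["SIP/2.0 "] + [m + " " for m in methods]
    return " or ".join(clause_for(t, case_insensitive) for t in tokens)


_ACCESS = re.compile(r"udp\[(\d+):(\d+)\](?: & (0x[0-9a-f]+))? = (0x[0-9a-f]+)")


def matches(filter_expr, datagram):
    """Evaluate an expression built by sip_capture_filter() against raw UDP bytes.

    A minimal stand-in for BPF: each parenthesised clause is a conjunction of
    byte accesses and the top level is a disjunction. An access that reaches
    past the end of the datagram fails, as it does in BPF.
    """
    for clause in filter_expr.split(" or "):
        for off, size, mask, value in _ACCESS.findall(clause):
            off, size = int(off), int(size)
            if len(datagram) < off + size:
                break
            word = int.from_bytes(datagram[off:off + size], "big")
            word &= int(mask, 16) if mask else (1 << (8 * size)) - 1
            if word != int(value, 16):
                break
        else:
            return True
    return False


def udp_datagram(payload, sport=5080, dport=5080):
    """Constructed UDP header + payload (no IP header) for offline checks."""
    length = UDP_HEADER_LEN + len(payload)
    header = sport.to_bytes(2, "big") + dport.to_bytes(2, "big")
    header += length.to_bytes(2, "big") + b"\x00\x00"   # checksum left zero
    return header + payload


if __name__ == "__main__":
    # Use as: dumpcap -i eth0 -f "$(python3 sip_filter.py)" -b filesize:102400 -b files:20 -w sip.pcapng
    print(sip_capture_filter())
```

The printed expression goes straight into the -f option of dumpcap or tshark, where the kernel BPF engine evaluates it per packet; that is what makes it cheap compared with a display filter. The limitations stated in the answer still apply: libpcap's udp[...] byte indexing covers IPv4 only, and SIP over TCP is not matched. Case-insensitive matching follows the answer's choice; RFC 3261's ABNF spells the core method tokens as fixed upper-case byte strings (for example INVITEm = %x49.4E.56.49.54.45), so case_insensitive=False gives a stricter filter if that is all your network sends.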

Thanks, for now that's all I needed, I mean the lecture and knowledge. For now I'll use a display filter, but I will change it to something more suitable for my needs someday.

(23 Mar '16, 03:50) jacetyh