Hi, I have been trying to catch SIP protocol packets while capturing. Since my PC is already doing a lot of sniffing, I would like to use a capture filter instead of a display filter. Also, it's not an option to "parse" already captured traffic (pcap files). My PC has only 1 quad-core CPU... and it's almost all the time 100% used. As far as I'm filtering via tshark on port 5060 or 5070, some packets are captured, but I know 'few' is a lot less than I expect. Filtering all traffic captured by another tshark process, I can find, let's say, a lot of those SIP packets. My question is: how to set a filter to catch only SIP packets. asked 22 Mar '16, 06:50 jacetyh
One Answer:
There are two aspects to your question. One is that for long-term capturing without immediate analysis, it is far better to use dumpcap instead of tshark, as it does less (no display filter processing), so it takes less CPU, and it does not gradually eat all available memory (search this site for older questions dealing with "memory problem"). The other is how to identify SIP packets using a capture filter. If you say that a capture filter Under specific conditions, you could use a capture filter like This approach will not work for SIP over TCP transport, because you cannot rely on SIP messages starting at the beginning of the TCP packet payload. answered 22 Mar '16, 08:39 sindy edited 22 Mar '16, 08:40
So to sum up, the best way to capture SIP is to use a display filter in tshark? I'm very new at this. I spent a lot of time googling the best way for that and failed. I'm considering setting the priority to the lowest possible for this instance of tshark. Btw, where can I find info about the filters you mention (udp[8:4] = 0x5349502f etc.)? I would like to get more into the details of this topic.
As always, it depends on the particular scenario:
if your primary concern is not to miss a single SIP packet in an environment you know nothing about, then yes, you have to give Wireshark/tshark a chance to let the SIP heuristic dissector inspect each UDP and TCP packet, because it is not rare that SIP uses ports other than 5060. Even SIP dialogs which started with 5060 as at least one of the ports may migrate away from it.
if, however, low resource consumption and/or a potentially infinite duration of the capture is what bothers you most, and you can use knowledge about which scenarios exist in that network and which don't, based on analysis of short-term captures using Wireshark/tshark, you may be able to use a capture filter based on a set of ports and IP addresses.
A good starting point are the examples here; for the detailed formal syntax look here. The hex strings I've given in my example are ASCII strings: "SIP/", "2.0", "INVI", "TE", and "BYE". The maximum size of data which can be accessed using a single proto[start:size] expression is 4 bytes. The whole thing is in fact a simple heuristic filter; you would have to add all SIP methods which can be expected in your scenarios. I've already listed its limitations.
Thanks, for now it's all I needed, I mean the lecture and knowledge. For now I'll use a display filter, but I will change it to something more suitable for my needs someday.
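As an added example (not code from the thread or from the Wireshark project), the following Python shows how constants such as udp[8:4] = 0x5349502f in the comments above relate to their ASCII strings, composes the resulting capture filter into a dumpcap command line, and applies the same first-four-payload-bytes heuristic to constructed UDP and TCP packets. The last case, a SIP request over TCP split across two segments, reproduces the limitation sindy describes: the second segment is SIP but does not start with a SIP method or "SIP/", so the heuristic misses it. The prefix list, packet contents, interface name and output file name are assumptions.

```python
import struct

# Constructed list of four-byte ASCII prefixes that SIP messages begin with.
# "SIP/" starts every response line; the others are request methods, padded
# with a space where the method is only three letters. This list is an
# assumption: extend it with whatever methods your short-term captures show.
SIP_PREFIXES = (b"SIP/", b"INVI", b"BYE ", b"ACK ", b"REGI", b"OPTI", b"CANC")

UDP_HEADER_LEN = 8  # src port, dst port, length, checksum: 2 bytes each


def bpf_literal(prefix: bytes) -> str:
    """Render a 4-byte ASCII prefix as the hex constant a capture filter compares against."""
    if len(prefix) != 4:
        raise ValueError("proto[start:size] can read at most 4 bytes at a time")
    return "0x" + prefix.hex()


def build_capture_filter(prefixes=SIP_PREFIXES) -> str:
    """Compose a libpcap capture filter for SIP over UDP.

    udp[8:4] reads bytes 8..11 of the UDP datagram, i.e. the first four
    payload bytes, because the UDP header is exactly 8 bytes long.
    """
    clauses = " or ".join(f"udp[{UDP_HEADER_LEN}:4] = {bpf_literal(p)}" for p in prefixes)
    return f"udp and ({clauses})"


def dumpcap_argv(interface: str, outfile: str, prefixes=SIP_PREFIXES) -> list:
    """dumpcap command line: -i interface, -f capture filter, -w output file."""
    return ["dumpcap", "-i", interface, "-f", build_capture_filter(prefixes), "-w", outfile]


def udp_payload_is_sip(datagram: bytes, prefixes=SIP_PREFIXES) -> bool:
    """Apply the heuristic in Python to a raw UDP datagram (header + payload)."""
    return datagram[UDP_HEADER_LEN:UDP_HEADER_LEN + 4] in prefixes


def tcp_segment_payload_is_sip(segment: bytes, prefixes=SIP_PREFIXES) -> bool:
    """Same heuristic for a raw TCP segment.

    The payload offset comes from the data-offset nibble in byte 12 (header
    length in 32-bit words), so a fixed tcp[20:4] would already be wrong
    whenever TCP options are present. Even with the right offset, only a
    segment that happens to begin at a message boundary can match.
    """
    if len(segment) < 20:
        return False
    header_len = (segment[12] >> 4) * 4
    return segment[header_len:header_len + 4] in prefixes


def make_udp(payload: bytes, sport: int = 5060, dport: int = 5060) -> bytes:
    """Constructed UDP datagram; checksum left as 0 (permitted for UDP over IPv4)."""
    return struct.pack("!HHHH", sport, dport, UDP_HEADER_LEN + len(payload), 0) + payload


def make_tcp(payload: bytes, sport: int = 5060, dport: int = 5060, seq: int = 1, ack: int = 1) -> bytes:
    """Constructed TCP segment with a 20-byte header (data offset 5), flags PSH|ACK, no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0) + payload


if __name__ == "__main__":
    print(" ".join(dumpcap_argv("eth0", "sip.pcapng")))
    print(udp_payload_is_sip(make_udp(b"INVITE sip:bob@example.invalid SIP/2.0\r\n\r\n")))
    # Constructed INVITE over TCP split in two: only the first segment matches.
    first = make_tcp(b"INVITE sip:bob@example.invalid SIP/2.0\r\nContent-Length: 20\r\n\r\nv=0\r\no=- 1 1")
    second = make_tcp(b" IN IP4 192.0.2.10\r\n", seq=1 + 70)
    print(tcp_segment_payload_is_sip(first), tcp_segment_payload_is_sip(second))
```

Two caveats when you paste the generated filter into dumpcap -f: in libpcap's filter syntax the udp[...] index only applies to IPv4 (the pcap-filter manual states that tcp, udp and other upper-layer indexing does not yet work for IPv6), and for a fragmented IP datagram only the first fragment carries the UDP header, so later fragments of a large SIP message are not matched either.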