This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dumpcap capture filter question

Hi,

I am struggling to create a filter to capture VoIP traffic using Dumpcap. I can capture everything but I cannot apply a capture filter successfully. I need to basically capture the following.

Port 13060 TCP/UDP

Port 13061 TCP

Port 13090 TCP/UDP

Ports 54000-65000 UDP

This is the command I have so far.

dumpcap.exe -i 1 -f "SomeTextGoesHere" -a filesize:100000 -w "C:\Users\Administrator\Desktop\Dumpcap\Dumpcap.pcapng" -b files:100

Its the "SomeTextGoesHere" bit I'm struggling with! Is anybody able to help please?

Regards,

Jonathan.

libpcap sip dumpcap voip rtp

asked 07 Apr '16, 02:02

jonathanbaird
6●4●4●7
accept rate: 50%

One Answer:

You're looking for a capture (or tcpdump) filter. The reference page is here.

As that's a bit intense, to get you started you create a filter with expressions and combine them with and, or or not. To include both tcp and udp on port 13060 use "port 13060". To include tcp on port 13061 use "tcp port 13061". To combine these so that packets match the first or the second expression use "port 13060 or tcp port 13061" To specify a range of ports use portrange, e.g. "udp portrange 54000-65000".

answered 07 Apr '16, 03:22

grahamb ♦
19.8k●3●30●206
accept rate: 22%

Thanks Graham I'll give it a go! :)

(07 Apr '16, 04:12) jonathanbaird