This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SIP capture filter

0

Hi, I'm trying to apply a filter to capture only SIP traffic and running into an odd situation. When I leave wireshark with no capture filter, I see the packets I want to capture from host X to host Y on UDP port 5060.

So I applied these filters on the capture options screen one by one: -port 5060 -udp port 5060 -host X

All of them returned nothing. Is there something I'm missing here?

asked 29 Sep '11, 09:26

CulverTech's gravatar image

CulverTech
1112
accept rate: 0%

One Answer:

1

My bet would be that the SIP traffic is vlan tagged (you can check this by looking closer to the unfiltered SIP traffic). If this is true, prepend your capture filters with "vlan and ..." so the filters will become:

vlan and port 5060
vlan and udp port 5060
vlan and host X

Hope this helps.

answered 29 Sep '11, 09:46

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Aha! yes, they're tagged, didn't realize I had to add that to the filter. Thanks so much

(29 Sep '11, 10:02) CulverTech