SIP capture filter

Question

Hi, I'm trying to apply a filter to capture only SIP traffic and running into an odd situation. When I leave wireshark with no capture filter, I see the packets I want to capture from host X to host Y on UDP port 5060.

So I applied these filters on the capture options screen one by one: -port 5060 -udp port 5060 -host X

All of them returned nothing. Is there something I'm missing here?

Accepted Answer

1

My bet would be that the SIP traffic is vlan tagged (you can check this by looking closer to the unfiltered SIP traffic). If this is true, prepend your capture filters with "vlan and ..." so the filters will become:

vlan and port 5060
vlan and udp port 5060
vlan and host X

Hope this helps.

permanent link

answered 29 Sep '11, 09:46

SYN-bit ♦♦
17.1k●9●57●245
accept rate: 20%

Aha! yes, they're tagged, didn't realize I had to add that to the filter. Thanks so much

(29 Sep '11, 10:02) CulverTech

SIP capture filter

Follow this question

You have a trillion packets.

You need to see four of them.

Don't have Wireshark?

Related questions