This is a static archive of our old Q&A Site. Please post any new questions and answers at

SIP capture filter


Hi, I'm trying to apply a filter to capture only SIP traffic and running into an odd situation. When I leave Wireshark with no capture filter, I see the packets I want to capture from host X to host Y on UDP port 5060.

So I applied these filters on the capture options screen one by one:

- port 5060
- udp port 5060
- host X

All of them returned nothing. Is there something I'm missing here?

asked 29 Sep '11, 09:26

CulverTech

One Answer:


My bet would be that the SIP traffic is VLAN tagged (you can check this by looking more closely at the unfiltered SIP traffic). If this is true, prepend your capture filters with "vlan and ..." so the filters will become:

vlan and port 5060
vlan and udp port 5060
vlan and host X

Hope this helps.

answered 29 Sep '11, 09:46

SYN-bit ♦♦

Aha! Yes, they're tagged, didn't realize I had to add that to the filter. Thanks so much.

(29 Sep '11, 10:02) CulverTech
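
Why the untagged filters matched nothing, as an added example that is not part of the original thread: a simplified Python model of the fixed byte offsets that `udp port 5060` tests for IPv4, run against constructed untagged and 802.1Q-tagged frames. It is not libpcap's generated code; the function names, addresses, source port and VLAN ID 100 are assumptions made for the illustration.

```python
import struct

def build_frame(dport, vlan_id=None):
    """Constructed Ethernet/IPv4/UDP frame (sample MACs, IPs and source port)."""
    eth = bytes(6) + bytes(6)                        # dst MAC, src MAC (all zero)
    if vlan_id is not None:
        eth += struct.pack("!HH", 0x8100, vlan_id)   # 802.1Q TPID + TCI: 4 extra bytes
    eth += struct.pack("!H", 0x0800)                 # EtherType: IPv4
    udp = struct.pack("!HHHH", 40000, dport, 8, 0)   # sport, dport, length, checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + udp

def match_udp_port(frame, port, l2_len=14):
    """Model of 'udp port N': every check reads a fixed offset from the frame start."""
    if len(frame) < l2_len + 20:
        return False
    if struct.unpack_from("!H", frame, l2_len - 2)[0] != 0x0800:
        return False          # on a tagged frame, offset 12 holds 0x8100, not IPv4
    if frame[l2_len + 9] != 17:
        return False          # IP protocol field must be UDP
    if struct.unpack_from("!H", frame, l2_len + 6)[0] & 0x1FFF:
        return False          # non-first fragments carry no UDP header
    ihl = (frame[l2_len] & 0x0F) * 4
    if len(frame) < l2_len + ihl + 4:
        return False
    sport, dport = struct.unpack_from("!HH", frame, l2_len + ihl)
    return port in (sport, dport)

def match_vlan_udp_port(frame, port):
    """Model of 'vlan and udp port N': require the tag, then shift offsets by 4."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != 0x8100:
        return False
    return match_udp_port(frame, port, l2_len=18)

if __name__ == "__main__":
    for name, frame in (("untagged", build_frame(5060)),
                        ("vlan 100", build_frame(5060, vlan_id=100))):
        print(name, "| udp port 5060:", match_udp_port(frame, 5060),
              "| vlan and udp port 5060:", match_vlan_udp_port(frame, 5060))
```

Because `vlan` shifts the offsets for the rest of the expression, `vlan and udp port 5060` no longer matches untagged frames; `udp port 5060 or (vlan and udp port 5060)` covers both.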