Wireshark-users: [Wireshark-users] problem with capturing SIP packets using Tshark
From: Maryam Homayouni <marnameh@xxxxxxxxx>
Date: Thu, 20 Nov 2008 00:47:47 -0800 (PST)
Hi all,
 
I am trying to extract SIP packets' info using tshark but I encountered some problem in this regard. I would be appretiated if any body can help me.
  1. Isn't there any way to CAPTURE only SIP traffic? as I understood we can only specify the source and destination port to capture SIP packets using -f option. the problem of this method is that other packets except SIP ones which are passed to/from specified ports are captured.
  2. Even after stopping SIP transactions, tshark occupies 70-90% of cpu to fill SIP traffic log file, we specified as output. this may last about 1 or even 30 minutes after stopping SIP traffic. The intresting point is that if using Wireshark instead, it does not display any sip traffic after finishing transactions. what is the problem?  is it due to tshark processing mechanisms ? is it buffering all traffics and seperate SIP ones after a while?.. or ..
 
maryam


Now with a new friend-happy design! Try the new Yahoo! Canada Messenger