Ok, it works... thanks a lot
that was the simple filter...
The problem now is if I try to remove some packets (like the watchdog for Diameter and SIP, for example)
I know that the SIP and Diameter packets I would like to remove are 60, 70, 142 or 162 bytes long
I tried:
((port 5060 or port 3868) and not len = 70 and not len = 142 and not len = 162) or (vlan and (port 5060 or port 3868))
here, I lose some Diameter traffic.
I tried too:
((port 5060 or port 3868) and (not len = 70 or not len = 142 or not len = 162)) or (vlan and (port 5060 or port 3868))
still the same
I'm really bad at boolean tests :(
Sorry
Louis
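Added example, not code from either poster: a small Python model of the capture-filter semantics discussed in this thread, Sake's point (quoted below) that `vlan` shifts every following offset by 4 bytes, and the `len` exclusions tried above. It assumes the four lengths were measured on untagged frames, so their tagged copies are 4 bytes longer; `Frame`, `matches` and the sample frames are constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    tagged: bool    # True if the frame carries an 802.1Q header
    ports: tuple    # (source port, destination port)
    length: int     # wire length, which is what tcpdump's 'len' compares

def port(frame, p, after_vlan=False):
    """Model of BPF 'port p'. Header offsets are fixed when the filter compiles:
    without a preceding 'vlan' the untagged layout is assumed, so a tagged frame
    never matches; after 'vlan' all offsets shift 4 bytes, so only tagged ones do."""
    return frame.tagged == after_vlan and p in frame.ports

def vlan(frame):
    return frame.tagged

def sip_or_diameter(frame, after_vlan=False):
    # "port 5060 or port 3868"; on its own it silently misses every tagged frame
    return port(frame, 5060, after_vlan) or port(frame, 3868, after_vlan)

def combined(frame):
    # "(port 5060 or port 3868) or (vlan and (port 5060 or port 3868))"
    return sip_or_diameter(frame) or (vlan(frame) and sip_or_diameter(frame, True))

KEEPALIVE = (60, 70, 142, 162)   # lengths to drop, measured on untagged frames

def drop_by_length_or(frame):
    # "(not len = 70 or not len = 142 or not len = 162)": a frame has one length,
    # so at least two clauses are true and the whole parenthesis is always true.
    # Nothing is dropped, and the tagged half never excluded anything anyway.
    return (sip_or_diameter(frame) and any(frame.length != n for n in (70, 142, 162))) \
        or (vlan(frame) and sip_or_diameter(frame, True))

def drop_by_length(frame):
    # Exclusion repeated in both halves; the tagged half allows for the 4-byte tag.
    return (sip_or_diameter(frame) and frame.length not in KEEPALIVE) or (
        vlan(frame) and sip_or_diameter(frame, True) and frame.length - 4 not in KEEPALIVE)

# Constructed sample traffic: 3868 = Diameter, 5060 = SIP
FRAMES = [
    Frame(False, (3868, 40000), 70),   # 0: untagged Diameter watchdog
    Frame(True,  (3868, 40000), 74),   # 1: the same watchdog on the tagged side
    Frame(False, (5060, 5060), 512),   # 2: untagged SIP request
    Frame(True,  (5060, 5060), 516),   # 3: tagged SIP request
    Frame(True,  (443, 50000), 74),    # 4: tagged HTTPS, must never match
]

def matches(filter_fn, frames=FRAMES):
    """Indexes of the frames the given filter would capture."""
    return [i for i, f in enumerate(frames) if filter_fn(f)]
```

Running `matches` over the four filters shows the untagged-only filter capturing frames 0 and 2, the combined filter all of 0 to 3, the "or" exclusion still all of 0 to 3, and the symmetric exclusion only 2 and 3.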
2009/9/24 Sake Blok <sake@xxxxxxxxxx>
On Thu, Sep 24, 2009 at 03:14:10PM +0200, ketzal devims wrote:
>
> Now if I do
> port 5060 or (vlan and port 5060)) or port 3868 or (vlan and port 3868))
> -> I can capture Diameter for both sides, but SIP only for responses (as
> if the first _expression_ "port 5060" was omitted)...
Filtering for untagged as well as tagged packets is a little tricky in
tcpdump/tshark/wireshark. The thing to remember is that the word vlan in
the capture filter advances the offset into the packet by 4 bytes (the
length of the 802.1q header). The correct way to do this is to first
filter on all non-tagged frames and then filter for the tagged frames
like this:
"(port 5060 or port 3868) or (vlan and (port 5060 or port 3868))"
Hope this helps,
Cheers,
Sake
PS This is also documented on http://wiki.wireshark.org/VLAN
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe