On Aug 27, 2012, at 5:11 AM, Aktuna, Ilker, Vodafone Turkey wrote:
> Unfortunately, I couldn’t find a forum/mailing list about tcpdump.
tcpdump-workers@xxxxxxxxxxxxxxxxx
See
http://www.tcpdump.org/#mailing-lists
> Now, my problem is about tcpdump getting only one-way traffic if used with a filter. On the server that I use tcpdump, there is libpcap 0.9.4 and tcpdump 3.9.4.
> Normally if I take captures without filter, I can receive 2-way SIP traffic. However, if I put a capture filter like “port 5060”, I can only receive one-way traffic in the file created.
>
> In fact, I know why this happens; the SIP traffic is tunneled with ip protocol 4 (ipip) in one way. So, if I put a filter “port 5060” that doesn’t cover “udp packets under ip protocol 4”. How can I solve this issue?
By changing the libpcap source code to add an "ipip" term, similar to the "vlan", "mpls", and "pppoes" terms, to
1) check for IP protocol 4
and
2) change the offsets used when checking fields in transport-layer headers
building that version of libpcap and linking tcpdump (and other programs you want to support IP-in-IP in capture filters) with that version of libpcap, and capturing using "port 5060 and (ipip and port 5060)".
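
The two steps above (check for IP protocol 4, then shift the transport-header offsets past the outer header), shown as an added Python sketch that is not part of the original reply and is not libpcap code. The function names and sample packets are constructed for illustration, and packets are assumed to start at the IPv4 header (no link-layer header).

```python
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP = 4, 6, 17

def ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                       0, 0, 64, proto, 0, src, dst) + payload

def udp(sport, dport, data=b""):
    """Build a UDP header (checksum left at 0) plus data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def matches_port(pkt, port, max_depth=1):
    """True if pkt, or an IPv4 packet tunneled inside it, is TCP/UDP on `port`.

    max_depth=0 models a plain "port N" test that never looks inside
    IP-in-IP; max_depth=1 also follows one level of protocol-4 tunneling.
    """
    off = 0
    for _ in range(max_depth + 1):
        if len(pkt) < off + 20 or pkt[off] >> 4 != 4:
            return False                      # truncated or not IPv4
        ihl = (pkt[off] & 0x0F) * 4
        if ihl < 20 or len(pkt) < off + ihl:
            return False                      # bad header length
        if struct.unpack_from("!H", pkt, off + 6)[0] & 0x1FFF:
            return False                      # non-first fragment: no ports
        proto = pkt[off + 9]
        if proto == IPPROTO_IPIP:             # step 1: IP protocol 4
            off += ihl                        # step 2: shift the offsets
            continue
        if proto in (IPPROTO_TCP, IPPROTO_UDP):
            if len(pkt) < off + ihl + 4:
                return False                  # ports not captured
            sport, dport = struct.unpack_from("!HH", pkt, off + ihl)
            return port in (sport, dport)
        return False
    return False                              # tunnel deeper than max_depth

# Constructed sample packets: SIP sent directly, SIP inside IP-in-IP,
# and unrelated UDP traffic inside IP-in-IP.
PLAIN = ipv4(IPPROTO_UDP, udp(5060, 5060, b"INVITE"))
TUNNELED = ipv4(IPPROTO_IPIP, ipv4(IPPROTO_UDP, udp(5060, 5060, b"200 OK")))
OTHER = ipv4(IPPROTO_IPIP, ipv4(IPPROTO_UDP, udp(40000, 53)))

if __name__ == "__main__":
    for name, p in (("plain", PLAIN), ("tunneled", TUNNELED), ("other", OTHER)):
        print(name, matches_port(p, 5060, max_depth=0), matches_port(p, 5060))
```

With `max_depth=0` only the directly sent packet matches, which reproduces the one-way capture described in the question.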