Wireshark-users: Re: [Wireshark-users] filter application layer frames during capture kernel (SIP
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Wed, 24 Jan 2018 16:03:32 +0100
So is this traffic all SIP? Would it be sufficient to capture filter on UDP port 5060? Or do you need to index into the UDP payload?

On 24 Jan 2018, at 15:31, Manolis Katsidoniotis <manoska@xxxxxxxxx> wrote:

Hello

Thanks.
Yes further to Guy's comment,
due to high traffic coming from servers which are faster than the capture equipment,
I need to filter during capture otherwise
specific frames which I need are dropped
while others that I don't need are captured.

Thanks
Manolis

On Tue, Jan 23, 2018 at 11:43 AM Guy Harris <guy@xxxxxxxxxxxx> wrote:
On Jan 23, 2018, at 5:31 AM, Dignam, Mark <Mark.Dignam@xxxxxxxx> wrote:

> Yeah in the filter option just add in sip contains XXXXXX (where XXXXXX is the MSISDN or part thereof)

That's a *display* filter, so it won't filter out packets during the capture process.

Filtering specific SIP packets at capture time is much harder; see the ask.wireshark.com answer to which Anders pointed.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
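
An added example, not code from any poster in this thread: one way to "index into the UDP payload" in a capture filter is to compare fixed-offset bytes, which can select SIP requests by the method token that starts the message. The function names are hypothetical, and the sketch assumes SIP over unfragmented IPv4 UDP on port 5060; libpcap's `udp[...]` indexing does not apply to IPv6.

```python
# Added example: build a libpcap/BPF capture filter that keeps only SIP
# requests whose UDP payload starts with a given method token.
# Assumptions (not from the thread): helper names, IPv4 only, no fragmentation.

UDP_HEADER_LEN = 8  # udp[8] is the first payload byte


def payload_match(prefix: bytes, offset: int = UDP_HEADER_LEN) -> str:
    """Return BPF terms comparing `prefix` with the bytes at `offset`.

    BPF can load only 1, 2 or 4 bytes per comparison, so the prefix is
    split into the largest chunks available.
    """
    terms = []
    pos = 0
    while pos < len(prefix):
        remaining = len(prefix) - pos
        size = 4 if remaining >= 4 else 2 if remaining >= 2 else 1
        value = int.from_bytes(prefix[pos:pos + size], "big")
        terms.append(f"udp[{offset + pos}:{size}] = 0x{value:0{size * 2}x}")
        pos += size
    return " and ".join(terms)


def sip_capture_filter(methods, port: int = 5060) -> str:
    """Capture filter matching SIP requests that begin with any of `methods`."""
    if not methods:
        raise ValueError("at least one SIP method is required")
    alternatives = []
    for method in methods:
        # A request line is "<METHOD> <Request-URI> SIP/2.0"; including the
        # trailing space keeps a short token from matching a longer word.
        token = method.encode("ascii") + b" "
        alternatives.append("(" + payload_match(token) + ")")
    return f"udp port {port} and (" + " or ".join(alternatives) + ")"


if __name__ == "__main__":
    # Constructed sample: keep INVITE and BYE requests only.
    print(sip_capture_filter(["INVITE", "BYE"]))
```

The resulting string can be given as a capture filter, for example with `dumpcap -f` or `tcpdump`. It only works for values at a fixed offset; an MSISDN inside a header appears at a variable position, and capture filters have no substring search like the display filter's `contains`.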