Hi,
What you are trying to do is probably impossible. If you manage to do a capture filter on “INVITE”, chances are that this packet is fragmented and the filter would then drop the fragments and you end up with incomplete messages. To me the solution(s) are to either filter out unwanted traffic or only wanted traffic by filtering on IP, port or IP proto or something similar. If you have media included, you don’t want that…
If you get duplicated packets in your trace you could try to refine the monitor/span settings. You can also try to beef up your capturing platform.
On what OS and version are you doing the capture? What is the packet rate? You can find that under Statistics->Capture file properties. This info would be interesting to us to know the current limitations.
Created by Wireshark 2.5.0 (ESVN Rev 4040 from /trunk)

File
  Name:          C:\Development\bgfOL_00716_20180105123632.gz
  Length:        200 MB
  Format:        Wireshark/... - pcapng (gzip compressed)
  Encapsulation: Ethernet

Time
  First packet: 2018-01-05 12:36:32
  Last packet:  2018-01-05 12:36:52
  Elapsed:      00:00:20

Capture
  Hardware:    Intel(R) Xeon(R) CPU E5-2430 0 @ 2.20GHz (with SSE4.2)
  OS:          Linux 4.4.0-96-generic
  Application: Dumpcap (Wireshark) 2.5.0-3990- (ESVN Rev 3990 from /trunk)

Interfaces
  Interface  Dropped packets  Capture filter         Link type  Packet size limit
  eth3       Unknown          ip net 10.80.29.80/28  Ethernet   65535 bytes

Statistics
  Measurement             Captured   Displayed           Marked
  Packets                 220867     220867 (100.0%)     —
  Time span, s            20.341     20.341              —
  Average pps             10858.1    10858.1             —
  Average packet size, B  872        872                 —
  Bytes                   192634113  192634113 (100.0%)  0
  Average bytes/s         9470 k     9470 k              —
  Average bits/s          75 M       75 M                —
If you capture with Wireshark - don’t. Use dumpcap and look at the resulting file(s).
Best regards
Anders
From: Wireshark-users [mailto:wireshark-users-bounces@xxxxxxxxxxxxx]
On Behalf Of Jaap Keuter
Sent: 25 January 2018 08:31
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] filter application layer frames during capture kernel (SIP)
Hello
It's IMS (SIP, Diameter, DNS, etc.). I'm already filtering on port 5060 only, without translating IPs to names, and it's dropping 100s of frames, some of which are part of a failing flow so I can't tell what's happening. Thus, I need to go in higher and filter more frames during capture so that I don't lose anything.
I'm not looking for complicated display filter functionality. But for example, the first line of any SIP INVITE is
INVITE sip:bob@xxxxxxxxxx SIP/2.0
thus I can filter the first 8 bytes of the SIP header and match them to a string == "INVITE". I could even convert INVITE to hex and do a byte-to-byte binary match for high-speed matching, i.e. something like
If bytes[0:5] == 49 4e 56 49 54 45 then keep the frame
otherwise drop it
similar to VLAN matching, etc., and other capture filters which are already in place ...
This way I keep INVITEs and filter out SIP:REGISTER, SIP:MESSAGE, etc., so I have a higher chance of getting the frames I want. But I don't see sip as an option in capture filters (I have checked both Wireshark and linux:tcpdump). I can see tcp port http but no sip.
If anyone happens to have any ideas let me know.
So is this traffic all SIP? Would it be sufficient to capture filter on UDP port 5060? Or do you need to index into the UDP payload?
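Added example, not from this thread and not Wireshark or libpcap code: a Python model of the byte-offset capture filter Manolis describes, run over constructed Ethernet/IPv4/UDP frames to show Anders' point about fragmentation. The pcap-filter equivalent of the idea would be `udp port 5060 and udp[8:4] = 0x494e5649 and udp[12:2] = 0x5445` (BPF compares at most 4 bytes per load, so "INVITE" is split in two), and libpcap only evaluates `udp[...]` on first fragments (fragment offset zero), since later fragments carry no UDP header. The frame builder, addresses and SIP payloads are all made up for the demonstration; IPv6 fragmentation is not modelled.

```python
# Added example (not from the thread, Wireshark or libpcap): model a capture
# filter that matches the SIP method by UDP payload offset, then run it over
# constructed frames to show why a fragmented INVITE comes back incomplete.
import struct

SIP_PORT = 5060
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_UDP = 17


def build_frame(payload, sport=SIP_PORT, dport=SIP_PORT, frag_offset=0,
                more_fragments=False, with_udp_header=True):
    """Construct a minimal Ethernet/IPv4/UDP frame (sample data, checksums zero).

    frag_offset is in 8-byte units, as on the wire.  A non-first fragment
    carries no UDP header, only the continuation of the datagram body.
    """
    if with_udp_header:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = payload
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, flags_frag,
                     64, IPPROTO_UDP, 0,
                     bytes([10, 80, 29, 81]), bytes([10, 80, 29, 82]))  # made-up hosts
    eth = bytes(12) + ETHERTYPE_IPV4  # zero MAC addresses: placeholder values
    return eth + ip + l4


def parse_ipv4_udp(frame):
    """Return (first_fragment, sport, dport, payload), or None if not IPv4/UDP."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_UDP:
        return None
    frag_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    if frag_offset != 0:
        # Later fragment: no UDP header here, the body simply continues.
        return (False, None, None, ip[ihl:])
    if len(ip) < ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (True, sport, dport, ip[ihl + 8:])


def keep_frame(frame):
    """Model of the pcap filter
         udp port 5060 and udp[8:4] = 0x494e5649 and udp[12:2] = 0x5445
    As in libpcap, udp[...] is only evaluated on first fragments
    (ip[6:2] & 0x1fff = 0), so later fragments can never match.
    """
    parsed = parse_ipv4_udp(frame)
    if parsed is None:
        return False
    first, sport, dport, payload = parsed
    if not first or SIP_PORT not in (sport, dport):
        return False
    return payload[:6] == b"INVITE"


def demo():
    """Run the filter over constructed frames; returns {label: kept}."""
    invite_head = (b"INVITE sip:bob@example.invalid SIP/2.0\r\n"
                   b"Via: SIP/2.0/UDP 10.80.29.81\r\n")
    invite_tail = (b"Content-Type: application/sdp\r\n\r\n"
                   b"v=0\r\no=- 1 1 IN IP4 10.80.29.81\r\n")
    frames = {
        # whole INVITE in one datagram: kept
        "invite_single": build_frame(invite_head + invite_tail),
        # large INVITE split in two: the first fragment (MF set, offset 0) is kept ...
        "invite_frag1": build_frame(invite_head, more_fragments=True),
        # ... but the second fragment has no UDP header and is dropped, so the
        # SDP body never reaches the trace: an incomplete message
        "invite_frag2": build_frame(invite_tail, frag_offset=185,
                                    with_udp_header=False),
        "register": build_frame(b"REGISTER sip:example.invalid SIP/2.0\r\n"),
        "invite_wrong_port": build_frame(invite_head, sport=5070, dport=5080),
    }
    return {name: keep_frame(f) for name, f in frames.items()}


if __name__ == "__main__":
    for name, kept in demo().items():
        print(f"{name:18s} {'keep' if kept else 'drop'}")
```

The trade-off this makes visible is the one Anders raises: a payload-offset filter does cut the packet rate, but every INVITE large enough to fragment (typically those carrying SDP) loses its tail, which is exactly the part of a failing call flow you would want to inspect.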
Hello
Thanks.
Yes, further to Guy's comment, due to high traffic coming from servers which are faster than the capture equipment, I need to filter during capture, otherwise specific frames which I need are dropped while others that I don't need are captured.
Manolis
On Jan 23, 2018, at 5:31 AM, Dignam, Mark <Mark.Dignam@xxxxxxxx> wrote:
> Yeah in the filter option just add in sip contains XXXXXX (where XXXXXX is the MSISDN or part there of)
That's a *display* filter, so it won't filter out packets during the capture process.
Filtering specific SIP packets at capture time is much harder; see the ask.wireshark.com answer to which Anders pointed.