List: ethereal-users
Subject: RE: [Ethereal-users] setting capture filters
From: "Visser, Martin (Sydney)" <Martin.Visser () hp ! com>
Date: 2002-07-26 7:20:52
Your problem is occurring because sip is not a valid IP protocol. To use "ip proto
<protocol>" in a capture filter, from the tcpdump man page, are - "Protocol can be a
number or one of the names icmp, igrp, udp, nd, or tcp."
According to the SIP RFC 2543 "In an Internet context, SIP is able to utilize both UDP
and TCP as transport protocols, among others." I would assume therefore that SIP
does not run directly over IP but needs UDP or TCP as transport.
If you do want to do a capture filter (based on the data at
http://www.cs.columbia.edu/sip/assignments.html) you will need to have a filter like
"dst port 5060". This will capture both TCP and UDP traffic with a destination port
of 5060 which is assigned to SIP. (If you have an entry for sip in your "services" file
you can also get away with "dst port sip"). Yes, unfortunately, in the case of
tcpdump (and in fact most technical literature) an IP "protocol" very specifically is
that which rides directly on the IP layer. (For instance HTTP is not an IP protocol
but more correctly a transport protocol that rides on the TCP protocol that rides on
IP :-)
Fortunately, using simply "sip" as a display filter will trap (presumably) both UDP
and TCP based SIP.
(not sure about the TLS stuff, if you know more about SIP you may know if this is
appropriate or not to be identified as well)
Martin Visser
Network Consultant - Global Services
COMPAQ, part of the new HP
3 Richardson Place
North Ryde, Sydney NSW 2113, Australia
Phone: +61-2-9022-1670 Mobile: +61-411-254-513
Fax: +61-2-9022-1800 E-mail: martin.visserAThp.com
-----Original Message-----
From: Paul Meyer [mailto:paul.meyer_jr@alcatel.com]
Sent: Friday, 26 July 2002 2:12 AM
To: ethereal-users@ethereal.com; ethereal-web@ethereal.com
Cc: paul.meyer_jr@alcatel.com; skip.clayton@alcatel.com
Subject: [Ethereal-users] setting capture filters
I am having trouble setting capture filters. If I attempt to start ethereal capture
and use the following string "ip proto sip" or "ether proto sip" or "proto sip" I
receive an Ethereal error dialog box indicating "!Unable to parse filter
string(unknown ip proto 'sip')". I have read the FAQ statement on "parse errors" and
have the 2.3 version of WinPcap (downloaded from winpcap.polito.it as is suggested).
I believe that I am using the correct syntax and have been able to set filters such
as "src host 100.100.100.19" that work correctly, but no luck with filtering with
protocols. Am I missing something? Please reply to Paul.meyer_jr@alcatel.com
Thanks
Paul.Meyer_jr@alcatel.com
_______________________________________________
Ethereal-users mailing list
Ethereal-users@ethereal.com
http://www.ethereal.com/mailman/listinfo/ethereal-users
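
Added example (not part of the original message): a Python sketch of what the two capture-filter primitives discussed in the reply compare against, run over constructed packets. "ip proto" tests the one-byte IPv4 protocol field, which only ever holds numbers such as 6 (TCP) or 17 (UDP), while "dst port 5060" looks inside the TCP or UDP header; the helper names and sample packets are assumptions made for illustration.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP = 6, 17   # values carried in the IPv4 "protocol" byte
SIP_PORT = 5060                    # port assigned to SIP, per the reply above

def build_ipv4(proto, sport=0, dport=0, payload=b""):
    """Constructed sample packet: 20-byte IPv4 header plus a minimal L4 header."""
    if proto == IPPROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    elif proto == IPPROTO_TCP:  # ports, seq, ack, offset, flags, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:
        l4 = bytes(8)           # e.g. ICMP: a protocol with no port fields at all
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     bytes([100, 100, 100, 19]), bytes([100, 100, 100, 20]))
    return ip + l4 + payload

def ip_proto(pkt):
    """What 'ip proto N' tests: the single protocol byte at offset 9."""
    return pkt[9]

def dst_port(pkt):
    """What 'dst port N' tests: bytes 2-3 of the TCP or UDP header, else None."""
    if pkt[0] >> 4 != 4 or ip_proto(pkt) not in (IPPROTO_TCP, IPPROTO_UDP):
        return None
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:   # later fragment: no L4 header
        return None
    ihl = (pkt[0] & 0x0F) * 4                       # IPv4 header length in bytes
    if len(pkt) < ihl + 4:
        return None
    return struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]

def matches_dst_port_sip(pkt):
    return dst_port(pkt) == SIP_PORT

SAMPLES = {  # constructed packets, not captured traffic
    "sip/udp": build_ipv4(IPPROTO_UDP, 40000, 5060, b"INVITE sip:a@b SIP/2.0\r\n"),
    "sip/tcp": build_ipv4(IPPROTO_TCP, 40001, 5060, b"REGISTER sip:b SIP/2.0\r\n"),
    "dns/udp": build_ipv4(IPPROTO_UDP, 40002, 53),
    "icmp":    build_ipv4(1),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:8} ip proto={ip_proto(pkt):<3} "
              f"dst port 5060 -> {matches_dst_port_sip(pkt)}")
```

Both SIP samples carry different values in the protocol byte (17 and 6) yet match on the port, which is why the port-based filter catches SIP over either transport.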