Ethereal-users: Re: [Ethereal-users] setting capture filters

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 25 Jul 2002 13:23:00 -0700
On Thu, Jul 25, 2002 at 09:11:38AM -0700, Paul Meyer wrote:
> I am having trouble setting capture filters. If I attempt to start
> ethereal capture and use the following string "ip proto sip" or "ether
> proto sip" or "proto sip" I receive an ethereal error dialog box
> indicating "!Unable to parse filter string(unknown ip proto 'sip')"

That's because, well, libpcap (the library Ethereal, tcpdump, etc.  use
to capture packets) doesn't know about any IP protocol - in the sense of
"a protocol that runs *directly* atop IP, with no protocols between it
and IP" - named "sip".

The same applies for "ether proto sip"; libpcap also doesn't know about
any Ethernet protocol - in the sense of a protocol that runs *directly*
atop Ethernet - named "sip".

If "sip" is the Session Initiation Protocol (RFC 2543), the reason for
that may be that it's *NOT* a protocol that runs directly atop IP or
directly atop Ethernet! Instead, it's a protocol that runs atop TCP or
UDP; TCP and UDP run atop IP, and IP *can* run atop Ethernet, but that
doesn't mean that SIP runs directly atop IP or Ethernet.

As such, libpcap will *never* know about "ip proto sip" or "ether proto
sip", because there's no such thing for it to know about.

> I believe that I am using the correct syntax

Your belief is mistaken, if by "sip" you mean the Session Initiation
Protocol, as the correct syntax for a protocol running atop TCP or UDP
would be

	tcp port {protocol}

or

	udp port {protocol}

or

	port {protocol}

*if* the protocol is one that's known to the "getservbyname()" routine
on your machine.

Unfortunately, there's a good chance that it's not, so you'd have to
explicitly specify the TCP or UDP port number for SIP, rather than
specifying the port number by name.  Even if it was, that'd only work if
the standard port number - port 5060 - was being used.

So, if the SIP traffic you're trying to capture is using port 5060,
you'd use

	tcp port 5060

or

	udp port 5060

or

	port 5060

depending on whether you want to capture TCP SIP traffic, UDP SIP
traffic, or both TCP and UDP SIP traffic.
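As an added illustration of the two lookups discussed in this reply (example code written here, not from the list, libpcap or Ethereal): it assumes libpcap resolves the NAME in "ip proto NAME" through the libc protocols table (getprotobyname()) and, as the reply says, the NAME in "port NAME" through getservbyname(), and it always emits a numeric port so the resulting filter does not depend on the local services table.

```python
import socket


def ip_proto_known(name):
    """Return True if 'ip proto NAME' could resolve on this machine.

    Assumption: libpcap maps NAME to a protocol number with the libc
    protocols table (getprotobyname(), usually /etc/protocols), which only
    lists protocols carried directly in IP, such as tcp, udp or icmp.
    SIP is carried in UDP or TCP, so it is never in that table."""
    try:
        socket.getprotobyname(name)
        return True
    except OSError:
        return False


def port_filter(service, transport=None, fallback_port=None):
    """Build the 'tcp port N' / 'udp port N' / 'port N' filter the reply suggests.

    transport: "tcp", "udp", or None for both (plain 'port N').
    The service name is resolved with getservbyname(), as libpcap does for
    'port NAME'; if this machine's services table does not know it, the
    explicit fallback_port is used instead, so the emitted filter is always
    numeric and works regardless of the local /etc/services."""
    transports = [transport] if transport else ["tcp", "udp"]
    port = None
    for proto in transports:
        try:
            port = socket.getservbyname(service, proto)
            break
        except OSError:
            continue
    if port is None:
        if fallback_port is None:
            raise LookupError(
                f"{service!r} is not in the services table; "
                "give its port number explicitly")
        port = fallback_port
    return f"{transport} port {port}" if transport else f"port {port}"


if __name__ == "__main__":
    # Why "ip proto sip" fails: there is no IP-level protocol by that name.
    for name in ("tcp", "udp", "sip"):
        state = "ok" if ip_proto_known(name) else "unknown ip proto"
        print(f"ip proto {name}: {state}")
    # What to use instead; 5060 is the standard SIP port named in the reply.
    for transport in ("tcp", "udp", None):
        print(port_filter("sip", transport, fallback_port=5060))
```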