Your problem is occurring because sip is not a valid IP protocol. To use "ip proto <protocol>" in a capture filter, the valid names, from the tcpdump man page, are: "Protocol can be a number or one of the names icmp, igrp, udp, nd, or tcp."
According to the SIP RFC 2543, "In an Internet context, SIP is able to utilize both UDP and TCP as transport protocols, among others." I would assume therefore that SIP does not run directly over IP but needs UDP or TCP as transport.
If you do want to do a capture filter (based on the data at http://www.cs.columbia.edu/sip/assignments.html) you will need to have a filter like "dst port 5060". This will capture both TCP and UDP traffic with a destination port of 5060, which is assigned to SIP. (If you have an entry for sip in your "services" file you can also get away with "dst port sip".) Yes, unfortunately, in the case of tcpdump (and in fact most technical literature) an IP "protocol" very specifically is that which rides directly on the IP layer. (For instance, HTTP is not an IP protocol but more correctly a transport protocol that rides on the TCP protocol that rides on IP :-)
Fortunately, using simply "sip" as a display filter will trap (presumably) both UDP and TCP based SIP.
(Not sure about the TLS stuff; if you know more about SIP you may know whether it is appropriate or not to be identified as well.)
Martin Visser
Network Consultant - Global Services
COMPAQ, part of the new HP
3 Richardson Place
North Ryde, Sydney NSW 2113, Australia
Phone: +61-2-9022-1670 Mobile: +61-411-254-513
Fax: +61-2-9022-1800 E-mail: martin.visserAThp.com
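To make the layering point above concrete, here is an added Python example (not part of this thread, nor code from tcpdump or Ethereal) that parses a constructed Ethernet/IPv4 frame with the standard library and emulates the two filter primitives the thread compares: "ip proto" can only test the 8-bit protocol field of the IP header, where no name for SIP can exist, while "dst port 5060" matches the SIP port whether it is carried over UDP or TCP. The protocol-number table, the frame builder and the INVITE request line are assumptions constructed for the example.

```python
import struct

# Protocol numbers that "ip proto <name>" can refer to (IANA assigned numbers).
IP_PROTO = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17}
SIP_PORT = 5060  # port assigned to SIP, as noted in the thread


def parse_frame(frame: bytes) -> dict:
    """Return the IP protocol number and, for TCP/UDP, the destination port."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:  # not IPv4
        return {}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes
    info = {"ip_proto": ip[9]}  # this one byte is all "ip proto" can test
    if ip[9] in (IP_PROTO["tcp"], IP_PROTO["udp"]):
        # both transport headers begin with 16-bit source and destination ports
        info["dst_port"] = struct.unpack("!HH", ip[ihl:ihl + 4])[1]
    return info


def ip_proto_filter(name: str):
    """Emulates 'ip proto <name>'; unknown names fail the way tcpdump reports."""
    if name not in IP_PROTO:
        raise ValueError(f"unknown ip proto '{name}'")
    return lambda frame: parse_frame(frame).get("ip_proto") == IP_PROTO[name]


def dst_port_filter(port: int):
    """Emulates 'dst port <n>': matches the port over either TCP or UDP."""
    return lambda frame: parse_frame(frame).get("dst_port") == port


def build_frame(proto: int, dst_port: int, payload: bytes) -> bytes:
    """Constructed sample frame: zeroed MACs, private IPs, no checksums."""
    if proto == IP_PROTO["udp"]:
        l4 = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0)
    else:  # TCP: 20-byte header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload),
                     0, 0, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload


if __name__ == "__main__":
    invite = b"INVITE sip:bob@example.invalid SIP/2.0\r\n"  # constructed request line
    for label, frame in (("udp", build_frame(17, SIP_PORT, invite)),
                         ("tcp", build_frame(6, SIP_PORT, invite))):
        print(label, "dst port 5060:", dst_port_filter(SIP_PORT)(frame),
              "ip proto udp:", ip_proto_filter("udp")(frame))
```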
-----Original Message-----
From: Paul Meyer [mailto:paul.meyer_jr@xxxxxxxxxxx]
Sent: Friday, 26 July 2002 2:12 AM
To: ethereal-users@xxxxxxxxxxxx; ethereal-web@xxxxxxxxxxxx
Cc: paul.meyer_jr@xxxxxxxxxxx; skip.clayton@xxxxxxxxxxx
Subject: [Ethereal-users] setting capture filters
I am having trouble setting capture filters. If I attempt to start an ethereal capture and use the following string "ip proto sip" or "ether proto sip" or "proto sip" I receive an ethereal error dialog box indicating "!Unable to parse filter string(unknown ip proto 'sip')". I have read the FAQ statement on "parse errors" and have the 2.3 version of WinPcap (downloaded from winpcap.polito.it as is suggested). I believe that I am using the correct syntax and have been able to set filters such as "src host 100.100.100.19" that work correctly, but no luck with filtering with protocols. Am I missing something? Please reply to Paul.meyer_jr@xxxxxxxxxxx
Thanks
Paul.Meyer_jr@xxxxxxxxxxx