Ethereal-users: Re: [Ethereal-users] Capturing SIP & RTP packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Guy Harris" <gharris@xxxxxxxxx>
Date: Mon, 15 May 2006 15:51:25 -0700 (PDT)
Andrena Lefdahl wrote:
> "Q: What is a good filter for just capturing SIP and RTP packets?
>
> port sip
>
> should capture both TCP and UDP traffic to and from that port (if one of
> those filters gets "parse error", try using 5060 instead of sip). For
> SIP traffic to and from other ports, use that port number rather than
> sip.
>
> For RTP packets, you would have to determine one of the port numbers
> that would be used, and specify that port number."
>
> Here are my questions:
>
> 1. port sip is what I need to type into the filter space to get SIP
> traffic right?

Assuming the SIP traffic is going to or from port 5060, the standard SIP
port (and that your OS's getservbyname database has an entry for sip),
yes.  If it doesn't have an entry for sip, that'll get an error - try
"port 5060" instead.  If the SIP traffic isn't going to or from the
standard port, you'd have to specify that port number.

> 2. It says I have to determine one of the port numbers for RTP, it
> uses several port numbers, will just specifying one of them pick up the
> rest of the RTP traffic?

No.  The filter won't be looking for RTP traffic, it'll be looking for
traffic to or from the particular port number or numbers, so you have to
specify all of them in advance.

> 3. So now what is the full syntax that I would type in the filter
> box to answer: "What is a good filter for just capturing SIP and RTP
> packets?"

The answer depends on the port numbers RTP happens to be using.
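
Added example (not part of the original message): since the capture filter matches port numbers rather than RTP itself, one way to get those numbers is to read them from the SDP bodies of the call's SIP messages, for instance from an earlier SIP-only capture. The Python below assumes the SDP text is already at hand; the sample SDP and the function names `media_ports` and `capture_filter` are constructed for illustration.

```python
import re

# Constructed SDP bodies (offer from an INVITE, answer from a 200 OK).
OFFER = """v=0
o=alice 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0
m=video 0 RTP/AVP 31
"""
ANSWER = """v=0
o=bob 1 1 IN IP4 192.0.2.20
s=-
c=IN IP4 192.0.2.20
t=0 0
m=audio 3456 RTP/AVP 0
a=rtcp:3500
"""

M_LINE = re.compile(r"m=\w+ (\d+)(?:/(\d+))? RTP/S?AVPF?\b")
RTCP_ATTR = re.compile(r"(?m)^a=rtcp:(\d+)")

def media_ports(sdp):
    """Return the UDP ports one SDP body announces for RTP and RTCP."""
    ports = set()
    # Split before each "m=" line so attributes stay with their media section.
    for section in re.split(r"(?m)^(?=m=)", sdp)[1:]:
        m = M_LINE.match(section)
        if not m or int(m.group(1)) == 0:  # non-RTP media, or port 0 = stream disabled
            continue
        base, count = int(m.group(1)), int(m.group(2) or 1)
        rtcp = RTCP_ATTR.search(section)
        for i in range(count):
            ports.add(base + 2 * i)  # RTP port
            # RTCP: explicit a=rtcp port if given, otherwise the next port up.
            if rtcp and count == 1:
                ports.add(int(rtcp.group(1)))
            else:
                ports.add(base + 2 * i + 1)
    return ports

def capture_filter(sdp_bodies, sip_port=5060):
    """Build a capture filter naming the SIP port and every media port found."""
    ports = sorted(set().union(*(media_ports(s) for s in sdp_bodies)))
    return " or ".join([f"port {sip_port}"] + [f"udp port {p}" for p in ports])

if __name__ == "__main__":
    print(capture_filter([OFFER, ANSWER]))
```

The resulting string only covers the calls whose SDP was supplied; a new call negotiates new ports and needs a new filter.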