On Thu, Sep 24, 2009 at 03:14:10PM +0200, ketzal devims wrote:
>
> Now if I do
> port 5060 or (vlan and port 5060)) or port 3868 or (vlan and port 3868))
> -> I can capture Diameter for both sides, but SIP only for responses (as
> if the first expression "port 5060" was omitted)...
Filtering for untagged as well as tagged packets is a little tricky in
tcpdump/tshark/wireshark. The thing to remember is that the word vlan in
the capture filter advances the offset into the packet by 4 bytes (the
length of the 802.1q header). The correct way to do this is to first
filter on all non-tagged frames and then filter for the tagged frames
like this:
"(port 5060 or port 3868) or (vlan and (port 5060 or port 3868))"
Hope this helps,
Cheers,
Sake
PS This is also documented on http://wiki.wireshark.org/VLAN