Wireshark-users: [Wireshark-users] tcpdump forum ?

From: "Aktuna, Ilker, Vodafone Turkey" <ilker.aktuna@xxxxxxxxxxxx>
Date: Mon, 27 Aug 2012 12:11:01 +0000

Hi,

 

Unfortunately, I couldn’t find a forum/mailing list about tcpdump. That’s why I’d like to ask my question here, as most of the Wireshark users are using tcpdump for capturing traffic.

If this is not suitable, please point me to a forum where I could ask about tcpdump.

 

Now, my problem is about tcpdump getting only one way traffic if used with a filter. On the server that I use tcpdump, there is libpcap 0.9.4 and tcpdump 3.9.4.

Normally if I take captures without filter, I can receive 2 way SIP traffic. However, if I put a capture filter like “port 5060” , I can only receive one way traffic in the file created.

 

In fact, I know why this happens; the SIP traffic is tunneled with ip protocol 4 (ipip) in one way. So, if I put a filter “port 5060” that doesn’t cover “udp packets under ip protocol 4”. How can I solve this issue ?

 

Previously, I had another server with different versions of libpcap and tcpdump. Then I was able to capture both way traffic for the same SIP proxy.

I assume that was because of the tcpdump or libpcap version but I don’t remember which version they were. I also tried with tcpdump version 4.3.0 and lipcap 1.3.0. They produce the same result with currently installed 3.94/0.9.4

 

To make you better understand the problem , this is how it looks like if I don’t put a capture filter:

 

15:09:21.908057 IP 10.8.8.97.5060 > 10.34.75.153.5072: SIP, length: 526

15:09:21.908065 IP 10.8.8.97.5060 > 10.34.75.153.5072: SIP, length: 526

15:09:21.910438 IP 10.8.8.97.5060 > 10.34.75.153.5072: SIP, length: 552

15:09:21.910448 IP 10.8.8.97.5060 > 10.34.75.153.5072: SIP, length: 552

15:09:21.961323 IP 10.8.8.114 > 10.8.8.122: IP 10.34.75.153.5072 > 10.8.8.97.5060: SIP, length: 408 (ipip-proto-4)

15:09:21.961327 IP 10.8.8.114 > 10.8.8.122: IP 10.34.75.153.5072 > 10.8.8.97.5060: SIP, length: 408 (ipip-proto-4)

15:09:21.983076 IP 10.8.8.114 > 10.8.8.118: IP 10.34.73.120.5072 > 10.8.8.97.5060: SIP, length: 536 (ipip-proto-4)

15:09:21.983079 IP 10.8.8.114 > 10.8.8.118: IP 10.34.73.120.5072 > 10.8.8.97.5060: SIP, length: 536 (ipip-proto-4)

15:09:22.015179 IP 10.8.8.114 > 10.8.8.122: IP 10.34.75.153.5072 > 10.8.8.97.5060: SIP, length: 398 (ipip-proto-4)

15:09:22.015184 IP 10.8.8.114 > 10.8.8.122: IP 10.34.75.153.5072 > 10.8.8.97.5060: SIP, length: 398 (ipip-proto-4)

 

 

Thanks,

ilker


Yasal Uyarı :
Bu elektronik posta işbu linki kullanarak ulaşabileceğiniz Koşul ve Şartlar dokumanına tabidir
http://www.vodafone.com.tr/VodafoneHakkinda/eposta-hukuki-sartlar.php