Wireshark-users: Re: [Wireshark-users] tcpdump forum ?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 27 Aug 2012 09:56:11 -0700
On Aug 27, 2012, at 5:11 AM, Aktuna, Ilker, Vodafone Turkey wrote:

> Unfortunately, I couldn’t find a forum/mailing list about tcpdump.

tcpdump-workers@xxxxxxxxxxxxxxxxx

See

	http://www.tcpdump.org/#mailing-lists

> Now, my problem is about tcpdump getting only one way traffic if used with a filter. On the server that I use tcpdump, there is libpcap 0.9.4 and tcpdump 3.9.4.
> Normally if I take captures without filter, I can receive 2 way SIP traffic. However, if I put a capture filter like “port 5060” , I can only receive one way traffic in the file created.
>  
> In fact, I know why this happens; the SIP traffic is tunneled with ip protocol 4 (ipip) in one way. So, if I put a filter “port 5060” that doesn’t cover “udp packets under ip protocol 4”. How can I solve this issue ?

By changing the libpcap source code to add an "ipip" term, similar to the "vlan", "mpls", and "pppoes" terms, to

	1) check for IP protocol 4

and

	2) change the offsets used when checking fields in transport-layer headers

building that version of libpcap and linking tcpdump (and other programs you want to support IP-in-IP in capture filters) with that version of libpcap, and capture using "port 5060 and (ipip and port 5060).