Hi,
If I get your question right, you want a capture filter for specific SIP “fields”. This question on Ask Wireshark discusses a similar topic:
https://ask.wireshark.org/question/1320/how-would-i-map-this-display-filter-to-a-capture-filter/
“the mechanisms that implement capture filters (a mechanism in libpcap and various OS kernels, where the filter is compiled into a pseudo-machine program and interpretively executed or translated to machine code and executed)…” “…there is no general mechanism for turning a display filter into a capture filter (and some display filters simply cannot be turned into display filters, as the BPF pseudo-machine does not support looping and thus cannot handle any protocol whose dissection requires a loop).”
If your SIP signaling happens between known IP addresses and ports, you can use those as a capture filter to only capture SIP traffic.
Regards
Anders
From: Wireshark-users [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Manolis Katsidoniotis
Sent: 23 January 2018 14:11
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] filter application layer frames during capture kernel (SIP)
Hello
Maybe this has been requested in the past, but I would like to ask if anyone knows how to filter out specific SIP frames during capture in Wireshark and/or tcpdump ...
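
An added example, not part of the original thread: a capture filter built from known addresses and port as the reply suggests, going one step further by comparing the first four UDP payload bytes at a fixed offset, which BPF can do without a loop. The addresses (192.0.2.x), the use of port 5060 and the function names are assumptions made for illustration.

```python
import ipaddress

def start_word(token: str) -> int:
    """First 4 bytes of a SIP start line as a big-endian integer.
    Short methods (ACK, BYE) are padded with the space that follows them."""
    raw = token.encode("ascii")[:4].ljust(4, b" ")
    return int.from_bytes(raw, "big")

def build_capture_filter(hosts, port, tokens) -> str:
    """pcap-filter expression: UDP between known IPv4 hosts on the SIP port
    whose payload starts with one of the given start-line tokens."""
    for h in hosts:
        # udp[...] indexing in libpcap applies to IPv4 only, so reject
        # anything that is not an IPv4 literal.
        ipaddress.IPv4Address(h)
    host_part = " and ".join(f"host {h}" for h in hosts)
    # udp[8:4] reads 4 bytes at offset 8 from the start of the UDP header,
    # i.e. the first 4 payload bytes. The offset is fixed, so no loop.
    word_part = " or ".join(
        f"udp[8:4] = 0x{start_word(t):08x}" for t in tokens
    )
    return f"{host_part} and udp port {port} and ({word_part})"

def would_match(payload: bytes, tokens) -> bool:
    """Mirror of the udp[8:4] comparison, for checking sample payloads."""
    if len(payload) < 4:
        return False
    return int.from_bytes(payload[:4], "big") in {start_word(t) for t in tokens}

# Constructed sample payloads (not captured traffic).
SAMPLE_INVITE = b"INVITE sip:bob@example.invalid SIP/2.0\r\nCSeq: 1 INVITE\r\n\r\n"
SAMPLE_200_OK = b"SIP/2.0 200 OK\r\nCSeq: 1 INVITE\r\n\r\n"
SAMPLE_BYE = b"BYE sip:bob@example.invalid SIP/2.0\r\nCSeq: 2 BYE\r\n\r\n"

if __name__ == "__main__":
    wanted = ["INVITE", "BYE"]
    print(build_capture_filter(["192.0.2.10", "192.0.2.20"], 5060, wanted))
    for name, pkt in [("INVITE", SAMPLE_INVITE), ("200 OK", SAMPLE_200_OK),
                      ("BYE", SAMPLE_BYE)]:
        # The 200 OK carries "INVITE" in its CSeq header, but that header
        # sits at a variable offset, so a fixed-offset test cannot see it.
        print(name, would_match(pkt, wanted))
```

The generated expression is passed to tcpdump or Wireshark as one quoted capture-filter string. It covers SIP over UDP only; anything that depends on a header further into the message still needs a display filter after capture.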