Wireshark-users: Re: [Wireshark-users] filter application layer frames during capture kernel (SIP

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Manolis Katsidoniotis <manoska@xxxxxxxxx>
Date: Wed, 24 Jan 2018 18:27:49 +0000
Hello

It's IMS (SIP, diameter, DNS, etc, ...)
I'm already filtering 5060 port only without translating IPs to names
and it's dropping 100s of frames
some of which are part of a failing flow so I can't tell what's happening.

Thus, I need to go in higher and filter more frames during capture so that I don't lose anything.

I'm not looking for complicated display filters functionality

But for example
the first line of any sip INVITE is
INVITE sip:bob@xxxxxxxxxx SIP/2.0
thus I can filter the first 8 bytes of the SIP header and match them to a string == "INVITE"

I could even convert INVITE to hex and do a byte to byte binary match for high speed matching
ie. something like
If bytes[0:5] == 49 4e 56 49 54 45 then keep the frame
otherwise drop it

similar to vlan matching, etc, etc,
and other capture filters which are already in place ...

This way I keep INVITEs and filter out SIP:REGISTER, SIP:MESSAGE, etc, ...
so I have a higher chance of geeting the frames I want.

But I don't see sip as an option in capture filters (I have checked both wireshark and linux:tcpdump)
I can see  tcp port http  but no sip.

If anyone happens to have any ideas let me know.

Thanks
Manolis

On Wed, Jan 24, 2018 at 9:06 AM Jaap Keuter <jaap.keuter@xxxxxxxxx> wrote:
So is this traffic all SIP? Would it be sufficient to capture filter on UDP port 5060? Or do you need to index into the UDP payload?

On 24 Jan 2018, at 15:31, Manolis Katsidoniotis <manoska@xxxxxxxxx> wrote:

Hello

Thanks.
Yes further to Guy's comment,
due to high traffic coming from servers which are faster than the capture equipment,
I need to filter during capture otherwise
specific frames which I need are dropped
while others that I don't need are captured.

Thanks
Manolis

On Tue, Jan 23, 2018 at 11:43 AM Guy Harris <guy@xxxxxxxxxxxx> wrote:
On Jan 23, 2018, at 5:31 AM, Dignam, Mark <Mark.Dignam@xxxxxxxx> wrote:

> Yeah in the filter option just add in sip contains XXXXXX (where XXXXXX is the MSISDN or part there of)

That's a *display* filter, so it won't filter out packets during the capture process.

Filtering specific SIP packets at capture time is much harder; see the ask.wireshark.com answer to which Anders pointed.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe