Re: filter application layer frames during capture kernel (SIP)

[Manolis Katsidoniotis <manoska () gmail com>]

Hello

It's IMS (SIP, diameter, DNS, etc, ...)
I'm already filtering 5060 port *only *without translating IPs to names
and it's dropping 100s of frames
some of which are part of a failing flow so I can't tell what's happening.

Thus, I need to go in higher and filter more frames *during capture* so
that I don't lose anything.

I'm not looking for complicated display filters functionality

But for example
the first line of any sip INVITE is

INVITE sip:bob () biloxi com SIP/2.0

thus I can filter the first 8 bytes of the SIP header and match them to a
string == "INVITE"

I could even convert INVITE to hex and do a *byte to byte *binary match for
high speed matching
ie. something like
If bytes[0:5] == 49 4e 56 49 54 45 then keep the frame
otherwise drop it

similar to vlan matching, etc, etc,
and other capture filters which are already in place ...

This way I keep INVITEs and *filter out* SIP:REGISTER, SIP:MESSAGE, etc, ...
so I have a higher chance of geeting the frames I want.

But I don't see *sip* as an option in *capture *filters (I have checked
both wireshark and linux:tcpdump)
I can see  tcp port http  but no sip.

If anyone happens to have any ideas let me know.

Thanks
Manolis

On Wed, Jan 24, 2018 at 9:06 AM Jaap Keuter <jaap.keuter () xs4all nl> wrote:

> So is this traffic all SIP? Would it be sufficient to capture filter on
> UDP port 5060? Or do you need to index into the UDP payload?
>
> On 24 Jan 2018, at 15:31, Manolis Katsidoniotis <manoska () gmail com> wrote:
>
> Hello
>
> Thanks.
> Yes further to Guy's comment,
> due to high traffic coming from servers which are faster than the capture
> equipment,
> I need to filter during capture otherwise
> specific frames which I need are dropped
> while others that I don't need are captured.
>
> Thanks
> Manolis
>
> On Tue, Jan 23, 2018 at 11:43 AM Guy Harris <guy () alum mit edu> wrote:
>
> > On Jan 23, 2018, at 5:31 AM, Dignam, Mark <Mark.Dignam () ee co uk> wrote:
> >
> > > Yeah in the filter option just add in sip contains XXXXXX (where XXXXXX
> > is the MSISDN or part there of)
> >
> > That's a *display* filter, so it won't filter out packets during the
> > capture process.
> >
> > Filtering specific SIP packets at capture time is much harder; see the
> > ask.wireshark.com answer to which Anders pointed.
> >
> > ___________________________________________________________________________
> > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> > Archives:    https://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
> >              mailto:wireshark-users-request () wireshark org
> > ?subject=unsubscribe
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    https://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
>
> mailto:wireshark-users-request () wireshark org?subject=unsubscribe
> <wireshark-users-request () wireshark org?subject=unsubscribe>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    https://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe