Wireshark mailing list archives

Re: SIP trace with tshark?


From: Nicholas Saunders <saunders.nicholas () gmail com>
Date: Sun, 6 Sep 2020 17:10:42 -0700

It says that this isn't a valid capture filter due to a syntax error:


nicholas $
nicholas $ sudo  tshark -f udp.port==5060,sip
Running as user "root" and group "root". This could be dangerous.
Capturing on 'enp0s25'
tshark: Invalid capture filter "udp.port==5060,sip" for interface 'enp0s25'.

That string isn't a valid capture filter (can't parse filter expression: syntax error).
See the User's Guide for a description of the capture filter syntax.
0 packets captured
nicholas $


so I'm still reading the manual, but could sure use a pointer here.



thanks,


Nick


On 2020-09-06 5:02 a.m., Jaap Keuter wrote:
> On 6 Sep 2020, at 10:59, Nicholas Saunders <saunders.nicholas () gmail com> wrote:
>
>> How do I monitor port 5060 for SIP traffic?  Something like:
>>
>> sudo  tshark -d udp.port==5060,http
>>
>> obviously, not http.
>>
>> thanks,
>>
>> Nick
>
> Hi,
>
> By default the SIP dissector is quite capable of picking up UDP packets on port 5060 for itself, so configuration like this is usually not needed. Otherwise see what ‘sip’ instead of ‘http’ brings.
>
> Thanks,
> Jaap

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
              mailto:wireshark-users-request () wireshark org?subject=unsubscribe
___________________________________________________________________________