Ethereal-users: Re: [Ethereal-users] Regarding the Ethereal software

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Mon, 22 Oct 2001 14:33:36 -0700 (PDT)
> Now, my question is, I observed a rather unusual behavior of the Ethereal
> software. When I was trying to capture the SIP packets (Enabled all in the
> protocol) while trying to make a call between 2 SIP phones, it didn't give
> any SIP messages. All I found was the STP (Spanning Tree Protocol), but I was
> able to get SIP packets when I was using the Software Client which was
> installed on the same machine on which the Ethereal software is installed
> (SIP_UA1 and SIP_UA2), and working from a SIP phone. I tried different
> combinations and what I found was, the Ethereal Software was able to trace
> the SIP packets only when the machine on which it was installed was involved
> in the activity.

STP packets are multicast packets, so they'll be seen by any machine
that's set up to receive that multicast address, regardless of whether
that machine is in promiscuous mode or not.

SIP messages, however, are unicast packets, so they'll only be seen by
the machine from which they're being sent or to which they're being
sent, unless the network they're on is capable of promiscuous sniffing
and the network interface doing the sniffing is in promiscuous mode.

Is the *only* traffic you're seeing STP and other broadcast/multicast
traffic?

If so, I think the most likely explanation is that either

	1) your hub is a switching hub

or

	2) the machine on which you're running Ethereal has a network
	   interface whose hardware or driver doesn't support
	   promiscuous mode.

I'm assuming you're capturing in promiscuous mode (otherwise, you won't
see traffic not sent from the machine running Ethereal and not sent to a
MAC address that machine doesn't recognize) and that you're running the
latest version of Ethereal (a few releases ago there was a bug that
caused promiscuous mode not to work with "Update list of captures in
real time" captures).
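
The broadcast/multicast versus unicast distinction in the reply above, as an added example that is not part of the original post: it classifies the Ethernet frames of a capture by destination address and reports whether any unicast traffic between other hosts was seen, which is the check the reply asks the poster to make. All MAC addresses and frames are constructed sample values, and the function names are hypothetical.

```python
from collections import Counter

BROADCAST = b"\xff" * 6

def mac(text):
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def classify(frame, local_mac):
    """Classify one Ethernet frame by who could see it on the wire."""
    if len(frame) < 14:
        return "truncated"
    dst, src = frame[0:6], frame[6:12]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:  # I/G bit set: group (multicast) address, e.g. STP
        return "multicast"
    if local_mac in (dst, src):
        return "unicast_local"  # seen without promiscuous capture
    return "unicast_foreign"  # needs promiscuous mode on a shared segment

def foreign_unicast_seen(frames, local_mac):
    """Return (True/False, per-class counts) for a list of raw frames."""
    counts = Counter(classify(f, local_mac) for f in frames)
    return counts["unicast_foreign"] > 0, counts

def make_frame(dst, src, ethertype=0x0800):
    """Build a constructed frame: header plus 46 bytes of zero padding."""
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + bytes(46)

# Constructed sample data (locally administered MACs, not from the post).
LOCAL = mac("02:00:00:00:00:01")      # capturing machine
PHONE_A, PHONE_B, BRIDGE = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:10"

CAPTURE_SWITCHED = [
    make_frame("01:80:c2:00:00:00", BRIDGE, 0x0026),   # STP BPDU (802.3 length)
    make_frame("ff:ff:ff:ff:ff:ff", PHONE_A, 0x0806),  # ARP broadcast
    make_frame("02:00:00:00:00:01", PHONE_A),          # unicast to this host
]
# Same capture plus one phone-to-phone frame, as on a shared segment.
CAPTURE_SHARED = CAPTURE_SWITCHED + [make_frame(PHONE_B, PHONE_A)]

if __name__ == "__main__":
    for name, cap in (("switched", CAPTURE_SWITCHED), ("shared", CAPTURE_SHARED)):
        seen, counts = foreign_unicast_seen(cap, LOCAL)
        print(name, dict(counts), "foreign unicast seen:", seen)
```

A capture where `unicast_foreign` stays at zero while calls between other hosts are in progress matches the two explanations listed in the reply.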