
Wireshark-users: [Wireshark-users] No SIP/RTP capture with Realtek RTL8139/810x Fast Ethernet NIC

From: Michael Mei <mmei@xxxxxx>
Date: Wed, 14 Jan 2009 19:01:16 -0500
I found this related thread from July/08 but could not figure out how to properly continue the thread.
 
I am running the latest Wireshark and WinPCAP. I have a real hub (not a switch). I am able to see ARP and ARP replies involving two devices other than my PC's Realtek RTL8139/810x connection to the hub so I know that the hub is working. However I am not able to see SIP and RTP amongst those other two devices and such traffic was definitely flowing when I successfully made phone calls using those devices. Wireshark is configured for promiscuous mode capture. De-installing (rebooting) and re-installing (rebooting) the latest version of Wireshark did not help. I updated the Realtek drivers to the latest (very recent) which did not help.
 
Shou-Kuo Shao, have you learned anything since this last post? I have considered but not yet tried loading an old version of the Realtek drivers to see if I can get promiscuous SIP and RTP capture working again.
 
I am running Windows XP Professional on an old Athlon 1.2 GHz with 3/4 Gig RAM.
 
Michael Mei
 
From: Shou-Kuo Shao <skshao@xxxxxxxxxx>
Date: Thu, 17 Jul 2008 08:47:38 +0800

Dear Jaap,

Thanks for the tips. I will try your methods later.

However, I have tried to capture the phone's packets from three other desktop computers all running Windows XP Professional and can do the work.

My notebook is with Windows XP Home edition, I wonder if this is the problem.

Best Regards

Shou-Kuo Shao




At 07:23 2008/7/16 +0200, you wrote:
>Hi,
>
>Does the IP phone use VLAN tags? That can spell trouble for the Windows network
>driver. Boot up from a Linux live CD with a capture application (Knoppix is a
>good example) and try capturing with that.
>
>Thanx,
>Jaap
>
>Shou-Kuo Shao wrote:
>> Dear Abhik,
>>
>> Thank you for the quick reply.
>>
>> However, the setting of "Capture packets in promiscuous mode" has been
>> selected correctly. And the device I used is a pure hub. If I ping the IP
>> phone from any places, I could capture the ICMP packets with the IP
>> phone's address. I also could capture any other packets on the net, so
>> the promiscuous mode should be OK.
>>
>>
>> The only problem is the SIP and RTP packets could not be captured. And
>> no capture filters have been set.
>>
>> Best Regards
>>
>> Shou-Kuo Shao
>>
>>
>> >- When starting the capture, make sure that you select "Capture
>> >packets in promiscuous mode", otherwise only packets coming to and
>> >leaving your laptop will be captured and not everything flowing though
>> >the hub.
>> >- Make sure you are connecting to a hub and not a switch. Otherwise
>> >the capture approach has to be changed.
>> >
>> >HTH
>> >Abhik.
>> >
>> >On Wed, Jul 16, 2008 at 12:20 PM, skshao <skshao@xxxxxxxxxx> wrote:
>> >> Dear gurus,
>> >>
>> >> I have installed the Wireshark 1.0.2 in a notebook with a Realtek
>> RTL8139/810x Family Fast Ethernet NIC.
>> >>
>> >> Everything seems OK, when I initialize wireshark to capture the
>> packets over the Ethernet. However, when I attach the notebook to a hub
>> with an IP Phone attached on another port, a strange thing happens. The
>> Wireshark could capture packets except those of SIP and RTP related
>> protocols (e.g., I ping the IP Phone from the notebook and the packets of
>> ICMP echo request and reply can be captured). No capture filters have
>> been assigned in the Wireshark.
>> >>
>> >> I then initialize a soft phone in the notebook to communicate with
>> the Proxy server and use wireshark to capture the SIP packets. The
>> Wireshark works well in this way.
>> >>
>> >> I have uninstalled WinPcap and wireshark with Revo Uninstaller (in
>> order to uninstall them completely) and re-install them several times.
>> The situation doesn't change a bit. It just seems that my notebook could
>> not capture the Ethernet packets of SIP and RTP protocols.
>> >>
>> >> Can anyone help me or give me a clue to solve this? Thank you very
>> much for the help!
>> >>
>> >> Best Regards
>> >>
>> >> Shou-Kuo Shao
>
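Added example, not part of the thread or of Wireshark: one way to check Jaap's VLAN-tag question on a capture saved from a machine that does see the phone's traffic (such as the Linux live CD he suggests), by counting 802.1Q-tagged versus untagged frames and which of them carry SIP. The function names, the match on default SIP port 5060 and the sample frames are assumptions constructed for illustration; it reads classic pcap files only, not pcapng.

```python
import struct
from collections import Counter

SIP_PORT = 5060      # default SIP port (assumption; RTP ports are negotiated per call)
TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag

def classify_frame(frame):
    """Return (vlan_id or None, UDP destination port or None) for one Ethernet frame."""
    if len(frame) < 14:
        return None, None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, l3 = None, 14
    if ethertype == TPID_8021Q and len(frame) >= 18:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, l3 = tci & 0x0FFF, 18  # low 12 bits of the TCI are the VLAN ID
    if ethertype != 0x0800 or len(frame) < l3 + 20:  # only IPv4 is inspected further
        return vlan_id, None
    ihl = (frame[l3] & 0x0F) * 4
    if frame[l3 + 9] != 17 or len(frame) < l3 + ihl + 4:  # protocol 17 = UDP
        return vlan_id, None
    return vlan_id, struct.unpack("!H", frame[l3 + ihl + 2:l3 + ihl + 4])[0]

def vlan_report(pcap):
    """Count frames of a classic pcap byte string by (tagged/untagged, sip/other)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        vlan_id, dport = classify_frame(pcap[off + 16:off + 16 + incl_len])
        counts["untagged" if vlan_id is None else "tagged",
               "sip" if dport == SIP_PORT else "other"] += 1
        off += 16 + incl_len
    return counts

def make_frame(vlan, dport):
    """Build one constructed UDP-over-IPv4 frame, 802.1Q-tagged when vlan is set."""
    tag = struct.pack("!HH", TPID_8021Q, vlan) if vlan else b""
    ip = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17, 0, 0]) + bytes(8)
    return b"\xff" * 6 + b"\x02" * 6 + tag + b"\x08\x00" + ip + struct.pack("!HHHH", 5060, dport, 8, 0)

def sample_pcap():
    """Constructed capture: an untagged UDP frame and a SIP frame tagged for VLAN 100."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = (make_frame(0, 7), make_frame(100, SIP_PORT))
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    print(dict(vlan_report(sample_pcap())))
```

If SIP shows up only under `tagged` while the untagged traffic (ARP, ICMP) is what the Windows capture displays, the tag handling in the Windows driver is the place to look.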