Wireshark-users: [Wireshark-users] SIP filter issues

From: Manolis Katsidoniotis <manoska@xxxxxxxxx>
Date: Mon, 16 Jan 2012 18:53:45 +0200

Hello everyone

I have the following question.

I am filtering a wireshark trace with

((sip.Status-Code==487)&&(sip.to.user contains 46710000))

In other words my intended action is
"please display all 487 status lines for subscribers 46710000* "
or something like: "please show the failed calls for subscribers 46710000* "

however some packets are sent via TCP and are thus multiplexed in TCP stream frames
the filter displays a "matching" result which contains 2 packets:

- 1 with 487 response which I am interested in but for subscribers that I'm "not" interested in ... so the packet is useless

- 1 with other response (180 Ringing) which I'm "not" interested in but for subscribers that I am interested in ... so this packet is also useless

According to my opinion this is a bug in wireshark.
My intention is to display frames in which the filter criteria match in the "same" packet
so in theory these packets should be excluded.

If yes how I can report it?

If no,
does anyone happen to know
how I can "filter out" these packets and display only the ones that match both criteria in the same packet?




Thanks in advance
Manolis