The problem now is if I try to remove some packets (like watchdog for Diameter and SIP, for example). I know that the SIP and Diameter packets I would like to remove are 60 or 70 or 142 or 162 bytes in length.
I tried: ((port 5060 or port 3868) and not len = 70 and not len = 142 and not len = 162) or (vlan and (port 5060 or port 3868))
Here, I lose some Diameter traffic. I also tried: ((port 5060 or port 3868) and (not len = 70 or not len = 142 or not len = 162)) or (vlan and (port 5060 or port 3868))
still the same
On Thu, Sep 24, 2009 at 03:14:10PM +0200, ketzal devims wrote:
> Now if I do
> port 5060 or (vlan and port 5060)) or port 3868 or (vlan and port 3868))
> -> I can capture Diameter for both sides, but SIP only for responses (as
> if the first expression "port 5060" was omitted)...
Filtering for untagged as well as tagged packets is a little tricky in
tcpdump/tshark/wireshark. The thing to remember is that the word vlan in
the capture filter advances the offset into the packet by 4 bytes (the
length of the 802.1q header). The correct way to do this is to first
filter on all non-tagged frames and then filter for the tagged frames:
"(port 5060 or port 3868) or (vlan and (port 5060 or port 3868))"
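
Added example (not part of the original thread, and not libpcap's own code): a simplified Python model of the 4-byte offset shift described above, run over two constructed frames, comparing the recommended filter with the same terms written vlan-first. The frame builder, the clause representation and all function names are assumptions of this sketch; it treats the shift as applying to every primitive written after `vlan`, as the pcap-filter documentation describes.

```python
import struct

def frame(sport, dport, vlan_id=None):
    """Constructed Ethernet/IPv4/UDP frame, optionally 802.1Q-tagged."""
    eth = bytes(12)                                   # dst + src MAC
    if vlan_id is not None:
        eth += struct.pack("!HH", 0x8100, vlan_id)    # 4-byte 802.1Q header
    eth += struct.pack("!H", 0x0800)                  # EtherType IPv4
    ip = bytes([0x45]) + bytes(8) + bytes([17]) + bytes(10)  # IHL=5, UDP
    return eth + ip + struct.pack("!HHHH", sport, dport, 8, 0)

def port_at(pkt, shift, ports):
    """'port a or port b' decoded with the link header assumed 14+shift long."""
    l3 = 14 + shift
    if pkt[12 + shift:l3] != b"\x08\x00" or len(pkt) < l3 + 20:
        return False
    if pkt[l3 + 9] not in (6, 17):                    # TCP or UDP only
        return False
    l4 = l3 + (pkt[l3] & 0x0F) * 4
    if len(pkt) < l4 + 4:
        return False
    return bool(set(struct.unpack_from("!HH", pkt, l4)) & set(ports))

def matches(clauses, pkt):
    """clauses: OR-ed list of AND-ed primitives ('vlan' or a tuple of ports)."""
    shift, result = 0, False
    for clause in clauses:
        ok = True
        for prim in clause:
            if prim == "vlan":
                hit = pkt[12 + shift:14 + shift] == b"\x81\x00"
                shift += 4        # everything written after 'vlan' moves 4 bytes
            else:
                hit = port_at(pkt, shift, prim)
            ok = ok and hit
        result = result or ok
    return result

PORTS = (5060, 3868)
UNTAGGED_FIRST = [[PORTS], ["vlan", PORTS]]   # the filter recommended above
VLAN_FIRST = [["vlan", PORTS], [PORTS]]       # same terms, reordered

if __name__ == "__main__":
    for name, pkt in (("untagged SIP", frame(5060, 5060)),
                      ("tagged Diameter", frame(40000, 3868, vlan_id=100))):
        print(name, matches(UNTAGGED_FIRST, pkt), matches(VLAN_FIRST, pkt))
```

In this model the vlan-first ordering still matches the tagged frame but silently drops the untagged one, which is why the untagged terms have to come first.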