I have a capture of a VoIP call showing lots of dropped packets due to jitter and wrong time stamps that occur only at the very beginning of the call - according to the WS Player - and have figured out the cause (too many packets hitting at once for the router to handle). The packets in question are the SIP "Notify" ones with <state>early<state>\n in the "Message Body". When I build a filter on most of those packets I get this

frame[714:21] == 3c:73:74:61:74:65:3e:65:61:72:6c:79:3c:2f:73:74:61:74:65:3e:0a

on others I will get this

frame[713:21] == 3c:73:74:61:74:65:3e:65:61:72:6c:79:3c:2f:73:74:61:74:65:3e:0a

or

frame[715:21] == 3c:73:74:61:74:65:3e:65:61:72:6c:79:3c:2f:73:74:61:74:65:3e:0a

The only difference being at the beginning.

asked 27 May '12, 06:51 EricKnaus
2 Answers:
It would probably require a code change as you want to filter on the body content. What is the Content-Type: something XML? If so it's easy to add it to the xml dissector.

answered 27 May '12, 08:49 Anders ♦
Can you please try one of these filters (depends on the protocol):
more general
Change the HEX string to whatever you need.

Regards

answered 27 May '12, 12:22 Kurt Knochner ♦ edited 27 May '12, 12:28
Thanks - I think this is what you are asking about
\n
If this is it, great although I have never done anything to the dissectors.
"<?xml version="1.0"?>\n"
No, as an example, when the body contains SDP there is this line: Content-Type: application/sdp. What is the Content-Type: in your case?
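
Added example, not part of the original thread: a Python sketch of why the fixed-offset filters in the question match only some NOTIFY packets, and of matching the same 21 bytes wherever they fall in the message body while also reading the Content-Type header asked about above. The SIP payloads, the `application/dialog-info+xml` Content-Type and all function names are constructed assumptions, and offsets are counted from the start of the SIP payload rather than the start of the frame.

```python
# Byte string from the question: "<state>early</state>\n" (21 bytes).
PATTERN = bytes.fromhex("3c73746174653e6561726c793c2f73746174653e0a")

def build_notify(call_id: bytes) -> bytes:
    """Constructed SIP NOTIFY; a longer Call-ID pushes the body further back."""
    body = (b'<?xml version="1.0"?>\n'
            b'<dialog-info xmlns="urn:ietf:params:xml:ns:dialog-info">\n'
            b'<dialog id="1">\n<state>early</state>\n</dialog>\n</dialog-info>\n')
    head = (b"NOTIFY sip:100@192.0.2.10 SIP/2.0\r\n"
            b"Call-ID: " + call_id + b"\r\n"
            b"Event: dialog\r\n"
            b"Content-Type: application/dialog-info+xml\r\n"  # assumed value
            b"Content-Length: " + str(len(body)).encode() + b"\r\n")
    return head + b"\r\n" + body

def inspect(payload: bytes):
    """Return (first token of start line, Content-Type or None, pattern offset or -1)."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].decode()
    ctype = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() in (b"content-type", b"c"):  # "c" = compact form
            ctype = value.strip().decode()
    idx = body.find(PATTERN)  # search the body only, at any offset
    offset = -1 if idx < 0 else len(head) + len(sep) + idx
    return method, ctype, offset

def fixed_offset_match(payload: bytes, offset: int) -> bool:
    """Equivalent of a slice filter such as frame[714:21] == <bytes>."""
    return payload[offset:offset + len(PATTERN)] == PATTERN

def early_notifies(payloads):
    """Indexes of NOTIFY messages whose body contains the pattern."""
    hits = []
    for i, p in enumerate(payloads):
        method, _, offset = inspect(p)
        if method == "NOTIFY" and offset >= 0:
            hits.append(i)
    return hits

# Constructed samples: three NOTIFYs whose headers differ by one byte each,
# plus a response with no body.
SAMPLES = [build_notify(b"a1"), build_notify(b"a12"), build_notify(b"a123"),
           b"SIP/2.0 200 OK\r\nCall-ID: a1\r\nContent-Length: 0\r\n\r\n"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(inspect(p))
    print("early NOTIFY indexes:", early_notifies(SAMPLES))
```
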