This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture filter generated with String-Matching Capture Filter Generator doesn’t work

0

Hi all, I am trying to collect a specific audio codec call on both sides of a SBC. Only a few calls are establishe with AMR (payload 96) while all others are established with G.729. I used String-Matching Capture Filter Generator:

  1. Enter the string you want to match sip || rtp.p_type == 96

  2. Enter the offset from the start of the TCP data 0

  3. Copy the filter below

tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x73697020 && tcp[((tcp[12:1] & 0xf0) >> 2) + 4:4] = 0x7c7c2072 && tcp[((tcp[12:1] & 0xf0) >> 2) + 8:4] = 0x74702e70 && tcp[((tcp[12:1] & 0xf0) >> 2) + 12:4] = 0x5f747970 && tcp[((tcp[12:1] & 0xf0) >> 2) + 16:4] = 0x65203d3d && tcp[((tcp[12:1] & 0xf0) >> 2) + 20:2] = 0x2039 && tcp[((tcp[12:1] & 0xf0) >> 2) + 22:1] = 0x36

but filter doesn't work as expected. Could you please advice ?

thanks in advance

asked 01 Jun '15, 06:24

michele's gravatar image

michele
1111
accept rate: 0%

edited 01 Jun '15, 17:30

JeffMorriss's gravatar image

JeffMorriss ♦
6.2k572

One Answer:

2

I think the problem is, that the generator is a String-Matching generator, meaning: it builds capture filters that look for strings, not display filter expressions. Or, in other words: it does not turn display filters into capture filters. So what you're doing is looking for the string "sip || rtp.ptype == 96" inside the packets, not for rtp-p_type being 95 and the protocol being sip.

answered 01 Jun '15, 06:31

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 01 Jun '15, 06:32