[Winpcap-users] Capturing SIP Packets
david.barnish at spanlink.com
Wed Mar 28 16:55:33 GMT 2007
We had the same issue and found no filter string to pass to the driver.
Instead, our filter looked for Ethernet packets that were either TCP or
UDP. We then needed to look at the data encapsulated in the TCP or UDP
packet and parse it to determine whether it was a SIP packet.
Our general logic for this data was this:
1. The data must be at least 9 bytes long.
2. The first line of data would contain 3 substrings delimited by a
single space character. Data lines were terminated by CR/LF characters.
3. The first substring would be a SIP command word such as "REGISTER".
(We were only looking for REGISTER messages).
4. The third substring would start with the characters "SIP/"
As an example, the first line of SIP data in a packet may look like
this: "REGISTER sip:192.168.252.138 SIP/2.0\r\n".
It is a very simple algorithm for looking for a specific type of SIP
packet. It would need to be expanded to capture all SIP packets.
If you know the IP address, port, or MAC of the device receiving the SIP
packet, you could put those into a filter to help with accuracy of your
Hope that helps.
Senior Software Engineer R&D
From: winpcap-users-bounces at winpcap.org
[mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Mesut Timur
Sent: Thursday, March 22, 2007 8:04 AM
To: winpcap-users at winpcap.org
Subject: [Winpcap-users] Capturing SIP Packets
How can I capture sip(session initiation protocol) packets with
Are there any usable keyword writing it to filter (char packet_filter
"xxx";) to capture sip packets?
Thanks for all answers.
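
The four-step payload check described in the reply above, as an added example in C (not code from the original thread). The function name is_sip_request is hypothetical, and the command word is passed as a parameter so the same check covers methods other than REGISTER. The payload is treated as untrusted, length-bounded data with no terminating NUL.

```c
#include <stddef.h>
#include <string.h>

/* Added example: classify a TCP/UDP payload using the four rules from the
 * post. The bytes come off the wire, so they are untrusted and NOT
 * NUL-terminated: every access is bounded by len.
 * Returns 1 when the first line is "<method> <uri> SIP/...", else 0. */
int is_sip_request(const unsigned char *data, size_t len, const char *method)
{
    size_t mlen = strlen(method);
    size_t eol, i, sp1 = 0, sp2 = 0, spaces = 0;

    /* Rule 1: the data must be at least 9 bytes long. */
    if (data == NULL || len < 9)
        return 0;

    /* Rule 2a: find the CR/LF that terminates the first line. */
    for (eol = 0; eol + 1 < len; eol++)
        if (data[eol] == '\r' && data[eol + 1] == '\n')
            break;
    if (eol + 1 >= len)
        return 0;               /* no line terminator in this payload */

    /* Rule 2b: exactly two single spaces, giving three substrings. */
    for (i = 0; i < eol; i++) {
        if (data[i] != ' ')
            continue;
        spaces++;
        if (spaces == 1) sp1 = i;
        else if (spaces == 2) sp2 = i;
        else return 0;          /* a fourth substring: not a request line */
    }
    if (spaces != 2 || sp1 == 0 || sp2 == sp1 + 1)
        return 0;               /* wrong count, or an empty substring */

    /* Rule 3: the first substring is the SIP command word. */
    if (sp1 != mlen || memcmp(data, method, mlen) != 0)
        return 0;

    /* Rule 4: the third substring starts with "SIP/". */
    if (eol - (sp2 + 1) < 4 || memcmp(data + sp2 + 1, "SIP/", 4) != 0)
        return 0;
    return 1;
}
```

Call it on the payload pointer and payload length left after skipping the Ethernet, IP and TCP or UDP headers of each captured packet.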