[Winpcap-users] Capturing SIP Packets

David Barnish david.barnish at spanlink.com
Wed Mar 28 16:55:33 GMT 2007

We had the same issue and found no filter string to pass to the driver.
Instead, our filter looked for Ethernet packets that were either TCP or
UDP. We then needed to look at the data encapsulated in the TCP or UDP
packet and parse it to determine whether it was a SIP packet.

Our general logic for this data was this:
1. The data must be at least 9 bytes long.
2. The first line of data would contain 3 substrings delimited by a
single space character. Data lines were terminated by CR/LF characters.
3. The first substring would be a SIP command word such as "REGISTER".
(We were only looking for REGISTER messages).
4. The third substring would start with the characters "SIP/"

As an example, the first line of SIP data in a packet may look like
this: "REGISTER sip: SIP/2.0/r/n".
It is a very simple algorithm for looking for a specific type of SIP
packet. It would need to be expanded to capture all SIP packets.
If you know the IP address, port, or MAC of the device receiving the SIP
packet, you could put those into a filter to help with accuracy of your

Hope that helps.

Thank you,
David Barnish
Senior Software Engineer R&D
Spanlink Communications

-----Original Message-----
From: winpcap-users-bounces at winpcap.org
[mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Mesut Timur
Sent: Thursday, March 22, 2007 8:04 AM
To: winpcap-users at winpcap.org
Subject: [Winpcap-users] Capturing SIP Packets

How can I capture SIP (Session Initiation Protocol) packets with
Is there any usable keyword to write in the filter (char packet_filter[]
"xxx";) to capture SIP packets?
Thanks for all answers.
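
The four checks listed in the reply above, written as a bounds-checked C function over a raw TCP or UDP payload. This is an added example, not code from the original post or from Spanlink; the function names and the sample request line (including its placeholder URI) are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Offset of the CRLF that ends the first line, or -1 if there is none. */
static long first_line_len(const unsigned char *d, size_t len)
{
    const unsigned char *p = d, *end = d + len;
    while (p < end && (p = memchr(p, '\r', (size_t)(end - p))) != NULL) {
        if (p + 1 < end && p[1] == '\n')
            return (long)(p - d);
        p++;                      /* lone CR: keep scanning */
    }
    return -1;
}

/* Returns 1 if the payload (length-delimited, not NUL-terminated)
 * passes the four checks for a SIP REGISTER request line. */
int is_sip_register(const unsigned char *d, size_t len)
{
    static const char method[] = "REGISTER";
    const size_t mlen = sizeof(method) - 1;
    const unsigned char *uri, *sp, *ver;
    long line;
    size_t rest;

    if (d == NULL || len < 9)                            /* 1: minimum length */
        return 0;
    if ((line = first_line_len(d, len)) <= (long)mlen)   /* 2: CRLF-terminated */
        return 0;
    if (memcmp(d, method, mlen) != 0 || d[mlen] != ' ')  /* 3: command word */
        return 0;
    uri = d + mlen + 1;
    sp = memchr(uri, ' ', (size_t)line - mlen - 1);
    if (sp == NULL || sp == uri)          /* second substring missing or empty */
        return 0;
    ver = sp + 1;
    rest = (size_t)(d + line - ver);
    if (rest < 4 || memcmp(ver, "SIP/", 4) != 0)         /* 4: third substring */
        return 0;
    return memchr(ver, ' ', rest) == NULL;   /* exactly three substrings */
}

int check_str(const char *s)   /* wrapper for C-string samples */
{
    return is_sip_register((const unsigned char *)s, strlen(s));
}

int main(void)
{   /* Constructed sample, not captured traffic. */
    printf("%d\n", check_str("REGISTER sip:example.invalid SIP/2.0\r\n\r\n"));
    return 0;
}
```

Every length is derived from the captured payload length, so a payload without a CRLF or a NUL terminator is rejected without reading past the buffer.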
