[Winpcap-users] Capturing SIP Packets

David Barnish david.barnish at spanlink.com
Wed Mar 28 16:55:33 GMT 2007


We had the same issue and found no filter string to pass to the driver.
Instead, our filter looked for Ethernet packets that were either TCP or
UDP. We then needed to look at the data encapsulated in the TCP or UDP
packet and parse it to determine whether it was a SIP packet.

Our general logic for this data was this:
1. The data must be at least 9 bytes long.
2. The first line of data would contain 3 substrings delimited by a
single space character. Data lines were terminated by CR/LF characters.
3. The first substring would be a SIP command word such as "REGISTER".
(We were only looking for REGISTER messages).
4. The third substring would start with the characters "SIP/"

As an example, the first line of SIP data in a packet may look like
this: "REGISTER sip:192.168.252.138 SIP/2.0\r\n".
It is a very simple algorithm for looking for a specific type of SIP
packet. It would need to be expanded to capture all SIP packets.
If you know the IP address, port, or MAC of the device receiving the SIP
packet, you could put those into a filter to help with accuracy of your
algorithm.

Hope that helps.


Thank you,
David Barnish
 
Senior Software Engineer R&D
Spanlink Communications


-----Original Message-----
From: winpcap-users-bounces at winpcap.org
[mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Mesut Timur
Sent: Thursday, March 22, 2007 8:04 AM
To: winpcap-users at winpcap.org
Subject: [Winpcap-users] Capturing SIP Packets

How can I capture SIP (Session Initiation Protocol) packets with
winpcap?
Is there any usable keyword to write into the filter
(char packet_filter[] = "xxx";) to capture SIP packets?
Thanks for all answers.
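
The first-line check described in David Barnish's reply above, written out in C as an added example (not code from the thread or from Spanlink). The function name `sip_is_request` and the sample payload are constructed for illustration; the method is a parameter, so the check covers more than the REGISTER-only case in the reply.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 if a TCP/UDP payload (not NUL-terminated)
 * begins with a SIP request line for `method`, otherwise 0. */
int sip_is_request(const unsigned char *data, size_t len, const char *method)
{
    size_t mlen = strlen(method), eol, sp2 = 0, i;

    /* Rule 1: the data must be at least 9 bytes long. */
    if (data == NULL || len < 9)
        return 0;
    /* Rule 2: the first line ends at the first CR/LF pair. */
    for (eol = 0; eol + 1 < len; eol++)
        if (data[eol] == '\r' && data[eol + 1] == '\n')
            break;
    if (eol + 1 >= len)
        return 0;                 /* no line terminator in this payload */
    /* Rule 3: first substring is the command word, then a single space. */
    if (eol <= mlen || memcmp(data, method, mlen) != 0 || data[mlen] != ' ')
        return 0;
    /* Rule 2: exactly one more space, so the line has three substrings. */
    for (i = mlen + 1; i < eol; i++) {
        if (data[i] != ' ')
            continue;
        if (sp2 != 0)
            return 0;             /* a fourth substring */
        sp2 = i;
    }
    if (sp2 == 0 || sp2 == mlen + 1)
        return 0;                 /* missing or empty second substring */
    /* Rule 4: third substring starts with "SIP/". */
    return eol - (sp2 + 1) >= 4 && memcmp(data + sp2 + 1, "SIP/", 4) == 0;
}

int main(void)
{
    /* Constructed sample payload, modelled on the first line quoted above. */
    const char *pkt = "REGISTER sip:192.168.252.138 SIP/2.0\r\nCSeq: 1 REGISTER\r\n\r\n";
    printf("%d\n", sip_is_request((const unsigned char *)pkt, strlen(pkt), "REGISTER"));
    return 0;
}
```

In a capture callback, `data` and `len` would be the bytes that follow the TCP or UDP header of each packet that passed the driver filter.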
