[SIPForum-discussion] Wireshark Display Filter

• Previous message: [SIPForum-discussion] Wireshark Display Filter
• Next message: [SIPForum-discussion] Wireshark Display Filter
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

you can do this a number of ways;

ip.addr==a.b.c.d && udp.port == 52560


or you can use ;

ip.addr==a.b.c.d && rtp.ssrc== [ssrc number associated with the call]


what I would use is prob the ip src so I src is only displayed.

ip.src==a.b.c.d && udp.port==52560


good luck ;)
Chris


On Tue, Oct 15, 2013 at 11:28 AM, Tim Garey <tim.garey at myfairpoint.net>wrote:

>  I have a large pcap file with about 7 active calls.  I can see on one
> particular call there is a problem and****
>
> need  to find out when in the trace the RTP stream ends for this call. I
> have identified where it starts****
>
> and ports being used, but it seems nearly impossible to find where it ends
> as the source/dest addresses****
>
> are the same for all calls.****
>
> ** **
>
> Is there a way to create a  Wireshark display filter to show only the RTP
> stream with port = 52560 to IP-address1.****
>
> This would help greatly in troubleshooting****
>
> ** **
>
> Thanks.****
>
> ** **
>
> _______________________________________________
> This is the SIP Forum discussion mailing list
> TO UNSUBSCRIBE, or edit your delivery options, please visit
> http://sipforum.org/mailman/listinfo/discussion
> Post to the list at discussion at sipforum.org
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://sipforum.org/pipermail/discussion/attachments/20131015/86ca2f0e/attachment-0002.html>

• Previous message: [SIPForum-discussion] Wireshark Display Filter
• Next message: [SIPForum-discussion] Wireshark Display Filter
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]