> You could try the mailing list archives, where almost this exact
> question was asked and answered a week before you asked it.

In particular, the question "Are there any known extensions to tcpdump to
parse and display SIP (udp/tcp) packets?" was asked in

        http://www.tcpdump.org/lists/workers/2001/04/msg00090.html

and the reply (which implicitly answered "no", but mentioned a Perl
script to process the output of "tcpdump -x", and suggested how one
might dissect text-based protocols such as HTTP and SIP) was in

        http://www.tcpdump.org/lists/workers/2001/04/msg00097.html

from the April 2001 archives:

        http://www.tcpdump.org/lists/workers/2001/04/maillist.html

As for the rest of his questions:

> could someone tell me why tcpdump was not extended for http and sip

The answer is presumably "because nobody bothered doing it".

> and if it can be extended, which would be the appropriate header files
> to change!  

The header files that would declare the functions added by the changes,
or that would define macros/etc. used by the functions added by the
changes.

I.e., the change isn't just a matter of tweaking some header files; the
bulk of the changes will be to .c files, not to .h files.

See Bill's reply in

        http://www.tcpdump.org/lists/workers/2001/04/msg00097.html

for some suggestions on how one might implement dissection of text-based
protocols such as HTTP and SIP (or FTP or SMTP or...).  Note that, by
default, you should *not* print the entire packet; traditionally,
tcpdump has printed, by default, only one line per packet, summarizing
the packet.

The standard behavior should perhaps just print the first line (e.g.,
the request or reply line in HTTP), and with some other option it'd
print the full data.  (For example, the SMB dissector used to print
a detailed multiple-line dissection; it now does so only if "-vv" was
specified, i.e. if the "vflag" variable is 2 or greater; the HTTP and
SIP dissectors should perhaps do the same.)
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
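The default-summary versus "-vv" full-dump behaviour described above, written out as an added standalone C example (not tcpdump's code and not from the message): it prints a text protocol's start line by default and every line only when `vflag` is 2 or greater. Here `vflag` is a plain parameter standing in for tcpdump's global, the HTTP/SIP start-line test is an assumed minimal one, and a payload cut short by the snaplen or containing non-printable bytes is handled rather than trusted.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Length of the first line of a payload, excluding its CR/LF terminator.
 * A payload with no line ending (e.g. cut short by the snaplen) yields len. */
size_t first_line_len(const unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (p[i] == '\n')
            return (i > 0 && p[i - 1] == '\r') ? i - 1 : i;
    return len;
}

/* Assumed minimal start-line check: "HTTP/" or "SIP/" as the first field
 * (status line) or as the third space-separated field (request line). */
int is_http_or_sip_start_line(const unsigned char *p, size_t len)
{
    size_t n = first_line_len(p, len);
    if ((n >= 5 && memcmp(p, "HTTP/", 5) == 0) ||
        (n >= 4 && memcmp(p, "SIP/", 4) == 0))
        return 1;
    const unsigned char *sp1 = memchr(p, ' ', n);
    if (sp1 == NULL) return 0;
    const unsigned char *sp2 = memchr(sp1 + 1, ' ', n - (size_t)(sp1 + 1 - p));
    if (sp2 == NULL) return 0;
    size_t rest = n - (size_t)(sp2 + 1 - p);
    return (rest >= 5 && memcmp(sp2 + 1, "HTTP/", 5) == 0) ||
           (rest >= 4 && memcmp(sp2 + 1, "SIP/", 4) == 0);
}
/* Print one summary line by default and every line only when vflag >= 2
 * (what "-vv" sets in tcpdump). Non-printable bytes are escaped so a
 * crafted payload cannot drive the terminal. Returns lines printed. */
int print_text_payload(const unsigned char *p, size_t len, int vflag)
{
    int lines = 0;
    while (len > 0) {
        size_t n = first_line_len(p, len);
        for (size_t i = 0; i < n; i++)
            if (isprint(p[i])) putchar(p[i]); else printf("\\x%02x", p[i]);
        putchar('\n');
        lines++;
        if (vflag < 2) break;
        size_t skip = n;                       /* line plus its CR/LF */
        if (skip < len && p[skip] == '\r') skip++;
        if (skip < len && p[skip] == '\n') skip++;
        p += skip; len -= skip;
    }
    return lines;
}
```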