I’ve been using a lot of Wireshark display filters lately. When troubleshooting a 100MB capture file, setting a filter to search for the relevant packets is a huge time saver. Below are some of the common filters that I use.
1. Searches for RTP packets within a specified UDP port range that DO NOT have the DSCP field set to 46 (EF) or IP precedence set to 5.
(udp.port >=16384 and udp.port <= 32767) and not(ip.dsfield.dscp==46 or ip.tos.precedence==5)
2. Searches for RTP payload types other than G.711 (PCMU, type 0) or G.729 (type 18). Why would I need this? If you are using Cisco NBAR to match packets in a class-map, the “audio” and “video” keywords only match specific traffic. You can define payload types to match as well. For instance, DTMF is usually dynamic payload type 101, and T.38 is another dynamic payload type.
not (rtp.p_type==0 or rtp.p_type==18)
3. Searches for SIP Packets that are not sourced from UDP port 5060 or TCP port 5060.
not (udp.srcport==5060 or tcp.srcport==5060) and sip
4. Searches for SIP packets that are not destined for UDP port 5060 or TCP port 5060.
not (udp.dstport==5060 or tcp.dstport==5060) and sip
5. Searches for packets carrying a specific MPLS label (123123 here) whose EXP bits are not set to 5.
mpls.label==123123 and not mpls.exp==5
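To make filters 1 and 2 concrete, here is an added example (my own code, not part of the original post) that decodes the fields those filters reference from a raw IPv4/UDP/RTP packet and evaluates the same predicates in Python. The packets are constructed inline rather than taken from a capture; note that, as in Wireshark, a comparison on udp.port is true if either the source or the destination port satisfies it.

```python
import struct

EF_DSCP, VOICE_PREC = 46, 5          # markings that filter 1 accepts
STD_AUDIO_PT = {0, 18}               # PCMU and G.729 (filter 2)

def decode(pkt: bytes) -> dict:
    """Pull the fields the filters reference out of a raw IPv4/UDP/RTP frame."""
    ihl = (pkt[0] & 0x0F) * 4
    tos = pkt[1]
    if pkt[9] != 17:
        raise ValueError("not UDP")
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    rtp = pkt[ihl + 8:]
    return {"dscp": tos >> 2,            # ip.dsfield.dscp: top six bits
            "prec": tos >> 5,            # ip.tos.precedence: top three bits
            "ports": (sport, dport),     # udp.port occurs twice per packet
            "pt": rtp[1] & 0x7F}         # rtp.p_type: low seven bits of byte 1

def rtp_range_unmarked(f: dict) -> bool:
    """Filter 1. Each comparison is true if ANY udp.port occurrence satisfies it
    (Wireshark's multi-occurrence semantics), so 5060 -> 40000 also matches,
    which is not what the range check is usually meant to express."""
    in_range = (any(p >= 16384 for p in f["ports"])
                and any(p <= 32767 for p in f["ports"]))
    return in_range and not (f["dscp"] == EF_DSCP or f["prec"] == VOICE_PREC)

def non_standard_audio(f: dict) -> bool:
    """Filter 2: payload types other than G.711u (0) and G.729 (18)."""
    return f["pt"] not in STD_AUDIO_PT

def build(tos: int, sport: int, dport: int, pt: int) -> bytes:
    """Construct a minimal IPv4/UDP/RTP packet (sample data, not from a capture)."""
    rtp = bytes([0x80, pt]) + struct.pack("!HII", 1, 160, 0x1234ABCD)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(rtp), 0) + rtp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + udp

if __name__ == "__main__":
    for tos, sp, dp, pt in [(0xB8, 20000, 20002, 0),    # EF-marked G.711: clean
                            (0x00, 20000, 20002, 0),    # unmarked RTP: filter 1 hits
                            (0x00, 20000, 20002, 101),  # DTMF events: filter 2 hits
                            (0x00, 5060, 40000, 0)]:    # outside range, still hits
        f = decode(build(tos, sp, dp, pt))
        print(sp, dp, f["dscp"], rtp_range_unmarked(f), non_standard_audio(f))
```

If the any-occurrence behaviour matters for your capture, filter on udp.srcport and udp.dstport separately instead of udp.port.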