Hi,
I think I have a problem with a layer 7 regex for a SIP REGISTER packet.
Here is my example:
Session Initiation Protocol (REGISTER)
Request-Line: REGISTER sip:example.com:5060 SIP/2.0
Method: REGISTER
Request-URI: sip:example.com:5060
Request-URI Host Part: example.com
Request-URI Host Port: 5060
[Resent Packet: True]
[Suspected resend of frame: 237]
Message Header
Via: SIP/2.0/UDP 192.168.88.82:51125;branch=z9hG4bK-d8754z-18289b424d0f7642-1---d8754z-;rport
Max-Forwards: 70
Contact: sip:123@192.168.88.82:51125;rinstance=17f5f3d186743d30
To: "kamil"<sip:123@example.com:5060>
From: "kamil"<sip:123@example.com:5060>;tag=e351b838
Call-ID: MzgzNjMxN2ZkODM4ZDE5ZGE1OTI3NzdmNzU3ZmZmMGM.
[Generated Call-ID: MzgzNjMxN2ZkODM4ZDE5ZGE1OTI3NzdmNzU3ZmZmMGM.]
CSeq: 1 REGISTER
Expires: 120
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REGISTER, SUBSCRIBE, NOTIFY, REFER, INFO, MESSAGE
Supported: replaces
User-Agent: 3CXPhone 6.0.26523.0
Content-Length: 0
I can use a simple regex for matching a few words, for example: "sip:example.com:5060". But I cannot match the whole "To" line - "To: "kamil"<sip:123@example.com:5060>".
I think this isn't a problem with packet size. Wireshark is showing a length of 610.
I know there are better solutions for filtering SIP signaling, like Asterisk for example, but I want to learn layer 7 and this SIP packet is just an example. I also tested some SIP regex examples and they are working fine; I just don't know why I cannot filter this packet by the "To" line. This SIP REGISTER pcap is in the attachment.
Thank you.
sip.zip (896 Bytes)