sngrep
SNGREP does not recognize SIP on my Vlan over Vlan QinQ captures - any solution?
Hi, I would appreciate your help: this is my second installation of SNGREP. The first one works very well on native PCAPs, but this time the PCAPs are using remote port mirroring, so the packets are received with two VLAN encapsulations. If I use sngrep -r eth0 it cannot recognize the SIP packets. I need to manually capture with TCPDUMP and use a tool like STRIPE; then I can use sngrep offline. But the really nice usage of sngrep for me is online, to capture in real time. Do you know if there is a way to solve this challenge?
Thanks for your time.
Attachment: example of Vlan over Vlan that SNGREP cannot recognize SIP packets.docx
Hi @alaertegv
Sngrep does not support parsing two vlan headers, and the current version is only receiving bugfixes.
If you don't mind, attach a pcap (inside a zip file) to the issue with a sample dialog so we can have some data to test in future releases.
Thanks!
Hi,
Is this something that may be considered for the future? If yes I will upload an example in a bit.
Sure!
Pcaps always help for debugging and testing new features. I can check how the headers are and evaluate if this is just skipping some bytes or a more complex enhancement.
Although I will be on holidays for a couple of weeks, I'll try to check this afterwards.
Thanks!
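The "skipping some bytes" idea from the last reply, as an added example that is not part of the thread and is not sngrep's code: walk any stacked VLAN tags after the Ethernet header to find where the IP packet starts. The names `l3_offset` and `MAX_VLAN_TAGS`, the tag limit of 4, and the sample frame are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN   14  /* dst MAC + src MAC + EtherType/TPID */
#define VLAN_TAG_LEN  4   /* TCI (2 bytes) + next EtherType (2 bytes) */
#define MAX_VLAN_TAGS 4   /* assumed bound on stacked tags */

/* Constructed sample: outer 802.1ad tag (VLAN 100), inner 802.1Q tag
   (VLAN 200), EtherType IPv4, then the first byte of an IPv4 header. */
static const uint8_t qinq_frame[] = {
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,  0x02, 0x00, 0x00, 0x00, 0x00, 0x02,
    0x88, 0xa8, 0x00, 0x64,
    0x81, 0x00, 0x00, 0xc8,
    0x08, 0x00, 0x45
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

static int is_vlan_tpid(uint16_t t)
{
    /* 0x8100 = 802.1Q, 0x88a8 = 802.1ad service tag, 0x9100 = legacy QinQ */
    return t == 0x8100 || t == 0x88a8 || t == 0x9100;
}

/* Returns the offset of the layer-3 payload, or -1 if the frame is
   truncated or carries more than MAX_VLAN_TAGS tags. */
int l3_offset(const uint8_t *frame, size_t len, uint16_t *ethertype, int *tags)
{
    size_t off = ETH_HDR_LEN;
    int n = 0;
    if (len < ETH_HDR_LEN) return -1;
    uint16_t type = be16(frame + 12);
    while (is_vlan_tpid(type)) {
        if (n == MAX_VLAN_TAGS || len < off + VLAN_TAG_LEN) return -1;
        type = be16(frame + off + 2);  /* EtherType that follows this tag */
        off += VLAN_TAG_LEN;
        n++;
    }
    *ethertype = type;
    *tags = n;
    return (int)off;
}

int main(void)
{
    uint16_t type = 0; int tags = 0;
    int off = l3_offset(qinq_frame, sizeof qinq_frame, &type, &tags);
    printf("offset=%d ethertype=0x%04x tags=%d\n", off, (unsigned)type, tags);
    return 0;
}
```

A parser that assumes at most one 4-byte tag would read the inner 0x8100 as the payload EtherType on this frame and never reach the IP header.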