Wireshark is an open source network analysis utility that is useful for diagnosing and resolving network issues. It is especially helpful in VoIP telephony, as packet captures provide insight into the specific protocols used for internet phone calls. Wireshark can be used not only to obtain network packet captures but also to analyze existing captures. The purpose of this article is to provide an overview of the program to assist users in obtaining and interpreting packet captures.
Obtaining a Capture
To obtain a capture using Wireshark, you must ensure you have the program installed on your machine. If you do not yet have it, you can get it here for Windows/Mac: http://www.wireshark.org/download.html. If you are using Linux, please see the information here: http://www.wireshark.org/docs/wsug_html_chunked/ChapterBuildInstall.html
Once you have Wireshark installed you can apply various filters to obtain the desired information. As a rule, it is best to filter less when obtaining the capture and apply the filters when examining the capture. Limiting the filters while capturing ensures you do not miss valuable information such as RTP traffic.
To capture traffic on a Windows machine, open Wireshark and click 'Capture->Interfaces', select the interface you wish to capture on and click 'Start'. You can also click Capture->Options and experiment with the various settings.
To capture traffic on Linux, you would type the following command in the CLI: (without the tags) where -i eth1 represents the interface you wish to capture on and host represents the IP address of the traffic you wish to capture. There are many syntax options that can be used when capturing packets. For example, if you wish to capture only SIP packets for a specific telephone number, you can use (without the tags). Notice the upper-case T and F in the syntax; this is necessary, otherwise you will receive an error. The single quotes are also necessary. Note the difference from the first example, which captures on just the IP address: there are no single quotes or upper-case letters. You will have to experiment with the syntax to determine what works best for you, but as previously mentioned it is best to filter less when creating the capture and then apply the filters when reading the capture. Essentially, any filter that can be used when obtaining the capture can be used when reading it. For instance, the aforementioned sip.To/From example could be entered in the 'Filter:' text box in the Wireshark GUI to find any SIP packets to or from the specified number.
Notice that the background color of the filter is green; however, also take note that unlike the command line, the filter box does not contain the single quotes. Wireshark is intuitive enough to guide you in your filter syntax. Adding the single quotes creates a red background color to indicate the syntax is invalid:
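The following added example (it is not part of the original article, nor code from the Wireshark project) models the advice above on a constructed packet list: a narrow capture filter that keeps only the SIP signalling port silently drops the call's RTP audio, while a wide capture by host followed by a display filter equivalent to `sip.To contains "5551234"` / `sip.From contains "5551234"` still finds the call and its media. The packet contents, addresses, phone number and media port are all constructed sample values, and the filter functions are simplified analogues of Wireshark's capture and display filters, not Wireshark's own implementation.

```python
"""Capture filter vs display filter on a constructed VoIP packet list.

Added example; not code from the article or from the Wireshark project.
Shows why a narrow capture filter (only the SIP port) loses RTP, while a
wide capture plus a display filter on the called number finds everything.
"""
from dataclasses import dataclass
import re

SIP_PORT = 5060


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes  # SIP text or opaque RTP bytes (constructed sample data)


def sip_headers(payload):
    """Return {lower-cased header name: value} if payload looks like SIP, else None."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None  # binary payload (e.g. RTP) is not SIP
    lines = text.split("\r\n")
    first = lines[0]
    if not (first.endswith(" SIP/2.0") or first.startswith("SIP/2.0 ")):
        return None
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the headers; an SDP body may follow
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


# --- capture-filter analogues (decided packet by packet, on the wire) ---
def capture_filter_sip_port(pkt):
    """Like BPF 'udp port 5060': keeps signalling only, so RTP is never written."""
    return SIP_PORT in (pkt.sport, pkt.dport)


def capture_filter_host(pkt, host):
    """Like BPF 'host <ip>': keeps all traffic to or from the phone, RTP included."""
    return host in (pkt.src, pkt.dst)


# --- display-filter analogue (applied later, in the GUI 'Filter:' box) ---
def display_filter_sip_number(pkt, number):
    """Like: sip.To contains "<number>" or sip.From contains "<number>"."""
    h = sip_headers(pkt.payload)
    if h is None:
        return False
    return number in h.get("to", "") or number in h.get("from", "")


def sdp_media_port(payload):
    """Audio port announced in the INVITE's SDP body (m=audio <port> RTP/AVP ...)."""
    m = re.search(rb"^m=audio (\d+) RTP/AVP", payload, re.M)
    return int(m.group(1)) if m else None


def rtp_for_call(packets, invite):
    """Packets carrying the call's media, matched on the SDP audio port."""
    port = sdp_media_port(invite.payload)
    return [p for p in packets if p is not invite and port in (p.sport, p.dport)]


# Constructed sample capture: phone 10.0.0.5 calls 5551234 via PBX 10.0.0.1.
PHONE, PBX = "10.0.0.5", "10.0.0.1"
INVITE = (
    b"INVITE sip:5551234@10.0.0.1 SIP/2.0\r\n"
    b"From: <sip:2001@10.0.0.5>;tag=abc\r\n"
    b"To: <sip:5551234@10.0.0.1>\r\n"
    b"Call-ID: constructed-call-1\r\n"
    b"Content-Type: application/sdp\r\n"
    b"\r\n"
    b"v=0\r\nm=audio 20000 RTP/AVP 0\r\n"
)
OK200 = (b"SIP/2.0 200 OK\r\nTo: <sip:5551234@10.0.0.1>;tag=x\r\n"
         b"From: <sip:2001@10.0.0.5>;tag=abc\r\n\r\n")
RTP = b"\x80\x00" + b"\x00" * 10  # minimal RTP-like header bytes (constructed)
CAPTURE = [
    Packet(PHONE, PBX, 5060, 5060, INVITE),
    Packet(PBX, PHONE, 5060, 5060, OK200),
    Packet(PHONE, PBX, 20000, 30000, RTP),   # audio, phone -> PBX
    Packet(PBX, PHONE, 30000, 20000, RTP),   # audio, PBX -> phone
    Packet("10.0.0.9", "10.0.0.7", 443, 51000, b"unrelated tls"),
]


def analyse(packets, number):
    """Compare what survives each capture filter once the display filter is applied."""
    kept_narrow = [p for p in packets if capture_filter_sip_port(p)]
    kept_wide = [p for p in packets if capture_filter_host(p, PHONE)]
    invite = next(p for p in kept_wide
                  if display_filter_sip_number(p, number) and p.payload.startswith(b"INVITE"))
    return {
        "sip_matches_wide": sum(display_filter_sip_number(p, number) for p in kept_wide),
        "rtp_in_narrow": len(rtp_for_call(kept_narrow, invite)),  # 0: media was never captured
        "rtp_in_wide": len(rtp_for_call(kept_wide, invite)),      # 2: both audio directions
    }


if __name__ == "__main__":
    print(analyse(CAPTURE, "5551234"))
```

Run it and the narrow capture reports no RTP for the call even though the SIP dialog is intact, which is exactly the situation the article warns about. One caveat worth keeping in mind when moving between the two: capture filters (the `host` and port expressions) use BPF syntax, whereas `sip.To` and friends are display-filter fields; in tshark the former go after `-f` and the latter after `-Y`, and a display-filter field will not be accepted as a capture filter.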
...