Wireshark can capture, display and analyze packets from the network.
Information on Lua can be found at http://en.wikipedia.org/wiki/Lua_(programming_language) or in the Wireshark User's Guide. By default Lua is disabled; it can be enabled by editing the init.lua file in the Wireshark global configuration directory and changing disable_lua from true to false. When Wireshark starts with Lua enabled, it then also runs the init.lua file from the user's personal configuration directory.
The full list of protocols can be found
Footnotes to the capture media table:
1. Linux Affix Bluetooth stack only.
2. PPP non-control frames only.
3. Latest libpcap CVS required.
4. On some platforms: WLAN non-control frames only, with fake Ethernet headers, and only traffic to and from the machine doing the capturing.
5. Windows does not have a UNIX-style loopback interface.
In this architecture the PC where Wireshark is installed is assumed to run the multimedia software as well. That can be a softphone such as eConf from France Telecom, SJPhone (an Asterisk-based softphone), IP Softphone 6.x from Avaya, etc. Or the computer is third-party equipment that sends commands to, or receives information from, another network element directly involved in the call. That may be the case where a web interface manages the gateway, the SIP proxy, the multimedia system, etc.
We are assuming that we want to capture signaling and/or RTP packets from the multimedia equipment.
On a hub (shared medium) all packets can be observed: unicasts to other stations as well as to ours, multicasts and broadcasts.
On a switch, unicast packets not directed to our station cannot be seen.
Most medium-priced Ethernet switches support port mirroring/copying. When port mirroring is configured from one switch port (the source) to another (the destination), packets going to and from the source port also appear on the destination port. The reverse is NOT true!! In sophisticated networks it is even possible to see all the traffic of one port or VLAN on a port of another switch, not necessarily the same one. Cisco has that; Cisco calls port copying SPAN ("spanning"). See http://wiki.wireshark.org/SwitchReference
In fact, after choosing an interface from the background of the picture above and then stopping the capture, you get a small window for choosing the same or another interface.
By clicking Capture > Interfaces or Capture > Options in the Capture menu you choose the interface from which to collect packets. There are some important fields here.
"Capture packets in promiscuous mode": if this is not ticked you will only see packets specifically addressed to your computer, unless another process on your computer has already put the interface into promiscuous mode.
Display options:
Update list of packets in real time: packets are displayed while capturing. If not ticked, packets become visible in Wireshark only after the capture is stopped.
Automatic scrolling in live capture: when ticked, the packet list scrolls to the last captured packet automatically.
Hide capture info dialog: leave this unticked and you already see some statistics while capturing: the percentage of specific protocols in the capture, the total number of captured packets, etc.
While capturing, packets are stored in a small buffer. It is possible to save packets while capturing, in a single file or in multiple files by limiting the size of each file. Capturing starts when you press Start.
From the main Wireshark window choose Edit > Preferences. Some useful fields: Time format. Normally it is relative: the first packet arrives at 0.000 seconds. You can choose absolute time instead, or one packet's arrival can serve as a REFERENCE from which all other packets' arrival times are recomputed.
Some protocols have no default port numbers and/or are not recognized automatically, so we need to tell Wireshark how to parse them.
The display above was obtained from a previously captured file. It is sorted by source address, which is achieved by clicking on the "Source" column header. Other orderings can also be used; I advise playing with that.
Compound filters are built by combining simple filters with logical operators such as "and" and "or".
You do not need to know the exact syntax of the filter expression; the Wireshark GUI helps you with that. When you click the "Expression" button, a new window as shown above opens. By clicking the "+" sign of the relevant protocol, all its available fields appear and you can easily build the filter you want. As with typing a classical filter, the last thing to do is to press "Apply" to see packets displayed according to your filter. You can filter the display in real time while collecting, and over a capture file. In real time you might get the wrong impression that it is also capturing according to that filter. That is not true!!
The filter above, when activated, shows only the H.245 packets among all the captured packets.
The lines you see in the filter window are the filters already defined. If we want to define a new filter and save it:
1- Click New
2- Type the name of the filter (free text)
3- Type the filter string
4- Click OK
Now the filter is saved. Next time the filter Edit/Apply button is clicked, the name of this filter will also appear in the filter names window. Choosing any filter and then clicking Apply activates that filter.
Among the filter operators the most interesting is the substring (slice) operator, which has a couple of formats:
[n:m] Here n is the start offset into the field and m is the length of the substring. For example eth.src[0:3] == 00:00:83 matches packets whose source MAC address has the first three bytes as above.
[n-m] Here n is the start offset and m is the end offset (inclusive). A filter equivalent to the one above in this syntax is eth.src[0-2] == 00:00:83.
This type of filter can be very useful if you need to select packets from/to the NICs of a specific company's products (the first three bytes of a MAC address identify the vendor).
Another simple example: (ip.src == 10.0.0.1) and (ip.dst == 10.0.0.3)
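The following is an added example, not code from the original slides or from the Wireshark project: a miniature evaluator for the two slice notations just described ([n:m] and [n-m]) and for simple "and"/"or" compounds, run over a few constructed frames. It exists only to make the semantics visible side by side (for instance that eth.src[0:3] and eth.src[0-3] cover different numbers of bytes); the field set, the frames and the MAC addresses are all constructed for the example, and Wireshark's real display-filter engine is far larger than this.

```python
"""Added example (not code from the original slides): a miniature evaluator
for the Wireshark display-filter forms discussed above, i.e. byte slices
such as eth.src[0:3] == 00:00:83 and eth.src[0-2] == 00:00:83, and simple
"and"/"or" compounds such as (ip.src == 10.0.0.1) and (ip.dst == 10.0.0.3).
It runs over constructed frames so the two slice notations can be compared."""
import re
from dataclasses import dataclass


@dataclass
class Frame:
    """Constructed frame holding only the fields the sample filters use."""
    name: str
    eth_src: bytes
    eth_dst: bytes
    ip_src: str
    ip_dst: str


# Map Wireshark field names to Frame attributes (a small subset, for this example).
FIELDS = {"eth.src": "eth_src", "eth.dst": "eth_dst",
          "ip.src": "ip_src", "ip.dst": "ip_dst"}

# Constructed sample traffic; 00:00:83 is the vendor prefix used in the slides.
SAMPLE_FRAMES = [
    Frame("A", bytes.fromhex("000083aabbcc"), bytes.fromhex("001b21ddeeff"),
          "10.0.0.1", "10.0.0.3"),
    Frame("B", bytes.fromhex("001b21ddeeff"), bytes.fromhex("000083aabbcc"),
          "10.0.0.3", "10.0.0.1"),
    Frame("C", bytes.fromhex("000083112233"), bytes.fromhex("ffffffffffff"),
          "10.0.0.1", "10.0.0.255"),
]


def take_slice(data: bytes, spec: str) -> bytes:
    """[n:m] = offset n, length m;  [n-m] = offsets n..m inclusive."""
    m = re.fullmatch(r"(\d+):(\d+)", spec)
    if m:
        start, length = int(m.group(1)), int(m.group(2))
        return data[start:start + length]
    m = re.fullmatch(r"(\d+)-(\d+)", spec)
    if m:
        start, end = int(m.group(1)), int(m.group(2))
        return data[start:end + 1]
    raise ValueError(f"unsupported slice syntax: [{spec}]")


def parse_byte_literal(text: str) -> bytes:
    """Turn a colon-separated hex literal such as 00:00:83 into bytes."""
    return bytes(int(octet, 16) for octet in text.split(":"))


# One comparison: optional parentheses, field, optional [slice], '==', literal.
TERM = re.compile(r"^\s*\(?\s*([a-z.]+)(?:\[([^\]]+)\])?\s*==\s*([0-9a-fA-F:.]+)\s*\)?\s*$")


def eval_term(term: str, frame: Frame) -> bool:
    """Evaluate a single 'field[slice] == literal' comparison against one frame."""
    m = TERM.match(term)
    if not m:
        raise ValueError(f"cannot parse term: {term!r}")
    field, spec, literal = m.groups()
    if field not in FIELDS:
        raise ValueError(f"unknown field: {field}")
    value = getattr(frame, FIELDS[field])
    if isinstance(value, bytes):            # MAC fields: compare (sliced) bytes
        if spec:
            value = take_slice(value, spec)
        return value == parse_byte_literal(literal)
    if spec:
        raise ValueError("slices are only supported on byte fields here")
    return value == literal                  # IPv4 fields: compare as dotted text


def eval_filter(expr: str, frame: Frame) -> bool:
    """Compound filter: 'and' binds tighter than 'or', as in Wireshark."""
    return any(all(eval_term(t, frame) for t in re.split(r"\s+and\s+", group))
               for group in re.split(r"\s+or\s+", expr))


def matching_frames(expr: str, frames=SAMPLE_FRAMES) -> list:
    """Names of the frames a display filter would leave visible."""
    return [f.name for f in frames if eval_filter(expr, f)]


if __name__ == "__main__":
    for expr in ("eth.src[0:3] == 00:00:83",
                 "eth.src[0-2] == 00:00:83",
                 "(ip.src == 10.0.0.1) and (ip.dst == 10.0.0.3)",
                 "eth.dst == ff:ff:ff:ff:ff:ff or ip.dst == 10.0.0.1"):
        print(f"{expr:55s} -> {matching_frames(expr)}")
```

Running it shows that the [0:3] and [0-2] forms select exactly the same frames (A and C, the two with the 00:00:83 prefix), while the "and" compound keeps only frame A; take_slice makes the off-by-one trap explicit, since [0:3] yields three bytes but [0-3] yields four.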
When you click the capture filter icon you get a small window. If you want to configure a new capture filter, click the "New" button. By default both the name of the capture filter and the filter string are "new". Change the name of the capture filter and enter a capture filter string as will be explained. If some capture filters are already defined, as in the picture above, simply choose one and do whatever editing you want. At this stage you have only saved the new filter.
If we click on the new1 filter the ASCII text of the filter also appears. In this example we are interested in capturing packets from/to IP address 192.168.122.123.
Choose Statistics > VoIP, click one of the streams in the new window and then Graph. In the graph, clicking on any SIP message takes you to that packet.
The delay and jitter values are all computed relative to the sending station's timestamps at the capture point, not end to end from source to destination. To measure that we would need to capture and buffer packets at both the source and the destination.
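As an added example, not code from the original slides or from Wireshark, the block below carries the point above through in numbers. It computes the interarrival jitter of RFC 3550 (the quantity an RTP stream analysis derives from the sender's RTP timestamps and the arrival times at a single capture point) for two constructed captures of the same stream, one next to the sender and one next to the receiver, and then shows the one-way delay that only becomes available when both captures are matched packet by packet. The packet data, the 8000 Hz clock and the assumption that both capture clocks are synchronized are all constructed for the example.

```python
"""Added example (not code from the original slides): RFC 3550 interarrival
jitter, as computed from a capture taken at one point in the network, and the
one-way delay that needs captures at both source and destination.
All packet data below is constructed."""
from dataclasses import dataclass


@dataclass
class RtpPacket:
    seq: int         # RTP sequence number
    timestamp: int   # RTP timestamp in clock ticks (8000 Hz G.711: 20 ms = 160 ticks)
    arrival_us: int  # time the packet was seen at the capture point, microseconds


# Constructed: what a capture next to the SENDER sees; evenly spaced, nothing lost yet.
SENDER_CAPTURE = [RtpPacket(seq, 160 * (seq - 1), 20_000 * (seq - 1))
                  for seq in range(1, 7)]

# Constructed: the same stream captured at the RECEIVER; seq 4 was lost on the
# way and the spacing is uneven, so the jitter estimate moves.
RECEIVER_CAPTURE = [
    RtpPacket(1, 0, 30_000),
    RtpPacket(2, 160, 50_000),
    RtpPacket(3, 320, 75_000),
    RtpPacket(5, 640, 108_000),
    RtpPacket(6, 800, 130_000),
]


def analyze_stream(packets, clock_rate=8000):
    """Per-stream statistics from a single capture point.

    Jitter follows RFC 3550 section 6.4.1, with R the arrival time and S the
    RTP timestamp, both in clock ticks:
        D(i,j) = (R_j - R_i) - (S_j - S_i)
        J_i    = J_{i-1} + (|D(i-1,i)| - J_{i-1}) / 16
    Assumes no reordering and no sequence-number wraparound (true for the sample).
    """
    if len(packets) < 2:
        raise ValueError("need at least two packets")
    jitter_ticks = 0.0
    deltas_ms, jitters_ms = [], []
    lost = 0
    prev = packets[0]
    for pkt in packets[1:]:
        lost += pkt.seq - prev.seq - 1
        arrival_ticks = (pkt.arrival_us - prev.arrival_us) * clock_rate / 1_000_000
        d = arrival_ticks - (pkt.timestamp - prev.timestamp)
        jitter_ticks += (abs(d) - jitter_ticks) / 16
        deltas_ms.append((pkt.arrival_us - prev.arrival_us) / 1000)
        jitters_ms.append(jitter_ticks * 1000 / clock_rate)
        prev = pkt
    return {
        "packets": len(packets),
        "lost": lost,
        "max_delta_ms": max(deltas_ms),
        "max_jitter_ms": max(jitters_ms),
        "jitter_ms": jitters_ms,
    }


def one_way_delay_ms(src_capture, dst_capture):
    """Match packets by sequence number across two captures (clocks assumed in sync)."""
    dst_by_seq = {p.seq: p for p in dst_capture}
    return {p.seq: (dst_by_seq[p.seq].arrival_us - p.arrival_us) / 1000
            for p in src_capture if p.seq in dst_by_seq}


if __name__ == "__main__":
    print("sender side  :", analyze_stream(SENDER_CAPTURE))
    print("receiver side:", analyze_stream(RECEIVER_CAPTURE))
    print("one-way delay:", one_way_delay_ms(SENDER_CAPTURE, RECEIVER_CAPTURE))
```

The sender-side capture reports zero jitter and no loss, because relative to the sender's own timestamps nothing has happened yet; the receiver-side capture of the very same packets reports one lost packet and a jitter that has grown to about 0.81 ms. Neither capture on its own says how long a packet took to cross the network; that figure (28 to 35 ms here) appears only when the two captures are combined.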
Wireshark Basics, Moshe Haviv, January 2010.