Packet Capturing with Wireshark

Michael Luo
htluo@cisco.com
© 2006 Cisco Systems, Inc. All rights reserved.   1
Wireshark

                       www.wireshark.org
                       Used to be called “Ethereal”
                       Free / Open Source
                       Multi-platform: Windows (x86, x64), Mac OS, Linux
                       Has a “portable” version (for USB drive)
                       Depends on WinPcap (www.winPcap.org)
                               – A Windows packet capture library
                               – Wireshark can’t capture if WinPcap is not installed
                                 (properly)
                               – WinPcap is included in the Wireshark installation package
                                 and is installed by default
                               – Current Windows releases of Wireshark ship Npcap instead
                                 of WinPcap; the same dependency applies
                       The most popular open source sniffer
Interface to Capture

                       If you have multiple interfaces (network adapters), make
                        sure you capture on the right interface
                               – Wired LAN vs. Wireless LAN
                               – Soft VPN adapter vs. physical interface
                       You may list all interfaces from
                               – Menu “Capture > Interfaces”
                               – Toolbar “List the available interfaces” (1st icon)
                       “Options” button to set capture options, such as the capture
                        filter
                       “Details” button to view interface details, such as the MAC
                        address
                       The “Start” button is rarely used, because the capture can be
                        started from within the “Options” window
Filters

                       Capture Filter
                               – Capture only the packets you are interested in
                               – Applied before packets are written, so anything it
                                 excludes is gone for good. Use carefully: if not sure,
                                 don’t use any capture filter
                       Display Filter
                               – Display only the packets you are interested in
                               – Safe to use because the captured data stays intact.
                                 You may clear the filter later to view all data
                       The syntax is different between capture and display filters
                               – Capture filters use BPF / tcpdump syntax (host, port, not)
                               – Display filters use Wireshark field names (ip.addr==,
                                 tcp.port==)
Capture Filter

                       Traffic from/to a specific IP address
                               – host 192.168.1.100
                       Traffic from/to multiple IP addresses
                               – host 192.168.1.100 or 192.168.1.101
                       HTTP traffic (by port number, not by protocol decoding)
                               – port 80
                       non-HTTP traffic
                               – not port 80
                       non-HTTP and non-SMTP traffic from/to www.cisco.com
                               – not port 80 and not port 25 and host
                                 www.cisco.com
                               – A host name is resolved once, when the filter is
                                 compiled (every address it resolves to at that moment
                                 is included); a later DNS change is not followed
                       More details: http://wiki.wireshark.org/CaptureFilters
Capture Filter cont.

                       A capture filter is usually used to exclude unwanted packets
                       For example, if you are doing the packet capture in a remote
                        desktop (RDP) session, you probably don’t want the
                        RDP packets.
                               – not tcp port 3389
                       If you are doing the packet capture in a Webex session,
                        there’s no easy way to exclude the Webex packets
                               – You cannot simply exclude HTTP packets. If the
                                 application you’re troubleshooting uses HTTP
                                 (such as AXL, SOAP), you’ll miss important
                                 information
                               – You may do a “sample capture” first and find out the IP
                                 address of the Webex host (it will be one of the busiest
                                 conversations). Then filter out that IP: not host <ip>
Capture Options – short-term capture

                       If you’re capturing a small amount of data, Wireshark keeps
                        the packets in a temporary file until you save them; every
                        captured packet is retained, not just the most recent ones.
                       “Buffer size” in the capture options is the capture driver’s
                        (WinPcap) kernel buffer, not a limit on what Wireshark keeps.
                        If packets arrive faster than Wireshark reads them and the
                        buffer fills up, packets are dropped. On a busy interface,
                        raise the buffer size rather than lowering it.
Capture Options – long-term capture

                       If you’re expecting a huge amount of data, use the
                        “Capture File(s)” option and write straight to disk.
                       It’s recommended to use multiple small files instead of
                        one single big file for performance reasons (Wireshark and
                        its dissectors get slow on very large files)
                       “Ring buffer” is the option to reuse the oldest files (wrap
                        around), so the capture can run indefinitely with bounded
                        disk usage
Location, Location, Location

    [Topology diagram: CUCM7; Phone A with PC A; Phone B with PC B; Voice GW (V) to the PSTN]
Location, Location, Location

                       On a switched LAN, a sniffer can usually only capture the traffic
                        from/to the workstation it’s running on, with the exception of
                               – Hub (vs. switch)
                               – SPAN / RSPAN (port mirroring)
                               – Remote capture agent/daemon
                       Other capture locations
                               – VOS (Cisco Voice Appliance)
                               – IOS EPC (IOS Router / Voice Gateway)
On-box vs. Off-box
                         On-box capture
                                – Sniffer is running on the monitored box
                                – Pro: No extra equipment
                                – Pro: No configuration change on LAN switch
                                – Con: Operation needs to be performed on the box
                         Off-box capture
                                – Sniffer is running outside the monitored box
                                – Pro: Less impact on the box user (e.g. PC user)
                                – Con: Extra equipment
                                – Con: Configuration change on LAN switch
PC: On-box
    [Topology diagram; Wireshark runs on PC A itself]
    Object: PC A

PC: Off-box SPAN
    [Topology diagram; SPAN on the LAN switch, extra PC to run Wireshark]
    Configuration required on LAN switch
    No configuration required on PC A
    Object: PC A

PC: Off-box Remote Capture
    [Topology diagram; extra PC runs Wireshark against a remote capture daemon on PC A]
    Configuration required on PC A
    No configuration required on switch
    Object: PC A

CUCM: On-box VOS
    [Topology diagram; capture taken with the VOS CLI on CUCM]
    Limitation on capture size (100,000 packets)
    Object: CUCM

CUCM: Off-box SPAN
    [Topology diagram; SPAN on the LAN switch, extra PC to run Wireshark]
    Configuration required on LAN switch
    Object: CUCM

IP Phone: Off-box SPAN on Switch
    [Topology diagram; SPAN on the LAN switch, extra PC to run Wireshark]
    Configuration required on LAN switch
    Object: Phone A

IP Phone: Off-box SPAN on Phone
    [Topology diagram; the phone mirrors its traffic to the attached PC]
    Configuration required on phone (via CUCM)
    No configuration required on switch
    Object: Phone A

IP Phone: Options for Phone B?
    [Topology diagram; Phone B has no PC attached, so SPAN on the LAN switch with an extra PC to run Wireshark]
    Configuration required on LAN switch
    Object: Phone B

Voice GW: On-box EPC
    [Topology diagram; capture taken with EPC on the Voice GW]
    Limitation on capture size
    Object: Voice GW

Voice GW: Off-box SPAN
    [Topology diagram; SPAN on the LAN switch, extra PC to run Wireshark]
    Configuration required on LAN switch
    Object: Voice GW
SPAN / RSPAN on Switch
                         http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3750
                         monitor session 1 source interface fa0/1
                         monitor session 1 destination interface fa0/12
                                – Mirrors traffic entering and leaving fa0/1 (the monitored
                                  port) to fa0/12, where the Wireshark PC is connected
                                – A SPAN destination port only carries mirrored traffic, so
                                  the capturing PC has no normal network connectivity on
                                  that port
    [Diagram: switch port 1 (source) mirrored to port 12 (destination)]
SPAN on Phone
    [Diagram: Network – IP Phone – PC; the phone copies its traffic to its PC port]
Wireshark Remote Capture
    [Diagram: computer A’s interface is mirrored over the network to computer B]
                 “Remote Pcap Daemon” is running on computer A
                 Wireshark is running on computer B
                 Wireshark captures a “remote interface” on computer A
Wireshark Remote Capture
       On the remote computer start the Remote
        PCAP Daemon (rpcapd)
       -n means “no authentication”: anyone who can reach the
        port can capture every interface on that host, and the
        captured packets travel back in clear text. Use it only
        on a trusted network, restrict clients with
        -l <host_list_file> or a host firewall, and stop the
        daemon when you are done
       Can be run as a service

       On the local (Wireshark) computer, go
        to “Capture > Options”
       Choose “Remote” from “Interface”
       Type in the IP address of the remote
        computer
       Port: leave blank to use the default
        (2002)
       Authentication: choose “Null
        authentication” if rpcapd was started
        with -n
Wireshark Remote Capture

          Once Wireshark connects to the remote computer, it’ll retrieve
           the interface list from the remote computer
          Choose the interface you want to capture
          Caveat: the rpcapd port needs to be accessible (if there’s a firewall)
          More details:
           http://www.winpcap.org/docs/docs_411/html/group__remote.html
VOS (Voice Appliance)
                         utils network capture file myfile count
                          100000 size all
                                – Capture up to 100000 packets (can be interrupted by
                                  Ctrl-C). Save the capture file as “myfile.cap”
                         utils network capture file myfile count
                          100000 size all host all 192.168.1.100
                                – Capture packets from/to IP address 192.168.1.100
                         utils network capture file myfile count
                          100000 size all port 389
                                – Capture LDAP traffic (port number 389)
                         “size all” should always be specified. Otherwise, it’ll
                          only get the first 128 bytes of each packet, and the
                          payload you need (LDAP, SIP, HTTP) will be truncated
Get the capture file from VOS
                         file list activelog platform/cli detail date
                                – List all capture files, ordered by date/time
                         file get activelog platform/cli/myfile.cap
                                – Get “myfile.cap” by CLI. You’ll need an SFTP server
                         Use RTMT to collect “Packet Capture Logs”
                         If the file name you use already exists, the old file will
                          be renamed.
                                – e.g. “myfile.cap” will be renamed to “myfile_1.cap”. The
                                  latest capture will be “myfile.cap”
EPC – Embedded Packet Capture
          https://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_p
Display Filter

                       Display LDAP traffic only
                               – ldap
                       Display HTTP traffic only
                               – http
                               – Protocol-name filters match what the dissector decoded,
                                 not just the well-known port
                       Display traffic from 192.168.1.100
                               – ip.src==192.168.1.100
                       Display traffic to 192.168.1.100
                               – ip.dst==192.168.1.100
                       Display traffic from/to 192.168.1.100
                               – ip.addr==192.168.1.100
                       More details: http://wiki.wireshark.org/DisplayFilters
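Added example (not part of the original deck, and not Wireshark's own code): a small pcap reader that evaluates the display-filter expressions listed above (ip.src==, ip.dst==, ip.addr==, tcp.port==, bare protocol names, combined with and/or/not), plus a "top talkers" pass for the sample-capture trick from "Capture Filter cont." (find the chatty Webex host, then exclude it). The capture it reads is constructed inline; protocol names are approximated by well-known port here, whereas Wireshark matches on what its dissectors decode.

```python
"""Added example: minimal pcap reader + a subset of Wireshark display-filter
syntax + byte counts per IP address. Standard library only; the pcap is
constructed below and is not a real capture."""
import struct
from collections import Counter
from ipaddress import IPv4Address

# ---- constructing test traffic ---------------------------------------------
def _ipv4(src, dst, proto, payload):
    """Ethernet II + IPv4 header (checksum left at zero; fine for parsing)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\x00\x11\x22\x33\x44\x55" * 2 + b"\x08\x00" + hdr + payload

def tcp_frame(src, dst, sport, dport, payload):
    # 20-byte TCP header: data offset 5, flags PSH|ACK
    return _ipv4(src, dst, 6, struct.pack("!HHIIHHHH", sport, dport, 1, 1,
                                          (5 << 12) | 0x18, 65535, 0, 0) + payload)

def udp_frame(src, dst, sport, dport, payload):
    return _ipv4(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)

def build_pcap(records):
    """Classic little-endian pcap, LINKTYPE_ETHERNET; records are (epoch_seconds, frame)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

# ---- reading and dissecting -------------------------------------------------
def read_pcap(data):
    """Yield (timestamp, frame) per record; honours the file's byte order."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

def dissect(frame):
    """Ethernet II -> IPv4 -> TCP/UDP header fields, named like Wireshark's."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                   # ARP, IPv6, ... are skipped
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    f = {"ip.src": str(IPv4Address(ip[12:16])), "ip.dst": str(IPv4Address(ip[16:20])),
         "ip.proto": proto, "frame.len": len(frame)}
    if proto in (6, 17) and len(ip) >= ihl + 4:
        name = "tcp" if proto == 6 else "udp"
        f[name + ".srcport"], f[name + ".dstport"] = struct.unpack_from("!HH", ip, ihl)
    return f

# Bare protocol names are approximated by well-known port in this example.
PROTO_PORTS = {"http": 80, "ldap": 389, "sip": 5060, "tftp": 69, "ntp": 123}

def _atom(f, atom):
    neg = atom.startswith("not ")
    atom = atom[4:].strip() if neg else atom
    if "==" in atom:
        field, value = (s.strip() for s in atom.split("==", 1))
        if field == "ip.addr":
            ok = value in (f.get("ip.src"), f.get("ip.dst"))
        elif field in ("tcp.port", "udp.port"):
            p = field[:3]
            ok = int(value) in (f.get(p + ".srcport"), f.get(p + ".dstport"))
        else:
            ok = str(f.get(field)) == value
    else:
        port = PROTO_PORTS[atom]
        ok = port in (f.get("tcp.srcport"), f.get("tcp.dstport"),
                      f.get("udp.srcport"), f.get("udp.dstport"))
    return ok != neg

def match(f, expr):
    """'or' binds loosest, then 'and', then 'not' (same precedence as Wireshark)."""
    return any(all(_atom(f, a.strip()) for a in term.split(" and "))
               for term in expr.split(" or "))

def display_filter(data, expr):
    """1-based frame numbers that pass the display filter."""
    return [n for n, (_ts, frame) in enumerate(read_pcap(data), 1)
            if (f := dissect(frame)) and match(f, expr)]

def top_talkers(data, exclude=()):
    """Bytes per IP address (both directions), busiest first. Exclude the
    capturing host itself to expose the chatty peer you want to filter out."""
    bytes_by_ip = Counter()
    for _ts, frame in read_pcap(data):
        if f := dissect(frame):
            for ip in (f["ip.src"], f["ip.dst"]):
                if ip not in exclude:
                    bytes_by_ip[ip] += f["frame.len"]
    return bytes_by_ip.most_common()

# Constructed traffic: PC A (192.168.1.100) does LDAP with CUCM (.10) and bulk
# HTTPS with 10.0.0.5 (a stand-in for the conferencing host); PC B sends TFTP.
PCAP = build_pcap([
    (1.0, tcp_frame("192.168.1.100", "192.168.1.10", 50000, 389, b"\x30" * 40)),
    (1.1, tcp_frame("192.168.1.10", "192.168.1.100", 389, 50000, b"\x30" * 60)),
    (1.2, tcp_frame("192.168.1.100", "10.0.0.5", 50001, 443, b"\x17" * 1000)),
    (1.3, tcp_frame("10.0.0.5", "192.168.1.100", 443, 50001, b"\x17" * 1200)),
    (1.4, udp_frame("192.168.1.101", "192.168.1.10", 40000, 69, b"\x00\x01" + b"x" * 28)),
])

if __name__ == "__main__":
    for expr in ("ip.addr==192.168.1.100", "ldap", "tcp.port==443 and ip.dst==192.168.1.100"):
        print(f"{expr:45s} -> frames {display_filter(PCAP, expr)}")
    print("top talkers excluding PC A:", top_talkers(PCAP, exclude=("192.168.1.100",)))
```

Run against a real capture by replacing PCAP with the bytes of a .pcap file; once top_talkers names the busy peer, the matching capture filter for the next run is `not host <that address>`.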
Time Display Format

                       Wireshark can display the timestamp in different formats
                       Usually, we choose “Date and Time of Day”. This
                        gives a “human readable” time format that can be cross
                        referenced with timestamps in logs/traces.
Time Display Catches
                       Wireshark actually stores the timestamp in UTC (seconds since
                        the Unix epoch, as written into the capture file)
                       When you choose the “Date and Time of Day” format,
                        Wireshark translates the time based on the timezone
                        configured on the local computer, which means
                         – If the capture was done from a computer in PST
                           (GMT-8) and you’re viewing it on a computer in CST
                           (GMT-6), you’ll see a “two-hour offset” in packet
                           timestamps.
                         – If you’re discussing the packet capture with another
                           engineer in a different timezone, you’ll run into
                           confusion like this:
                              “Can you see that packet at 15:23:01?”
                              “What are you talking about? There’s no packet
                               with that timestamp. I do see one at 13:23:01
                               though”
                         – Current Wireshark versions also offer “UTC Date and Time
                           of Day” under View > Time Display Format; agree on UTC
                           when sharing a capture
Decrypt SSL Traffic

                       Lots of conversations are based on SSL/TLS
                               – Client logon (SOAP over HTTPS)
                               – LDAP over SSL (LDAPS)
                       It’d be helpful if we could decrypt the SSL packets and
                        see the content
Decrypt SSL Traffic

                       SSL traffic is not encrypted with the server’s private key;
                        the records are encrypted with symmetric session keys
                        negotiated in the handshake
                       With RSA key exchange the client encrypts the pre-master
                        secret with the server’s public key, so the server’s private
                        key lets Wireshark recover the session keys and decrypt
                               – Depending on the server/application type, the
                                 location of the private key will be different
                       With DHE/ECDHE cipher suites (forward secrecy) and TLS 1.3
                        the private key does not help; Wireshark then needs the
                        session secrets from a (pre)-master-secret log file
                        (SSLKEYLOGFILE) written by the client
Private Key on Cisco UC Appliance

                       /usr/local/platform/.security/tomcat/keys/tomcat_priv.pem
                               – This is the Tomcat (HTTPS) private key: whoever holds
                                 it can decrypt and impersonate the server’s HTTPS
                                 sessions. Copy it only to a trusted machine, protect
                                 the copy, and delete it when the troubleshooting is done
Private Key – What It Looks Like?
    [Screenshot of the PEM-encoded private key file]
Private Key – How to use it?

                           Go to “Wireshark > Edit > Preferences > Protocols > SSL”
                            (called “TLS” in current Wireshark versions; the RSA keys
                            list is edited there)
                           We put the private key on our laptop at C:\tomcat_priv.pem
                           14.128.60.117 is the IP address of the server
                           443 is the port number for HTTPS
                           http is the protocol we want to decode to
                           “SSL debug file” is optional (for debugging purposes)
Decrypted Packets
    [Screenshot: HTTP decoded inside the TLS stream]
Caveat
                         Wireshark needs to capture the full TLS handshake to
                          decrypt packets
                         The handshake includes “Client Hello”, “Server Hello,
                          Certificate”, “Key Exchange”, “Change Cipher Spec”, etc.
                         See packet #6 to packet #11 below
                         A resumed session (the Server Hello echoes the client’s
                          session ID, or a session ticket is used) reuses keys from
                          an earlier handshake that is not in the capture, so it
                          can’t be decrypted; start the capture before the client
                          connects for the first time
    [Screenshot: handshake packets #6 to #11]
Caveat cont.
                         If you have another TLS application running (e.g. RTMT), it
                          might confuse Wireshark (because RTMT also does a TLS
                          handshake with the server)
                         Exit RTMT (and other TLS applications) while doing the
                          packet capture
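Added example (not from the original deck, and not Wireshark's code): before copying a private key off a server, check the captured handshake to see whether the key would even help. The code parses the Client Hello and Server Hello records, reads the negotiated cipher suite, and reports whether the session is RSA key exchange (server private key decrypts), (EC)DHE or TLS 1.3 (only a pre-master-secret log helps), or a resumed session (keys come from a handshake that is not in the capture). The cipher-suite table is a representative subset of the IANA registry, and the Hello records are constructed inline; a real capture would feed it the TLS record bytes reassembled from the TCP stream.

```python
"""Added example: can the server's private key decrypt this TLS session?
Standard library only; the Hello records are constructed, not captured."""
import struct

# IANA cipher-suite values -> (name, key exchange). A representative subset.
SUITES = {
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS1.3"),
    0x1302: ("TLS_AES_256_GCM_SHA384", "TLS1.3"),
}

def parse_hello(record):
    """Parse one TLS record holding a ClientHello (type 1) or ServerHello (type 2)."""
    ctype, _rec_ver, rlen = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16 or len(record) < 5 + rlen:
        raise ValueError("not a complete TLS handshake record")
    htype = record[5]
    hlen = int.from_bytes(record[6:9], "big")
    h = record[9:9 + hlen]
    version = struct.unpack_from("!H", h, 0)[0]
    pos = 2 + 32                                  # version + 32-byte random
    sid_len = h[pos]
    session_id = h[pos + 1:pos + 1 + sid_len]
    pos += 1 + sid_len
    if htype == 1:                                # ClientHello offers a list
        n = struct.unpack_from("!H", h, pos)[0]
        suites = list(struct.unpack_from("!%dH" % (n // 2), h, pos + 2))
    elif htype == 2:                              # ServerHello picks exactly one
        suites = [struct.unpack_from("!H", h, pos)[0]]
    else:
        raise ValueError("handshake type %d is not a Hello" % htype)
    return {"type": htype, "version": version, "session_id": session_id, "suites": suites}

def private_key_decrypts(client_hello, server_hello):
    """(decryptable with the server's RSA private key, reason)."""
    ch, sh = parse_hello(client_hello), parse_hello(server_hello)
    suite = sh["suites"][0]
    name, kx = SUITES.get(suite, ("unknown_0x%04x" % suite, "unknown"))
    if kx == "TLS1.3":
        return False, name + ": TLS 1.3 is always ephemeral; use a (pre)-master-secret log"
    if sh["session_id"] and sh["session_id"] == ch["session_id"]:
        # RFC 5246 7.4.1.3: an echoed session ID means an abbreviated (resumed) handshake
        return False, "session resumed: keys come from a handshake that is not in this capture"
    if kx == "RSA":
        return True, name + ": pre-master secret is RSA-encrypted to the server key"
    if kx in ("DHE", "ECDHE"):
        return False, name + ": ephemeral key exchange; use a (pre)-master-secret log instead"
    return False, name + ": unknown key exchange"

def _hello(htype, session_id, suites):
    """Constructed Hello record (TLS 1.2 framing, fixed random, no extensions)."""
    if htype == 1:
        suite_bytes = struct.pack("!H%dH" % len(suites), 2 * len(suites), *suites) + b"\x01\x00"
    else:
        suite_bytes = struct.pack("!H", suites[0]) + b"\x00"
    body = b"\x03\x03" + b"\x11" * 32 + bytes([len(session_id)]) + session_id + suite_bytes
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0303, len(hs)) + hs

# Constructed handshakes (test data)
CLIENT_HELLO = _hello(1, b"", [0xC02F, 0xC013, 0x002F, 0x0035])
CLIENT_HELLO_RESUMED = _hello(1, b"\xaa" * 16, [0x002F])
SERVER_HELLO_RSA = _hello(2, b"\xaa" * 16, [0x002F])
SERVER_HELLO_ECDHE = _hello(2, b"\xaa" * 16, [0xC02F])

if __name__ == "__main__":
    for label, ch, sh in (("fresh, RSA", CLIENT_HELLO, SERVER_HELLO_RSA),
                          ("fresh, ECDHE", CLIENT_HELLO, SERVER_HELLO_ECDHE),
                          ("resumed, RSA", CLIENT_HELLO_RESUMED, SERVER_HELLO_RSA)):
        print(f"{label:14s} -> {private_key_decrypts(ch, sh)}")
```

The same check explains the RTMT caveat: a second client that already completed a handshake will resume, and resumed sessions show up as undecryptable even with the right key loaded.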
Example: Audio
                         Audio issues
                                – One-way / no-way audio
                                – Audio quality
Analyze Audio Packets
                       Audio quality issues are usually caused by the network (packet
                        loss, jitter, delay)
                       You may use the “Telephony > RTP” menu to see the stream
                        statistics (lost packets, duplicates, max delta, jitter)
                       You may also extract the audio stream and play it with a
                        media player (might be limited to G.711 only)
Analyze Audio Packets
    [Screenshot: Telephony > RTP stream analysis]

Voice Quality - Duplicated Packets
    [Screenshot]

Voice Quality – Packet Delay
    [Screenshot]
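Added example (not part of the original deck, and not Wireshark's implementation): the numbers behind the three slides above, computed by hand. It parses RTP headers and, for one stream, reports packets lost (expected minus received, RFC 3550 A.3), duplicated packets, out-of-order packets, the largest gap between consecutive arrivals ("max delta"), and the RFC 3550 A.8 interarrival jitter in milliseconds. The stream is a constructed 20 ms G.711 flow with one lost packet, one duplicate and one late packet; sequence-number wrap-around is deliberately not handled to keep the example short.

```python
"""Added example: the per-stream numbers Wireshark's RTP stream analysis
reports, computed on a constructed G.711 stream. Standard library only."""
import struct

def rtp(seq, ts, ssrc=0xDEADBEEF, pt=0, marker=False, payload=b"\xff" * 160):
    """Constructed RTP packet: V=2, PT 0 = PCMU, 160 samples = 20 ms at 8 kHz."""
    return struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt, seq, ts, ssrc) + payload

def parse_rtp(pkt):
    """RTP fixed header (RFC 3550 section 5.1); CSRC list skipped, extensions ignored."""
    b0, b1, seq, ts, ssrc = struct.unpack_from("!BBHII", pkt, 0)
    if b0 >> 6 != 2:
        raise ValueError("RTP version must be 2")
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq, "ts": ts,
            "ssrc": ssrc, "payload": pkt[12 + 4 * (b0 & 0x0F):]}

def analyze_stream(packets, clock_rate=8000):
    """packets: (arrival_seconds, rtp_bytes) in capture order, one SSRC.
    Loss per RFC 3550 A.3 (expected minus received), jitter per A.8.
    16-bit sequence wrap-around is not handled in this example."""
    st = {"packets": 0, "received": 0, "lost": 0, "duplicates": 0,
          "out_of_order": 0, "max_delta_ms": 0.0, "jitter_ms": 0.0, "max_jitter_ms": 0.0}
    seen, base, highest = set(), None, None
    prev_arrival, prev_transit, jitter = None, None, 0.0
    for arrival, pkt in packets:
        h = parse_rtp(pkt)
        st["packets"] += 1
        if prev_arrival is not None:       # "max delta": largest gap between consecutive arrivals
            st["max_delta_ms"] = max(st["max_delta_ms"], (arrival - prev_arrival) * 1000)
        prev_arrival = arrival
        if h["seq"] in seen:               # duplicate: counted, but not fed into loss/jitter
            st["duplicates"] += 1
            continue
        seen.add(h["seq"])
        st["received"] += 1
        if base is None:
            base = highest = h["seq"]
        elif h["seq"] > highest:
            highest = h["seq"]
        else:                              # arrived after a higher sequence number
            st["out_of_order"] += 1
        # Interarrival jitter (RFC 3550 A.8): smoothed |change in (arrival - RTP timestamp)|
        transit = round(arrival * clock_rate) - h["ts"]
        if prev_transit is not None:
            jitter += (abs(transit - prev_transit) - jitter) / 16
            st["max_jitter_ms"] = max(st["max_jitter_ms"], jitter * 1000 / clock_rate)
        prev_transit = transit
    st["lost"] = (highest - base + 1) - st["received"]
    st["jitter_ms"] = jitter * 1000 / clock_rate
    st["max_delta_ms"] = round(st["max_delta_ms"], 3)
    return st

# Constructed 20 ms G.711 stream: seq 5 never arrives, seq 8 is duplicated,
# seq 11 shows up 30 ms late and after seq 12.
STREAM = [
    (0.000, rtp(1, 0)), (0.020, rtp(2, 160)), (0.040, rtp(3, 320)), (0.060, rtp(4, 480)),
    (0.100, rtp(6, 800)), (0.120, rtp(7, 960)), (0.140, rtp(8, 1120)),
    (0.141, rtp(8, 1120)),
    (0.160, rtp(9, 1280)), (0.180, rtp(10, 1440)),
    (0.220, rtp(12, 1760)), (0.230, rtp(11, 1600)),
]

if __name__ == "__main__":
    for k, v in analyze_stream(STREAM).items():
        print(f"{k:>14}: {v}")
```

With a real capture, group packets by SSRC first (one stream per direction) and feed each group in; a steadily growing jitter with no loss points at queuing delay, while loss with low jitter points at drops on a link or in a policer.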
Example: TFTP
                         Phone Registration
                         Customized background and ring tone for phone
Example: Skinny Protocol
                         Skinny Messages (SCCP)
Internal Build to Decode SCCP v.17

         http://wwwin-eng.cisco.com/Eng/VTG/IPCBU/CUCM/CallMana

         Credit: Wes Sisk
Enhancements
          Adds decoding of the following messages according to SCCP V17
           specification
            – ButtonTemplateReq
            – UpdateCapabilitiesV3
            – StopTone
            – DisplayPriNotifyV2
            – DisplayPromptStatusV2
            – FeatureStatV2
            – LineStatV2
            – ServiceURLStatV2
            – SpeedDialStatV2
            – CallInfoV2
            – StartMediaTransmissionAck
            – StartMultiMediaTransmissionAck
            – CallHistoryInfo
            – StationAccessoryInfo



Example: SIP Call
                         VoIP SIP call
                         SIMPLE
                                – Session Initiation Protocol for Instant Messaging and
                                  Presence Leveraging Extensions
                         Wireshark integrated SIP analyzer (Telephony > VoIP Calls)
                         SIP Workbench Analyzer
                                – www.sipworkbench.com
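Added example (not from the original deck, and not Wireshark's VoIP Calls code): the ladder that Wireshark draws for a SIP call, rebuilt by hand. Messages are grouped by Call-ID, each line of the flow records who sent what, and the final response to the INVITE decides whether the call completed. The messages, addresses and Call-IDs are constructed; the second call fails with a 503 to stand in for the "inbound call cannot complete" case on the complex call-flow slides.

```python
"""Added example: SIP call flow (ladder) and outcome per Call-ID.
Standard library only; the SIP messages below are constructed."""

COMPACT = {"i": "call-id", "f": "from", "t": "to", "v": "via", "m": "contact"}

def parse_sip(raw):
    """Split the start line and headers of one SIP message; compact header
    forms (i:, f:, t:) are expanded. Returns kind, method, code, reason, headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), value.strip())
    start = lines[0]
    if start.startswith("SIP/2.0 "):                       # status line
        code = int(start.split()[1])
        return {"kind": "response", "code": code, "reason": start.split(" ", 2)[2],
                "method": headers["cseq"].split()[1], "headers": headers}
    return {"kind": "request", "code": None, "reason": None,
            "method": start.split()[0], "headers": headers}

def call_flow(messages):
    """messages: (src_ip, dst_ip, raw_sip) in capture order.
    Returns {call_id: {"flow": [ladder lines], "final": final INVITE answer or None}}."""
    calls = {}
    for src, dst, raw in messages:
        m = parse_sip(raw)
        call = calls.setdefault(m["headers"]["call-id"], {"flow": [], "final": None})
        if m["kind"] == "request":
            call["flow"].append(f"{src} -> {dst}: {m['method']}")
        else:
            call["flow"].append(f"{src} -> {dst}: {m['code']} {m['reason']} ({m['method']})")
            if m["method"] == "INVITE" and m["code"] >= 200:   # final answer to the INVITE
                call["final"] = f"{m['code']} {m['reason']}"
    return calls

def failed_calls(calls):
    """Call-IDs whose INVITE got no 2xx: the ones to look at first."""
    return [cid for cid, c in calls.items() if not (c["final"] and c["final"].startswith("2"))]

def _msg(start, call_id, cseq):
    """Constructed SIP message with the minimum headers (test data)."""
    return (f"{start}\r\nVia: SIP/2.0/UDP 10.1.1.5:5060;branch=z9hG4bK1\r\n"
            f"From: <sip:2001@10.1.1.5>;tag=a1\r\nTo: <sip:3001@10.1.1.10>\r\n"
            f"i: {call_id}\r\nCSeq: {cseq}\r\nContent-Length: 0\r\n\r\n")

GW, CUCM = "10.1.1.5", "10.1.1.10"          # constructed addresses
MESSAGES = [
    (GW, CUCM, _msg("INVITE sip:3001@10.1.1.10 SIP/2.0", "call-1@gw", "1 INVITE")),
    (CUCM, GW, _msg("SIP/2.0 100 Trying", "call-1@gw", "1 INVITE")),
    (CUCM, GW, _msg("SIP/2.0 180 Ringing", "call-1@gw", "1 INVITE")),
    (CUCM, GW, _msg("SIP/2.0 200 OK", "call-1@gw", "1 INVITE")),
    (GW, CUCM, _msg("ACK sip:3001@10.1.1.10 SIP/2.0", "call-1@gw", "1 ACK")),
    (GW, CUCM, _msg("BYE sip:3001@10.1.1.10 SIP/2.0", "call-1@gw", "2 BYE")),
    (CUCM, GW, _msg("SIP/2.0 200 OK", "call-1@gw", "2 BYE")),
    # second call: the downstream SIP service is down, so the INVITE is refused
    (GW, CUCM, _msg("INVITE sip:3002@10.1.1.10 SIP/2.0", "call-2@gw", "1 INVITE")),
    (CUCM, GW, _msg("SIP/2.0 100 Trying", "call-2@gw", "1 INVITE")),
    (CUCM, GW, _msg("SIP/2.0 503 Service Unavailable", "call-2@gw", "1 INVITE")),
    (GW, CUCM, _msg("ACK sip:3002@10.1.1.10 SIP/2.0", "call-2@gw", "1 ACK")),
]

if __name__ == "__main__":
    calls = call_flow(MESSAGES)
    for cid, c in calls.items():
        print(f"{cid}  final: {c['final']}")
        for line in c["flow"]:
            print("   ", line)
    print("failed:", failed_calls(calls))
```

An INVITE whose "final" stays None after the capture ends is a call that never got a final answer: the sender retransmitted into silence, which is what a stopped SIP service on the next hop looks like from the gateway.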
Simple Call Flow
    [Screenshot: SIP ladder diagram]

Complex Call Flow
    [Topology diagram: PSTN – VGW – UCM 1 / UCM 2, CUP1 / CUP2, CVP1 / CVP2, ICM1 / ICM2]
      Inbound call cannot complete (busy tone)
      when SIP service on CUP1 was stopped.

Complex Call Flow
    [Same topology diagram, labelled WW-CUCM (UCM 1 / UCM 2), WW-MS, WW-UCIS (CUP1 / CUP2), WW-CVP (CVP1 / CVP2), WW-IPCC (ICM1 / ICM2)]

Complex Call Flow
    [Screenshot: ladder diagram between VGW, CUP2, CVP2 and CUP1]
Example: NTP
                         NTP issues
                                – Stratum
                                          Default stratum for VOS is 10
                                          VOS won’t sync to an NTP source with stratum 10 or
                                           higher
                                – Dispersion
                                          Accuracy of the clock
                                          VOS won’t trust a clock with dispersion 1 or greater
                                          Windows reports dispersion 10 if the CMOS clock is used
Verify NTP Communication from CLI
    [Screenshot: CLI capture output with the NTP port (123) highlighted]

Verify Stratum and Dispersion
    [Screenshot]
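Added example (not from the original deck): the stratum and dispersion check done on the raw NTP reply, the way you would read it in Wireshark's NTP dissector. The code decodes the 48-byte RFC 5905 header (leap indicator, version, mode, stratum, 16.16 fixed-point root delay and root dispersion, reference ID, transmit timestamp) and applies the rules from the NTP slide: a server reply, stratum below 10, root dispersion below 1 s. The three replies are constructed to mimic a healthy router, a Windows host on its CMOS clock, and a stratum-10 source; the thresholds are parameters so they can be adjusted if a platform documents different limits.

```python
"""Added example: decode an NTP server reply and apply the VOS acceptance
rules described above. Standard library only; the replies are constructed."""
import struct
from datetime import datetime, timezone

NTP_UNIX_OFFSET = 2208988800        # seconds from 1900-01-01 to 1970-01-01
MODES = {1: "symmetric active", 2: "symmetric passive", 3: "client", 4: "server", 5: "broadcast"}
HEADER = "!BBBbIIIQQQQ"             # 48-byte fixed header, RFC 5905 section 7.3

def parse_ntp(pkt):
    """Fields as Wireshark's NTP dissector shows them; works for v3 and v4."""
    (lvm, stratum, poll, precision, root_delay, root_disp, ref_id,
     _ref_ts, _orig_ts, _recv_ts, xmit_ts) = struct.unpack_from(HEADER, pkt, 0)
    ref = ref_id.to_bytes(4, "big")
    return {
        "leap": lvm >> 6, "version": (lvm >> 3) & 7, "mode": MODES.get(lvm & 7, lvm & 7),
        "stratum": stratum, "poll_s": 2 ** poll, "precision_s": 2.0 ** precision,
        "root_delay_s": root_delay / 65536,          # 16.16 fixed point, seconds
        "root_dispersion_s": root_disp / 65536,
        # stratum 0/1: four ASCII chars (LOCL, GPS, ...); stratum 2+: IPv4 of the upstream server
        "ref_id": ref.decode("ascii", "replace") if stratum <= 1 else ".".join(str(b) for b in ref),
        "transmit_utc": datetime.fromtimestamp((xmit_ts >> 32) - NTP_UNIX_OFFSET, tz=timezone.utc),
    }

def vos_would_accept(info, max_stratum=10, max_dispersion_s=1.0):
    """Return (accepted, problems) using the thresholds from the slide above."""
    problems = []
    if info["mode"] != "server":
        problems.append("mode %r is not a server reply" % info["mode"])
    if info["leap"] == 3:
        problems.append("leap indicator 3: clock not synchronized")
    if info["stratum"] == 0 or info["stratum"] >= max_stratum:
        problems.append("stratum %d (need 1..%d)" % (info["stratum"], max_stratum - 1))
    if info["root_dispersion_s"] >= max_dispersion_s:
        problems.append("root dispersion %.3f s (need < %.1f s)"
                        % (info["root_dispersion_s"], max_dispersion_s))
    return not problems, problems

def ntp_reply(version, stratum, root_disp_s, ref_id, leap=0, xmit_sec=0xD0000000):
    """Constructed server reply (mode 4) for the examples below (test data)."""
    lvm = (leap << 6) | (version << 3) | 4
    return struct.pack(HEADER, lvm, stratum, 6, -20, 0, int(root_disp_s * 65536),
                       int.from_bytes(ref_id, "big"), 0, 0, 0, xmit_sec << 32)

ROUTER_REPLY = ntp_reply(4, 3, 0.05, bytes([10, 1, 1, 1]))        # healthy IOS router
WINDOWS_CMOS_REPLY = ntp_reply(3, 1, 10.0, b"LOCL")                # W32Time on its local clock
STRATUM10_REPLY = ntp_reply(4, 10, 0.01, bytes([10, 1, 1, 2]))     # too far from a reference

if __name__ == "__main__":
    for label, pkt in (("router", ROUTER_REPLY), ("windows/CMOS", WINDOWS_CMOS_REPLY),
                       ("stratum 10", STRATUM10_REPLY)):
        info = parse_ntp(pkt)
        print(f"{label:13s} v{info['version']} stratum {info['stratum']} "
              f"disp {info['root_dispersion_s']:.3f}s ref {info['ref_id']} -> {vos_would_accept(info)}")
```

The Windows case is the one the "Myths and Facts" slide is about: the reply is a perfectly valid NTP v3 server response, and only its 10 s root dispersion makes the appliance refuse it.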
Myths and Facts
                         Myths
                                – You cannot use Windows as NTP server for Cisco
                                  Appliances (CUCM, CER, etc.). You'll have to use Cisco
                                  switches or routers. (CSCte17541)
                                – Cisco CUCM only supports NTP v4 (version 4). Since
                                  Windows NTP is v3 (version 3), it won't work with
                                  CUCM. (CSCsw17043)
                         Facts
                                – Cisco CUCM (and other VOS-based appliances) can use
                                  Windows as NTP source. Registry configuration is
                                  required to lower the advertised dispersion.
                                – Cisco CUCM (and other VOS-based appliances)
                                  support NTP v3 and v4.
Example: LDAP Integration
                         Don’t confuse LDAP with Active Directory
                         Active Directory, Domino Directory, Novell Directory, etc.
                          are proprietary directory solutions. They have their own
                          ways of communicating and storing data
                         LDAP (Lightweight Directory Access Protocol) is an IETF
                          standard (RFC 4510)
                         The proprietary directory protocol and LDAP co-exist in parallel
                         A successful action (e.g. search, logon) on the proprietary
                          directory does NOT guarantee success over LDAP
LDAP Authentication
    [Screenshot]

LDAP Search
    [Screenshot]

DSquery & LDP
    [Screenshot]
Example: HTTP-based Apps
                         Many applications use the HTTP(S) protocol
                                – CUPC (logon, self-defined state)
                                – AXL (SOAP over HTTPS; data sync between CUPS/UC/UCCX
                                  and CUCM)
                                – Phone Designer
                                – Phone Services (Directory, Extension Mobility, IPPM,
                                  IPPA, etc.)
                                – CUPS (Exchange calendar integration)
                         For security reasons the traffic is usually encrypted with
                          TLS/SSL. Without the server's private key and the TLS handshake
                          in the capture (see "Decrypt SSL Traffic") you only see the TCP
                          and TLS handshakes and, with TLS 1.2 and earlier, the server
                          certificate. Decrypting with the server's private key also only
                          works for cipher suites with RSA key exchange; with (EC)DHE
                          suites you need the session keys instead.




CUPC Logon




Example: Certificate Related
                         SSL/TLS and certificate issues show up in
                                – LDAP over SSL (CUCM LDAP Integration)
                                – OWA over HTTPS (CUPS Calendar Integration)
                                – IMAP over SSL (Unity/Exchange)
                         Most certificate issues are caused by a misconception
                                – Trust is based on the CA, not on the end-entity
                                – The CA certificate (the issuer of the server's certificate)
                                  needs to be uploaded to the UC box as the trust
                                  certificate, not the end-entity certificate itself. In
                                  the capture, compare the Issuer of the certificate the
                                  server sends in the TLS handshake with the Subject of
                                  the certificate in the trust store.
                         Other certificate issues
                                – Expired certificate (notBefore/notAfter are checked
                                  against the UC box's own clock, which is one more reason
                                  NTP must be right)
                                – Confusion about which certificate belongs to which host
                                  or CA ("Who's Whom?")




End-entity cert vs. CA cert
                         (Figure: a CA certificate at the top and the End Entity
                          certificate it issues below it.)
How Does VOS Trust a Certificate?
                         (Screenshot with two callouts: "This is the end-entity" and
                          "This is the CA (issuer)".)
How to correlate certificates on VOS
                         (Two screenshots, not reproduced.)
Certificate Issues - Expired
                         (Screenshot; references MSFT KB932834.)
Certificate Issues – Who’s Whom?
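As an added example (not from the slides), the shell script below builds a two-level lab PKI with openssl and runs the three checks the certificate slides describe: verifying the server certificate against the CA certificate versus against the end-entity certificate itself (the trust-store mistake), correlating the end-entity's Issuer with the CA's Subject (what the VOS certificate pages show), and checking for expiry. All names are made up; it needs only the `openssl` command and writes into a temporary directory.

```sh
#!/bin/sh
# Added example: lab PKI plus the trust, correlation and expiry checks from the slides.
set -e

LAB=$(mktemp -d)
cd "$LAB"

# Self-signed lab CA (1 year) and an end-entity certificate for a directory
# server (30 days) signed by it. Names are invented.
make_lab_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=Example Lab/CN=Example Lab Root CA" \
        -keyout ca.key -out ca.pem >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Lab/CN=ldap.example.test" \
        -keyout srv.key -out srv.csr >/dev/null 2>&1
    openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 30 -sha256 -out srv.pem >/dev/null 2>&1
}

# Print 1 if certificate $2 chains to the trust file $1, else 0. This is the
# decision a UC box makes with whatever was uploaded as its trust certificate.
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo 1; else echo 0; fi
}

# Print the subject or issuer ($1) of certificate $2 in RFC 2253 form, without
# the "subject=" / "issuer=" label, so the two names can be compared directly.
cert_name() {
    openssl x509 -noout -"$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# Print 1 if certificate $2 has expired or expires within $1 seconds, else 0.
expires_within() {
    if openssl x509 -noout -checkend "$1" -in "$2" >/dev/null 2>&1; then echo 0; else echo 1; fi
}

make_lab_pki

echo "trust store = CA cert:          valid=$(verify_against ca.pem srv.pem)"
echo "trust store = end-entity cert:  valid=$(verify_against srv.pem srv.pem)"
echo "srv issuer:  $(cert_name issuer srv.pem)"
echo "CA subject:  $(cert_name subject ca.pem)"
echo "srv expires within 1 hour: $(expires_within 3600 srv.pem)"
echo "srv expires within 40 days: $(expires_within $((40 * 86400)) srv.pem)"
```

The second `verify_against` line is the slide's point: with only the end-entity certificate as trust anchor the chain does not validate (openssl, like VOS, wants the issuing CA unless partial chains are explicitly allowed), while the Issuer/Subject match on the next two lines is how you tell which CA certificate to upload.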



