bunnylat.blogg.se

Wireshark ip address filter command

The scenario for Wireshark SIP analysis that will be examined is one where there is an X-lite SIP client, now known as Bria Solo Free, configured on a computer with an extension of 3XX and an IP address of 192.168.1.61. This device registers with a SIP server somewhere on the Internet with an IP address of X.Y.Z.23. There is a second phone that also registers on the same SIP server, which has an extension of 4XX and an IP address of X.Y.Z.183. Details of the intervening network infrastructure, such as the NAT router behind which the X-lite client is operating, are not included here, as these are irrelevant to the exercise. The following diagram depicts the scenario.

Note that the addresses you see are taken from the Wireshark capture that is used in this article. Because this capture is from a real VoIP production network, for obvious reasons, the first three octets of the IP addresses have been obscured in the screenshots and will therefore be referred to as X.Y.Z.23 and X.Y.Z.183 respectively in the text. The 192.168.1.61 address has not been obscured since this is a private IP address and cannot be reached from the Internet. The pcap file that we will be using for this example has the following characteristics:

Sample Wireshark SIP Analysis Capture Characteristics

The extension numbers have been similarly obscured. The capture was performed on the computer running the X-lite software.

The “interesting” traffic that exists in this capture is a telephone call made from extension 3XX to extension 4XX. However, during the time period of the capture, additional traffic was recorded that we don’t want to view, including some ICMP, ARP and TLS packets, each of which corresponds to various other applications and utilities running on the computer. We’ll have to find a way to filter those out in order to view only the packets pertaining to the call in question. In order to view portions of the captured traffic, we’ll take a look at various filtering commands that we can apply in order to isolate the packets we want. We will also look into specific types of packets to glean important information from each. In this exercise, to perform Wireshark SIP analysis, we will be looking at how to isolate the SIP control packets of the conversation.

In the display filter field, we’ll use the SIP keyword in conjunction with the IP addresses of the X-lite computer and the SIP server involved in the conversation. These addresses are 192.168.1.61 and X.Y.Z.23 respectively. The filter that will be used is specifically: This will result in showing all packets that are using the SIP protocol and have a source or destination IP address of 192.168.1.61 and X.Y.Z.23.

  • Out of the over 10000 packets captured, only 20 packets match our criteria.
  • This is typical, as the vast majority of exchanged packets are those whose payload is the voice itself, and those use Real-time Transport Protocol (RTP). SIP does not carry voice, but carries only the control information to set up, control and tear down calls.
  • The yellow highlighted area shows that the first packet is a SIP INVITE packet.
  • The invite also indicates the number that was called.
  • The yellow highlighted area also indicates the port being used; this is the number that comes after the colon “:”.

Notice that this is not the default SIP port, which is 5060.
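The filtering and INVITE reading described in this article, as an added Python example that is not part of the original page: it applies the "SIP plus both IP addresses" selection to packet summaries and pulls the called number and port out of an INVITE request line. The packet list, the address 203.0.113.23 (a stand-in for the obscured X.Y.Z.23), extension 401 and port 5080 are constructed assumptions.

```python
import re

CLIENT = "192.168.1.61"
SERVER = "203.0.113.23"      # constructed placeholder for the obscured X.Y.Z.23
DEFAULT_SIP_PORT = 5060

# Constructed packet summaries: (source, destination, protocol, first payload line)
PACKETS = [
    (CLIENT, SERVER, "SIP", "INVITE sip:401@203.0.113.23:5080 SIP/2.0"),
    (SERVER, CLIENT, "SIP", "SIP/2.0 100 Trying"),
    (CLIENT, SERVER, "RTP", ""),
    (CLIENT, "192.168.1.1", "ICMP", ""),
    (SERVER, CLIENT, "SIP", "SIP/2.0 200 OK"),
    (CLIENT, "198.51.100.7", "TLS", ""),
    ("203.0.113.183", SERVER, "SIP", "REGISTER sip:203.0.113.23:5080 SIP/2.0"),
]

def matches(pkt, proto, *addrs):
    """Mirror a display filter of the form  sip && ip.addr == A && ip.addr == B.
    ip.addr == X is true when X is the source OR the destination, so requiring
    both addresses keeps only traffic between those two hosts."""
    src, dst, pkt_proto, _ = pkt
    return pkt_proto == proto and all(a in (src, dst) for a in addrs)

def call_signalling(packets):
    """SIP control packets exchanged between the client and the SIP server."""
    return [p for p in packets if matches(p, "SIP", CLIENT, SERVER)]

# Request line: INVITE sip:<user>@<host>[:<port>] SIP/2.0
REQUEST_LINE = re.compile(
    r"^INVITE sips?:(?:(?P<user>[^@;:\s]+)@)?(?P<host>[^:;\s]+)"
    r"(?::(?P<port>\d+))?[;\s]"
)

def parse_invite(line):
    """Return called number, host and port from an INVITE line, or None."""
    m = REQUEST_LINE.match(line)
    if not m:
        return None
    # No explicit port after the colon means the default SIP port applies.
    port = int(m["port"]) if m["port"] else DEFAULT_SIP_PORT
    return {"called": m["user"], "host": m["host"], "port": port,
            "default_port": port == DEFAULT_SIP_PORT}

if __name__ == "__main__":
    selected = call_signalling(PACKETS)
    print(f"{len(selected)} of {len(PACKETS)} packets match")
    print(parse_invite(selected[0][3]))
```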









