the media analysis part, which you want to do is in the step 2.
but then, the first step helps you in accumulating all the sip related data into one file
so ur script may look something like (assuming that you are in a directory which contains many pcap traces)
list = `ls *.pcap`
j=1;
for i in $list
do
tshark -r $i port 5060 -w /tmp/sip-$j.pcap
j=$[$j + 1]
done
///merge all the captues into a single capture file using editcap and delete redundant files
editcap -w final-sip.pcap /tmp/sip*.pcap
rm /tmp/sip*.pcap
///use the second filter to filter out all the media ports which would have been exchanged using SDP
mports=`tshark -r final-sip.pcap sdp.media.port -V | grep -w "Media Port"` | awk -F ":" '{print $2}'`
///and now for each port in $mports go back to step 1 and filter out all the traffic going to those ports and then use for later analysis
If someone on the list know a direct way of doing it, please let know
Thanks,
Sandeep Nitta
Sandeep
So I have to capture all the packets then save the file, then apply the signaling filter ( tshark -i x port 5060 -w <name of pcap that you want to analyze>), then write a script to save this data. Then apply another filter to get the SDP information on the same file,( tshark -r sdp.media.port -V | grep -w "Media Port) then write this to a file.
Is that the correct sequency of events required to do this?
Is there a way to cut own the amount of steps? Can I apply both filters at the same time?
Terry Martin
TimeData Corporation
VP of Network Operation
work: 212-644-1600 X3
Cell: 503-318-8909
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of sandeep nitta
Sent: Thursday, August 28, 2008 11:00 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Question
Terry, that again depends on what Voip protocol you are analyzing.
For instance in SIP, media information is exchanged commonly over SDP (Session Description Protocol), which carries the port information over which the media is to be exchanged.
you can use sdp.media.port switch in conjunction with -V to see what all ports are being used for Media Transfer.
something like
tshark -r <pcap you want to read> sdp.media.port -V | grep -w "Media Port" (I dont know a better way to get the media ports)
You can use a small script to store these ports and supply the same to tshark to automate the process.
--
Sandeep Nitta
On Fri, Aug 29, 2008 at 12:17 AM, Terry Martin <tmartin@xxxxxxxxxxxxxxxx> wrote:
Thanks that is a good start
This gives me the signaling information, which I want. I also want the information over the media which is usually on another port? Is there a way to indentify that and collect that?
That is why I was trying to find a way to automate what is done in wireshark, where it will analyse a VoIP call. I want to see if I can do that in Tshark. Is that possible?
Terry Martin
TimeData Corporation
VP of Network Operation
work: 212-644-1600 X3
Cell: 503-318-8909
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of sandeep nitta
Sent: Thursday, August 28, 2008 10:51 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Question
You need to identify which Voip protocols are being used in your Voip Traffic.
Ex: SIP commonly uses port 5060 for UDP and 5061 for TCP
Similarily, once you identify which protocol is being used in your network and on which port it traverses, you are ready to go ahead
Say, all your traffic goes on port 5060 and on "x" interface,
you can use the following filter
tshark -i x port 5060 -w <name of pcap that you want to analyze"
you can look at the man page of tshark and what functionality the -z switch provides to further analyze the captued trace file.
--
Sandeep Nitta
On Thu, Aug 28, 2008 at 9:15 PM, Terry Martin <tmartin@xxxxxxxxxxxxxxxx> wrote:
I am new to the list but I am trying to understand how to collect VoIP traffic using Tshark and generate similar reports to what you can get when you use the VoIP analysis in wireshark? Can any one point me the right direction to obtain that type of data? How to setup the filters
Thanks
Terry Martin
TimeData Corporation
VP of Network Operation
work: 212-644-1600 X3
Cell: 503-318-8909
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users
- References:
- Re: [Wireshark-users] Question
- From: Terry Martin
- Re: [Wireshark-users] Question
- Prev by Date: [Wireshark-users] using Tshark to get Wireshark analysis reports
- Next by Date: Re: [Wireshark-users] Problem running Wireshark on Mac OS X Leopard 10.5.2
- Previous by thread: Re: [Wireshark-users] Question
- Next by thread: [Wireshark-users] question
- Index(es):