Wireshark-users: Re: [Wireshark-users] Question
From: "sandeep nitta" <sandeep.nitta@xxxxxxxxx>
Date: Thu, 4 Sep 2008 22:48:30 +0530
The first step is not that important, since it only helps you accumulate all the SIP-related data.
The media analysis part, which you want to do, is in step 2.
But then, the first step helps you in accumulating all the SIP-related data into one file.

So your script may look something like this (assuming that you are in a directory which contains many pcap traces):

j=1
for i in *.pcap
do
    # with -r the trailing expression is a display filter, so use display-filter
    # syntax (not the capture-filter form "port 5060"); -Y together with -w
    # writes only the matching packets
    tshark -r "$i" -Y 'udp.port == 5060 || tcp.port == 5060' -w /tmp/sip-$j.pcap
    j=$((j + 1))
done

# merge all the captures into a single capture file (mergecap does the merging;
# editcap only edits one file) and delete the per-file intermediates

mergecap -w final-sip.pcap /tmp/sip*.pcap
rm /tmp/sip*.pcap

# use the second filter to pull out all the media ports exchanged via SDP

mports=$(tshark -r final-sip.pcap -Y sdp.media.port -V | grep -w "Media Port" | awk -F ":" '{print $2}' | sort -u)

# and now for each port in $mports go back to step 1 and filter out all the
# traffic going to those ports, then use that for later analysis



If someone on the list knows a direct way of doing it, please let me know.

Thanks,
Sandeep Nitta
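An added example, not part of the original thread: the three steps Sandeep describes in the post above (SIP signalling out of many captures, merge, then the media ports from SDP) and the sdp.media.port trick from his 28 August reply, as one POSIX shell script. It assumes tshark and mergecap are on PATH; the directory and file names are hypothetical. Two details differ from the per-step commands in the thread: with -r, tshark takes the trailing expression as a display filter, so the filter is written in that syntax via -Y; and port-based extraction does not tell tshark that the payload is RTP, so the RTP heuristic preference is switched on before asking the rtp,streams tap for per-stream statistics (that tap, with -z sip,stat for the signalling side, is the nearest thing to a "direct way" in tshark).

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes tshark and mergecap are on
# PATH; directory and file names are hypothetical.

# Turn a whitespace/newline-separated list of SDP media ports into a tshark
# display filter. SDP announces the RTP port; RTCP conventionally sits on the
# next port up, so both are included. Duplicates are dropped and non-numeric
# input is skipped.
build_media_filter() {
    ports=$(printf '%s\n' $1 | sort -un)
    filter=""
    for p in $ports; do
        case "$p" in ''|*[!0-9]*) continue ;; esac
        term="udp.port == $p || udp.port == $((p + 1))"
        if [ -z "$filter" ]; then
            filter="$term"
        else
            filter="$filter || $term"
        fi
    done
    printf '%s\n' "$filter"
}

# Steps 1 and 2: SIP signalling from every capture in a directory into one
# file. Reading from a file (-r), tshark takes the trailing expression as a
# display filter, so the capture-filter form "port 5060" is rejected; -Y is
# the explicit form and, combined with -w, writes only matching packets.
# "sip" matches on the dissector, so SIP on non-default ports is kept too.
extract_sip() {
    dir=$1; out=$2
    tmp=$(mktemp -d) || return 1
    n=0
    for f in "$dir"/*.pcap; do
        [ -e "$f" ] || continue
        n=$((n + 1))
        tshark -r "$f" -Y 'sip' -w "$tmp/sip-$n.pcap"
    done
    [ "$n" -gt 0 ] || { rm -rf "$tmp"; return 1; }
    mergecap -w "$out" "$tmp"/sip-*.pcap
    rm -rf "$tmp"
}

# Step 3: media ports from the SDP bodies, then the RTP/RTCP on those ports.
# -T fields -e sdp.media.port prints the port directly (several m= lines in
# one packet come out comma-separated), which avoids grepping -V output.
extract_media() {
    dir=$1; sipfile=$2; out=$3
    ports=$(tshark -r "$sipfile" -Y 'sdp.media.port' -T fields -e sdp.media.port | tr ',' '\n')
    filter=$(build_media_filter "$ports")
    [ -n "$filter" ] || { echo "no media ports found in $sipfile" >&2; return 1; }
    tmp=$(mktemp -d) || return 1
    n=0
    for f in "$dir"/*.pcap; do
        [ -e "$f" ] || continue
        n=$((n + 1))
        tshark -r "$f" -Y "$filter" -w "$tmp/media-$n.pcap"
    done
    mergecap -w "$out" "$tmp"/media-*.pcap
    rm -rf "$tmp"
    # A port number alone does not make tshark decode the payload as RTP;
    # enable the RTP heuristic so the rtp,streams tap can report per-stream
    # packet loss and jitter, the media half of Wireshark's VoIP analysis.
    tshark -r "$out" -o rtp.heuristic_rtp:TRUE -q -z rtp,streams
}

# Usage: sh voip-extract.sh run /path/to/captures
if [ "${1:-}" = "run" ]; then
    extract_sip "${2:-.}" final-sip.pcap &&
        extract_media "${2:-.}" final-sip.pcap final-media.pcap
fi
```

The filter is built from every SDP body in the merged signalling file, so ports changed by a re-INVITE are picked up as well; media set up outside SDP (or carried over SRTP, which the heuristic cannot decode) is not.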

On Thu, Sep 4, 2008 at 9:25 PM, Terry Martin <tmartin@xxxxxxxxxxxxxxxx> wrote:

Sandeep


So I have to capture all the packets, then save the file, then apply the signaling filter (tshark -i x port 5060 -w <name of pcap that you want to analyze>), then write a script to save this data. Then apply another filter to get the SDP information on the same file (tshark -r sdp.media.port -V | grep -w "Media Port"), then write this to a file.


Is that the correct sequence of events required to do this?


Is there a way to cut down the number of steps? Can I apply both filters at the same time?


Terry Martin

TimeData Corporation

VP of Network Operation

work:     212-644-1600 X3

Cell:      503-318-8909



From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of sandeep nitta
Sent: Thursday, August 28, 2008 11:00 PM


To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Question


Terry, that again depends on what VoIP protocol you are analyzing.


For instance in SIP, media information is exchanged commonly over SDP (Session Description Protocol), which carries the port information over which the media is to be exchanged.

You can use the sdp.media.port filter in conjunction with -V to see which ports are being used for media transfer.


Something like:


tshark -r <pcap you want to read> sdp.media.port -V | grep -w "Media Port" (I don't know a better way to get the media ports)


You can use a small script to store these ports and supply the same to tshark to automate the process.


--

Sandeep Nitta




On Fri, Aug 29, 2008 at 12:17 AM, Terry Martin <tmartin@xxxxxxxxxxxxxxxx> wrote:

Thanks, that is a good start.


This gives me the signaling information, which I want. I also want the information over the media, which is usually on another port. Is there a way to identify that and collect it?


That is why I was trying to find a way to automate what is done in Wireshark, where it will analyse a VoIP call. I want to see if I can do that in tshark. Is that possible?


Terry Martin

TimeData Corporation

VP of Network Operation

work:     212-644-1600 X3

Cell:      503-318-8909



From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of sandeep nitta
Sent: Thursday, August 28, 2008 10:51 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Question


You need to identify which VoIP protocols are being used in your VoIP traffic.

Ex: SIP commonly uses port 5060 for UDP and 5061 for TCP

Similarly, once you identify which protocol is being used in your network and on which port it travels, you are ready to go ahead.


Say all your traffic goes over port 5060 on interface "x";

you can use the following filter:


tshark -i x port 5060 -w <name of pcap that you want to analyze>


You can look at the tshark man page to see what functionality the -z switch provides for further analysis of the captured trace file.


--

Sandeep Nitta





On Thu, Aug 28, 2008 at 9:15 PM, Terry Martin <tmartin@xxxxxxxxxxxxxxxx> wrote:

I am new to the list, but I am trying to understand how to collect VoIP traffic using tshark and generate reports similar to what you get when you use the VoIP analysis in Wireshark. Can anyone point me in the right direction to obtain that type of data? How do I set up the filters?


Thanks


Terry Martin

TimeData Corporation

VP of Network Operation

work:     212-644-1600 X3

Cell:      503-318-8909



_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users


