Tuesday, January 18, 2011

VoIP Ethereal Live Call Traces

Trace live VoIP calls using Ethereal (tethereal).

Note: the command and the filter field names are case sensitive.

  • tethereal -R 'sip contains "9199999999"'
The output would be like this:
Capturing on e1000g0
  3.591249 220.225.63.37 -> 292.168.15.16 SIP/SDP Request: INVITE sip:9199999999@292.168.15.16, with session description
  3.593426 292.168.15.16 -> 220.225.63.37 SIP Status: 100 Trying
  3.598371 292.168.15.16 -> 208.185.196.165 SIP/SDP Request: INVITE sip:38456819199999999@208.185.196.165, with session description
  3.599654 208.185.196.165 -> 292.168.15.16 SIP Status: 100 Trying
  8.066689 208.185.196.165 -> 292.168.15.16 SIP/SDP Status: 183 Session Progress, with session description
  8.071264 292.168.15.16 -> 220.225.63.37 SIP/SDP Status: 183 Session Progress, with session description
  9.640668 220.225.63.37 -> 292.168.15.16 SIP Request: CANCEL sip:9199999999@292.168.15.16
  9.643045 292.168.15.16 -> 220.225.63.37 SIP Status: 200 OK
  9.644570 292.168.15.16 -> 220.225.63.37 SIP Status: 487 Request Terminated
  9.649396 292.168.15.16 -> 208.185.196.165 SIP Request: CANCEL sip:38456819199999999@208.185.196.165
  9.651601 208.185.196.165 -> 292.168.15.16 SIP Status: 200 OK
  9.652366 208.185.196.165 -> 292.168.15.16 SIP Status: 487 transaction terminated
  9.658478 292.168.15.16 -> 208.185.196.165 SIP Request: ACK sip:38456819199999999@208.185.196.165
  9.890679 220.225.63.37 -> 292.168.15.16 SIP Request: ACK sip:9199999999@292.168.15.16
  • tethereal -R 'sip.To contains "9199999999"'
The output would be:
Capturing on e1000g0
  3.706289 220.225.63.37 -> 292.168.15.16 SIP/SDP Request: INVITE sip:9199999999@292.168.15.16, with session description
  3.709908 292.168.15.16 -> 220.225.63.37 SIP Status: 100 Trying
  3.716539 292.168.15.16 -> 208.185.196.165 SIP/SDP Request: INVITE sip:38456819199999999@208.185.196.165, with session description
  3.717916 208.185.196.165 -> 292.168.15.16 SIP Status: 100 Trying

  • Other SIP fields you can filter on in the same way include:
  1. sip.Alert-Info
  2. sip.From
  3. sip.Call-Info
  4. sip.Contact
  5. sip.Call-ID

    For more fields, see:

    http://www.linux-tutorial.info/modules.php?name=ManPage&sec=1&manpage=tethereal
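As an added example (not code from the post), the script below reads the one-line summaries that tethereal prints with the filters above and turns them into per-call-leg records: which side sent the INVITE, the requests and status codes seen on that leg, how long it rang before the CANCEL, and an outcome. The sample input is the first trace quoted in the post. It assumes only the summary format shown there; the summary view carries no Call-ID or CSeq header, so legs are keyed by the pair of IP addresses, and the script checks for the CANCEL/487 pattern before it would treat a bare "200 OK" as an answered call (in the summary view a 200 OK to the CANCEL and a 200 OK to the INVITE look the same).

```python
import re

# Sample input: the tethereal summary lines quoted in the post above (first trace).
SAMPLE_TRACE = """Capturing on e1000g0
  3.591249 220.225.63.37 -> 292.168.15.16 SIP/SDP Request: INVITE sip:9199999999@292.168.15.16, with session description
  3.593426 292.168.15.16 -> 220.225.63.37 SIP Status: 100 Trying
  3.598371 292.168.15.16 -> 208.185.196.165 SIP/SDP Request: INVITE sip:38456819199999999@208.185.196.165, with session description
  3.599654 208.185.196.165 -> 292.168.15.16 SIP Status: 100 Trying
  8.066689 208.185.196.165 -> 292.168.15.16 SIP/SDP Status: 183 Session Progress, with session description
  8.071264 292.168.15.16 -> 220.225.63.37 SIP/SDP Status: 183 Session Progress, with session description
  9.640668 220.225.63.37 -> 292.168.15.16 SIP Request: CANCEL sip:9199999999@292.168.15.16
  9.643045 292.168.15.16 -> 220.225.63.37 SIP Status: 200 OK
  9.644570 292.168.15.16 -> 220.225.63.37 SIP Status: 487 Request Terminated
  9.649396 292.168.15.16 -> 208.185.196.165 SIP Request: CANCEL sip:38456819199999999@208.185.196.165
  9.651601 208.185.196.165 -> 292.168.15.16 SIP Status: 200 OK
  9.652366 208.185.196.165 -> 292.168.15.16 SIP Status: 487 transaction terminated
  9.658478 292.168.15.16 -> 208.185.196.165 SIP Request: ACK sip:38456819199999999@208.185.196.165
  9.890679 220.225.63.37 -> 292.168.15.16 SIP Request: ACK sip:9199999999@292.168.15.16
"""

# One tethereal summary line: time, src -> dst, protocol column, then either
# "Request: METHOD uri" or "Status: CODE reason", optionally followed by the SDP note.
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+SIP(?:/SDP)?\s+"
    r"(?:Request:\s+(?P<method>[A-Z]+)\s+(?P<uri>[^\s,]+)"
    r"|Status:\s+(?P<code>\d{3})\s+(?P<reason>[^,]+?))"
    r"(?:,\s+with session description)?\s*$"
)


def parse_line(line):
    """Return a dict for one SIP summary line, or None for lines that are not SIP summaries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": float(d["ts"]), "src": d["src"], "dst": d["dst"],
        "method": d["method"], "uri": d["uri"],
        "code": int(d["code"]) if d["code"] else None, "reason": d["reason"],
    }


def classify(leg):
    """Outcome of a leg. No CSeq in the summary view, so CANCEL/487 is checked before 200."""
    if "CANCEL" in leg["requests"] and 487 in leg["statuses"]:
        return "cancelled"
    if any(code >= 400 for code in leg["statuses"]):
        return "failed"
    if 200 in leg["statuses"]:
        return "answered"
    return "in-progress"


def summarize_calls(text):
    """Group summary lines into call legs (keyed by the unordered IP pair) and classify each."""
    legs, order = {}, []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                      # e.g. the "Capturing on e1000g0" banner
        key = frozenset((ev["src"], ev["dst"]))
        if ev["method"] == "INVITE" and key not in legs:
            legs[key] = {
                "caller": ev["src"], "callee": ev["dst"], "callee_uri": ev["uri"],
                "invite_ts": ev["ts"], "cancel_ts": None, "last_ts": ev["ts"],
                "requests": [], "statuses": [],
            }
            order.append(key)
        leg = legs.get(key)
        if leg is None:
            continue                      # traffic for a pair with no INVITE seen yet
        leg["last_ts"] = ev["ts"]
        if ev["method"]:
            leg["requests"].append(ev["method"])
            if ev["method"] == "CANCEL" and leg["cancel_ts"] is None:
                leg["cancel_ts"] = ev["ts"]
        else:
            leg["statuses"].append(ev["code"])
    for key in order:
        leg = legs[key]
        leg["outcome"] = classify(leg)
        # Time from INVITE to CANCEL, i.e. how long the caller waited before giving up.
        leg["ring_seconds"] = (round(leg["cancel_ts"] - leg["invite_ts"], 6)
                               if leg["cancel_ts"] is not None else None)
    return [legs[k] for k in order]


if __name__ == "__main__":
    for leg in summarize_calls(SAMPLE_TRACE):
        print("%s -> %s  %s  statuses=%s  outcome=%s  ring=%ss" % (
            leg["caller"], leg["callee_uri"], "/".join(leg["requests"]),
            leg["statuses"], leg["outcome"], leg["ring_seconds"]))
```

On the post's trace this reports two legs (caller to the proxy at 292.168.15.16, and proxy to the far-end gateway), both cancelled after about six seconds of ringing. To get the real dialog identifiers instead of the IP-pair heuristic, capture to a file and add `-T fields -e sip.Call-ID -e sip.CSeq` to the tethereal/tshark command.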

Tuesday, January 11, 2011

How to see/analyze a very large file in Wireshark

A very large file can be analyzed by breaking it into smaller parts and then analyzing the smaller files.

To do so follow the below steps.

1. C:\Program Files\Wireshark>capinfos.exe largefile.pcap

This displays details about the file, such as the total number of packets, from which you can decide how many packets each smaller file should hold. For example, if the old file had 200000 packets and you want the new files to hold 50000 packets each, you will get 4 new smaller files.

2. Now create the smaller files from the old large file using the command
C:\Program Files\Wireshark>editcap.exe -c 50000 oldfile.pcap new_smallfile

It will create 4 new files of around 50000 packets each, which you can then open in Wireshark.



That's it. If you need to join those files again, use the Merge option of Wireshark.
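As an added example (not from the post and not Wireshark project code), here is a small pure-Python reimplementation of what the three steps above do for classic pcap files: count the packet records like capinfos, split the file into fixed-size chunks like `editcap -c N`, and merge the chunks back in timestamp order like Wireshark's Merge. It parses the 24-byte global header and the 16-byte per-record headers directly, handling both byte orders and both microsecond and nanosecond magics, and refuses truncated input instead of reading past the end of the buffer. The pcap it works on is constructed inside the script (dummy frames, not real traffic); pcapng files use a different block-based format and are not handled here.

```python
import struct

# Classic pcap magic numbers -> struct byte-order prefix used for the file's headers.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}
GLOBAL_HDR_LEN = 24   # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len


def byte_order(data):
    """Return the struct prefix for this pcap, or raise if the magic is unknown."""
    if data[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file (unknown magic)")
    return PCAP_MAGICS[data[:4]]


def iter_records(data):
    """Yield (ts_sec, ts_frac, raw_record) per packet, header included.

    Every length is checked against the buffer, so a truncated capture raises
    rather than being silently misread.
    """
    order = byte_order(data)
    off = GLOBAL_HDR_LEN
    while off < len(data):
        if off + RECORD_HDR_LEN > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            order + "IIII", data[off:off + RECORD_HDR_LEN])
        rec_end = off + RECORD_HDR_LEN + incl_len
        if rec_end > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        yield ts_sec, ts_frac, data[off:rec_end]
        off = rec_end


def count_packets(data):
    """The packet count that capinfos reports for the file."""
    return sum(1 for _ in iter_records(data))


def split_pcap(data, per_file):
    """What 'editcap -c N' does: a list of pcaps, each holding up to N packets."""
    if per_file < 1:
        raise ValueError("per_file must be positive")
    header = data[:GLOBAL_HDR_LEN]
    chunks, current = [], []
    for _sec, _frac, rec in iter_records(data):
        current.append(rec)
        if len(current) == per_file:
            chunks.append(header + b"".join(current))
            current = []
    if current:
        chunks.append(header + b"".join(current))
    return chunks


def merge_pcaps(parts):
    """Join several pcaps of the same link type, ordering records by timestamp."""
    header = parts[0][:GLOBAL_HDR_LEN]
    records = []
    for part in parts:
        if part[:4] != header[:4] or part[20:24] != header[20:24]:
            raise ValueError("cannot merge pcaps with different magic or link type")
        records.extend(iter_records(part))
    records.sort(key=lambda r: (r[0], r[1]))   # stable sort: ties keep input order
    return header + b"".join(rec for _, _, rec in records)


def build_sample_pcap(n_packets):
    """Constructed sample: n dummy Ethernet frames one second apart (not real traffic)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    records = []
    for i in range(n_packets):
        frame = b"\x00" * 14 + bytes([i % 256]) * 10     # 14-byte header + dummy payload
        records.append(struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame)
    return header + b"".join(records)


if __name__ == "__main__":
    big = build_sample_pcap(10)
    parts = split_pcap(big, 4)
    print("packets:", count_packets(big), "-> chunks:", [count_packets(p) for p in parts])
    print("merge restores the original:", merge_pcaps(parts[::-1]) == big)
```

To use it on a real file, read it with `open(path, "rb").read()` and write each element of `split_pcap(...)` to its own file. The truncation checks matter in practice: a capture cut off by a full disk or a killed tethereal usually ends mid-record, and it is better to see that error than to split or merge a file whose last packet is garbage.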