Wireshark-users: Re: [Wireshark-users] Sniffer for VoIP
From: miguel olivares varela <klica_sk8@xxxxxxxxxxx>
Date: Thu, 23 Oct 2008 04:49:57 -0700
Hi Nivaldo, Could you share your script in Perl?
Thanks
> From: wireshark-users-request@xxxxxxxxxxxxx
> Subject: Wireshark-users Digest, Vol 29, Issue 38
> To: wireshark-users@xxxxxxxxxxxxx
> Date: Wed, 22 Oct 2008 23:55:49 -0700
>
> Send Wireshark-users mailing list submissions to
> wireshark-users@xxxxxxxxxxxxx
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://wireshark.org/mailman/listinfo/wireshark-users
> or, via email, send a message with subject or body 'help' to
> wireshark-users-request@xxxxxxxxxxxxx
>
> You can reach the person managing the list at
> wireshark-users-owner@xxxxxxxxxxxxx
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Wireshark-users digest..."
>
> Today's Topics:
>
> 1. Re: Sniffer for VoIP ( Nivaldo Júnior )
> 2. T.38 Malformed packet? (Cedric.Pillonel@xxxxxxxxxxxx)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 22 Oct 2008 16:04:48 -0300
> From: " Nivaldo Júnior " <nivaldomjunior@xxxxxxxxx>
> Subject: Re: [Wireshark-users] Sniffer for VoIP
> To: "Community support list for Wireshark"
> <wireshark-users@xxxxxxxxxxxxx>
> Message-ID:
> <d6d233560810221204w530d16cby249a5a039fdf94b@xxxxxxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi,
>
> Ok thank you! I'm using rtpbreak and developed a Perl script to
> generate the audios on demand. It's working.
>
> 2008/10/22 miguel olivares varela <klica_sk8@xxxxxxxxxxx>:
> >
> > You can use rtpbreak, it works really nice but it's only for Linux. I'm not
> > sure that you can use tshark in order to generate all the audios.
> >
> >> From: wireshark-users-request@xxxxxxxxxxxxx
> >> Subject: Wireshark-users Digest, Vol 29, Issue 34
> >> To: wireshark-users@xxxxxxxxxxxxx
> >> Date: Wed, 22 Oct 2008 05:37:31 -0700
> >>
> >> Send Wireshark-users mailing list submissions to
> >> wireshark-users@xxxxxxxxxxxxx
> >>
> >> To subscribe or unsubscribe via the World Wide Web, visit
> >> https://wireshark.org/mailman/listinfo/wireshark-users
> >> or, via email, send a message with subject or body 'help' to
> >> wireshark-users-request@xxxxxxxxxxxxx
> >>
> >> You can reach the person managing the list at
> >> wireshark-users-owner@xxxxxxxxxxxxx
> >>
> >> When replying, please edit your Subject line so it is more specific
> >> than "Re: Contents of Wireshark-users digest..."
> >>
> >> Today's Topics:
> >>
> >> 1. Re: Sniffer for VoIP (j.snelders@xxxxxxxxxx)
> >> 2. Re: Can Wireshark query the captured data? (j.snelders@xxxxxxxxxx)
> >> 3. Re: Wireshark-users Digest, Vol 29, Issue 33 ( ??? )
> >> 4. Leopard and AirPort, only my own packets (Marco De Vitis)
> >> 5. Re: Leopard and AirPort, only my own packets (Guy Harris)
> >> 6. Re: Leopard and AirPort, only my own packets (Marco De Vitis)
> >>
> >> ----------------------------------------------------------------------
> >>
> >> Message: 1
> >> Date: Tue, 21 Oct 2008 21:09:48 +0200
> >> From: j.snelders@xxxxxxxxxx
> >> Subject: Re: [Wireshark-users] Sniffer for VoIP
> >> To: wireshark-users@xxxxxxxxxxxxx
> >> Message-ID: <481B206B00090D17@xxxxxxxxxxxxxxxxxxxxxxxxxx>
> >> Content-Type: text/plain; charset="US-ASCII"
> >>
> >> Hi Nivaldo
> >>
> >> You can use Tshark, the command-line tool.
> >> Or take a look at message d.d. Date: Sun, 19 Oct 2008 10:09:46 +0200
> >> Wireshark-users: Re: [Wireshark-users] Running Wireshark as windows
> >> service
> >>
> >> Grtz
> >> Joan
> >>
> >> On Tue, 21 Oct 2008 10:15:45 -0300 Nivaldo Júnior wrote:
> >> > I need a sniffer for VoIP. I'm testing VoIPong but some calls are not
> >> > detected. I tested with Wireshark and all calls are detected and I can
> >> > generate the waves, but I need a command line system to be running in
> >> > background and generating all audios.
> >> > I have some resources for this project, so if someone knows how to do
> >> > that, please contact me as soon as possible.
> >> > My MSN is junior@xxxxxxxxxxxxxx and my Skype is nivaldomjunior.
> >>
> >> ------------------------------
> >>
> >> Message: 2
> >> Date: Tue, 21 Oct 2008 21:15:42 +0200
> >> From: j.snelders@xxxxxxxxxx
> >> Subject: Re: [Wireshark-users] Can Wireshark query the captured data?
> >> To: wireshark-users@xxxxxxxxxxxxx
> >> Message-ID: <481B206B00090D32@xxxxxxxxxxxxxxxxxxxxxxxxxx>
> >> Content-Type: text/plain; charset="US-ASCII"
> >>
> >> Hi Abdu,
> >>
> >> You'll find a lot of useful information in the user guide:
> >> http://www.wireshark.org/docs/wsug_html/
> >>
> >> In a nutshell...
> >> Add a column to display the packet length (bytes)
> >> Edit - Preferences - User interface - Columns
> >> Select : New
> >> Properties:
> >> Title: change the title to Length
> >> Format: select Packet length (bytes)
> >> Apply - OK
> >>
> >> Use capture and/or display filters.
> >> http://wiki.wireshark.org/CaptureFilters
> >> http://wiki.wireshark.org/DisplayFilters
> >>
> >> You can use a capture filter to capture only http traffic
> >> Capture - Option - Capture filter
> >> select: Filter name: HTTP TCP port (80) Filter string: tcp port http
> >>
> >> You can use filters to capture traffic to/from specific host:
> >> capture filter:
> >> to/from: host 192.168.100.44
> >> to: dst host 192.168.100.44
> >> from: src host 192.168.100.44
> >>
> >> display filter:
> >> to/from : ip.addr == 192.168.100.44
> >> to : ip.dst == 192.168.100.44
> >> from : ip.src == 192.168.100.44
> >>
> >> While capturing you for instance can look at:
> >> Analyze - Expert Info Composite
> >> Statistics - Conversations
> >>
> >> In the "Conversations Window" you can right-click on an
> >> interesting conversation to apply a filter.
> >>
> >> Hope this helps
> >> Joan
> >>
> >> On Tue, 21 Oct 2008 00:03:21 +0000 abdu bukres wrote:
> >> > I have been using Wireshark in a simple usage looking at the data.
> >> >
> >> > Can Wireshark be used to query the data a bit like SQL, something like:
> >> > List the top 10 ip addresses which caused the most number
> >> > of hits or tcp traffic during the last 10 minutes?
> >> >
> >> > I don't know if Wireshark can capture number of bytes sent
> >> > out in http responses, so can it list which ip addresses are causing
> >> > a lot of outbound traffic?
> >> >
> >> > I would like to query the data captured by Wireshark and
> >> > query it like a database.
> >> >
> >> > Simple examples can get me going fast.
> >> >
> >> > If Wireshark can't do it, any ideas for other sniffers?
> >>
> >> ------------------------------
> >>
> >> Message: 3
> >> Date: Wed, 22 Oct 2008 08:59:32 +0800
> >> From: " ??? " <cduter@xxxxxx>
> >> Subject: Re: [Wireshark-users] Wireshark-users Digest, Vol 29, Issue
> >> 33
> >> To: wireshark-users@xxxxxxxxxxxxx
> >> Message-ID: <20081022010543.5B79C476BB@xxxxxxxxxxxxxxxxxx>
> >> Content-Type: text/plain; charset="gb2312"
> >>
> >> wireshark-users-request,???
> >>
> >> Good idea! The Wireshark can capture the data and store it in the
> >> database, good, good. But I think that Wireshark can do it right now; I am
> >> writing a C program to analyze the pcap files, it can get the detail data
> >> and store them in the databases, which lets me find the top IP :)
> >>
> >> ???
> >> cduter@xxxxxx
> >> 2008-10-22
> >>
> >> ======= 2008-10-22 03:00 12:00:05 ???????: Wireshark-users Digest, Vol 29,
> >> Issue 33=======
> >>
> >> Send Wireshark-users mailing list submissions to
> >> wireshark-users@xxxxxxxxxxxxx
> >>
> >> To subscribe or unsubscribe via the World Wide Web, visit
> >> https://wireshark.org/mailman/listinfo/wireshark-users
> >> or, via email, send a message with subject or body 'help' to
> >> wireshark-users-request@xxxxxxxxxxxxx
> >>
> >> You can reach the person managing the list at
> >> wireshark-users-owner@xxxxxxxxxxxxx
> >>
> >> When replying, please edit your Subject line so it is more specific
> >> than "Re: Contents of Wireshark-users digest..."
> >>
> >> Today's Topics:
> >>
> >> 1. Re: Can Wireshark query the captured data? (Breno Jacinto)
> >> 2. Sniffer for VoIP ( Nivaldo Júnior )
> >>
> >> ----------------------------------------------------------------------
> >>
> >> Message: 1
> >> Date: Mon, 20 Oct 2008 21:30:36 -0300
> >> From: "Breno Jacinto"
> >> Subject: Re: [Wireshark-users] Can Wireshark query the captured data?
> >> To: "Community support list for Wireshark"
> >>
> >> Message-ID:
> >> <2ced936d0810201730o6f4b3c68off637e5fc0338456@xxxxxxxxxxxxxx>
> >> Content-Type: text/plain; charset=WINDOWS-1252
> >>
> >> Hello,
> >>
> >> I was just skimming through all the documentation available at
> >> http://www.wireshark.org/bibliography.html, and I think the
> >> video-article "Advanced I/O Graphing" may be of interest to you. Take a
> >> look at http://novellevents.novell.com/t/2261821/56771533/6387/0/
> >>
> >> best regards,
> >>
> >> 2008/10/20 abdu bukres :
> >> >
> >> > I have been using Wireshark in a simple usage looking at the data.
> >> >
> >> > Can Wireshark be used to query the data a bit like SQL, something like:
> >> >
> >> > List the top 10 ip addresses which caused the most number of hits or tcp
> >> > traffic during the last 10 minutes?
> >> >
> >> > I don't know if Wireshark can capture number of bytes sent out in http
> >> > responses, so can it list which ip addresses are causing a lot of
> >> > outbound
> >> > traffic?
> >> >
> >> > I would like to query the data captured by Wireshark and query it like a
> >> > database.
> >> >
> >> > Simple examples can get me going fast.
> >> >
> >> > If Wireshark can't do it, any ideas for other sniffers?
> >> >
> >> > Thanks.
> >> >
> >> > Abdu
> >> >
> >> > ________________________________
> >> > When your life is on the go?take your life with you. Try Windows
> >> > Mobile(R)
> >> > today
> >> > _______________________________________________
> >> > Wireshark-users mailing list
> >> > Wireshark-users@xxxxxxxxxxxxx
> >> > https://wireshark.org/mailman/listinfo/wireshark-users
> >> >
> >>
> >> --
> >> --
> >> :: Breno Jacinto ::
> >> :: breno - at - gprt.ufpe.br ::
> >> :: FingerPrint ::
> >> 2F15 8A61 F566 E442 8581
> >> E3C0 EFF4 E202 74B7 7484
> >> :: Persisting in what is difficult is the only way to make it easy someday. ::
> >>
> >> ------------------------------
> >>
> >> Message: 2
> >> Date: Tue, 21 Oct 2008 10:15:45 -0300
> >> From: " Nivaldo Júnior "
> >> Subject: [Wireshark-users] Sniffer for VoIP
> >> To: wireshark-users@xxxxxxxxxxxxx
> >> Message-ID:
> >>
> >> Content-Type: text/plain; charset=ISO-8859-1
> >>
> >> Hi all,
> >>
> >> I need a sniffer for VoIP. I'm testing VoIPong but some calls are not
> >> detected. I tested with Wireshark and all calls are detected and I can
> >> generate the waves, but I need a command line system to be running in
> >> background and generating all audios.
> >> I have some resources for this project, so if someone knows how to do
> >> that, please contact me as soon as possible.
> >> My MSN is junior@xxxxxxxxxxxxxx and my Skype is nivaldomjunior.
> >>
> >> Regards,
> >>
> >> --
> >> Nivaldo Júnior
> >> nivaldomjunior@xxxxxxxxx
> >>
> >> ------------------------------
> >>
> >> _______________________________________________
> >> Wireshark-users mailing list
> >> Wireshark-users@xxxxxxxxxxxxx
> >> https://wireshark.org/mailman/listinfo/wireshark-users
> >>
> >> End of Wireshark-users Digest, Vol 29, Issue 33
> >> ***********************************************
> >>
> >> .
> >>
> >> = = = = = = = = = = = = = = = = = = = =
> >> -------------- next part --------------
> >> An HTML attachment was scrubbed...
> >> URL:
> >> http://www.wireshark.org/lists/wireshark-users/attachments/20081022/201a2ad4/attachment.htm
> >>
> >> ------------------------------
> >>
> >> Message: 4
> >> Date: Wed, 22 Oct 2008 00:52:36 +0200
> >> From: Marco De Vitis <starless@xxxxxxx>
> >> Subject: [Wireshark-users] Leopard and AirPort, only my own packets
> >> To: wireshark-users@xxxxxxxxxxxxx
> >> Message-ID: <gdlmfk$nht$1@xxxxxxxxxxxxx>
> >> Content-Type: text/plain; charset=ISO-8859-15; format=flowed
> >>
> >> Hi,
> >> I'm doing some tests on my own wifi network, which is protected using
> >> WPA Personal.
> >>
> >> I have a Windows notebook and a MacBook running OSX 10.5.5. I want to
> >> try running Wireshark on the MacBook for sniffing traffic happening from
> >> the Win machine.
> >>
> >> I connect both machines to the network, then start Wireshark on the Mac
> >> (the binary download for Intel machines on the official Wireshark web
> >> site, installed as the docs recommend), start capturing in promiscuous
> >> mode, and then try doing something on the Win machine, like browsing the
> >> web or downloading mail, but this activity is not logged: I can only see
> >> traffic from the MacBook itself.
> >>
> >> I've read related docs in the wiki a couple of times, and I'm a bit
> >> confused now. As far as I understand, it should all work fine with my
> >> setup. Am I wrong? Am I missing anything?
> >>
> >> Thanks.
> >>
> >> --
> >> Ciao,
> >> Marco.
> >>
> >> ------------------------------
> >>
> >> Message: 5
> >> Date: Wed, 22 Oct 2008 01:54:21 -0700
> >> From: Guy Harris <guy@xxxxxxxxxxxx>
> >> Subject: Re: [Wireshark-users] Leopard and AirPort, only my own
> >> packets
> >> To: Community support list for Wireshark
> >> <wireshark-users@xxxxxxxxxxxxx>
> >> Message-ID: <E3F38D3F-57B3-4457-A9DA-029B25A9842D@xxxxxxxxxxxx>
> >> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
> >>
> >> On Oct 21, 2008, at 3:52 PM, Marco De Vitis wrote:
> >>
> >> > I'm doing some tests on my own wifi network, which is protected using
> >> > WPA Personal.
> >> >
> >> > I have a Windows notebook and a MacBook running OSX 10.5.5. I want to
> >> > try running Wireshark on the MacBook for sniffing traffic happening
> >> > from
> >> > the Win machine.
> >>
> >> It might be that the AirPort adapter on your MacBook will only capture
> >> traffic from other machines on your network when in monitor mode (on
> >> Leopard, to go into monitor mode you currently have to select a "link-
> >> layer header type" other than Ethernet), even in promiscuous mode. I
> >> think some (perhaps all) wireless adapters will not actually work
> >> promiscuously on protected networks as they can't decrypt traffic to
> >> or from other machines; they'll capture the traffic in monitor mode,
> >> but, in order to see that traffic decrypted, you'll need to provide
> >> the password for the network *and* capture the initial setup:
> >>
> >> http://wiki.wireshark.org/HowToDecrypt802.11
> >>
> >> ------------------------------
> >>
> >> Message: 6
> >> Date: Wed, 22 Oct 2008 14:37:15 +0200
> >> From: Marco De Vitis <starless@xxxxxxx>
> >> Subject: Re: [Wireshark-users] Leopard and AirPort, only my own
> >> packets
> >> To: wireshark-users@xxxxxxxxxxxxx
> >> Message-ID: <gdn6pr$sng$1@xxxxxxxxxxxxx>
> >> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> >>
> >> On 22-10-2008 10:54, Guy Harris wrote:
> >>
> >> > Leopard, to go into monitor mode you currently have to select a "link-
> >> > layer header type" other than Ethernet), even in promiscuous mode. I
> >>
> >> Indeed, I tried the other two link-layer header types available, "IEEE
> >> 802.11 Wireless LAN" and "IEEE 802.11 plus AVS WLAN header", but I
> >> couldn't interpret the results: it appeared that some data packets were
> >> captured, but they seemed to be encrypted or something.
> >>
> >> > or from other machines; they'll capture the traffic in monitor mode,
> >> > but, in order to see that traffic decrypted, you'll need to provide
> >> > the password for the network *and* capture the initial setup:
> >> >
> >> > http://wiki.wireshark.org/HowToDecrypt802.11
> >>
> >> Ah, thanks, I missed this. I actually wondered if the captured traffic
> >> was encrypted or not (see above), but didn't see mentions of this aspect
> >> in the wiki (http://wiki.wireshark.org/CaptureSetup/WLAN).
> >> I'll try when I get back home.
> >>
> >> --
> >> Ciao,
> >> Marco.
> >>
> >> ------------------------------
> >>
> >> _______________________________________________
> >> Wireshark-users mailing list
> >> Wireshark-users@xxxxxxxxxxxxx
> >> https://wireshark.org/mailman/listinfo/wireshark-users
> >>
> >> End of Wireshark-users Digest, Vol 29, Issue 34
> >> ***********************************************
> >
> > ________________________________
> > Discover the new Windows Vista Learn more!
> > _______________________________________________
> > Wireshark-users mailing list
> > Wireshark-users@xxxxxxxxxxxxx
> > https://wireshark.org/mailman/listinfo/wireshark-users
> >
>
> --
> Nivaldo Júnior
> nivaldomjunior@xxxxxxxxx
>
> ------------------------------
>
> Message: 2
> Date: Thu, 23 Oct 2008 08:55:07 +0200
> From: <Cedric.Pillonel@xxxxxxxxxxxx>
> Subject: [Wireshark-users] T.38 Malformed packet?
> To: <wireshark-users@xxxxxxxxxxxxx>
> Message-ID:
> <B0EAD8480967BB4B82EB443A6006EE6A43B7FD53@xxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
>
> Wireshark tells me that some T.38 packets are malformed and I don't see why (perhaps a bug?).
> Have a look at the attached trace, for example frames 483, 485, 507, 508, 509.
>
> I have Wireshark 1.0.3 running on RedHat Linux 4, libpcap 0.8.3. I have the same problem on Windows XP with Wireshark 1.0.2, WinPCap 4.0.2.
>
> I have tried to decode such a packet myself but I am not a PER expert:
>
> Frame 1985 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: Netopia_4b:d8:6c (00:0f:cc:4b:d8:6c), Dst: NmsCommu_32:2a:70 (00:20:22:32:2a:70)
> Internet Protocol, Src: 196-130-186-195.bluewin.ch (195.186.130.196), Dst: 192.168.1.26 (192.168.1.26)
> User Datagram Protocol, Src Port: 60498 (60498), Dst Port: commtact-http (20002)
>     Source port: 60498 (60498)
>     Destination port: commtact-http (20002)
>     Length: 26
>     Checksum: 0xacbd [correct]
>         [Good Checksum: True]
>         [Bad Checksum: False]
> ITU-T Recommendation T.38
>     [Stream setup by SDP (frame 1963)]
>     UDPTLPacket
>         seq-number: 2
>         primary-ifp-packet
>             type-of-msg: t30-data (1)
>                 t30-data: v21 (0)
>             data-field: 1 item
>                 Item 0
>                     Item
>                         field-type: hdlc-data (0)
>                         field-data: FF
>                         Reassembled in: 2008
>         error-recovery: secondary-ifp-packets (0)
>             secondary-ifp-packets: 3 items
>                 Item 0
>                     Item
>                         type-of-msg: t30-indicator (0)
>                             t30-indicator: v21-preamble (3)
>                 Item 1
>                     Item
>                         type-of-msg: t30-indicator (0)
>                             t30-indicator: no-signal (0)
>                 Item 2
>                     Item
>                         type-of-msg: t30-indicator (0)
>                             t30-indicator: no-signal (0)
> [MALFORMED PACKET or wrong preference settings]
>
> 0000 00 20 22 32 2a 70 00 0f cc 4b d8 6c 08 00 45 28 . "2*p...K.l..E(
> 0010 00 2e 00 00 40 00 fa 11 78 55 c3 ba 82 c4 c0 a8 ....@...xU......
> 0020 01 1a ec 52 4e 22 00 1a ac bd 00 02 06 c0 01 80 ...RN"..........
> 0030 00 00 ff 00 03 01 06 01 00 01 00 00 ............
>
> UDPTL
> 00
> 02 sequence number = 2 (coded on 2 octets, range of 64K)
> 06 ???
> c0 1100 0000
>     first bit 1 = optional data-field is present
>     second bit 1 = choice 1 (t30-data)
>     4 bits 0 = enumerated value 0 (v21)
>     4 bits 0 = padding
> 01 1 element in sequence of sequence (data-field)
> 80 first bit 1 = field-data is present, 3 next bits 0 = hdlc-data, other bits = padding
> 00
> 00 length = 1, constrained whole number coded on 2 octets (n-1 = 0)
> ff data
> 00 first bit 0 = choice secondary-ifp-packets, other bits = padding
> 03 semi-constrained whole number, number of elements in sequence of = 3
> 01 ???
> 06 ???
> 01 ???
> 00 ???
> 01 ???
> 00 ???
> 00 ???
>
> Can someone help me? Is that a bug or what's wrong with that T.38 packet?
>
> Thank you.
>
> Cédric Pillonel
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: t38_small.pcap
> Type: application/octet-stream
> Size: 120880 bytes
> Desc: t38_small.pcap
> Url : http://www.wireshark.org/lists/wireshark-users/attachments/20081023/668736aa/attachment.obj
>
> ------------------------------
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-users
>
> End of Wireshark-users Digest, Vol 29, Issue 38
> ***********************************************

Get news, entertainment and everything you care about at Live.com. Check it out!
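The hand decode in the quoted T.38 message marks several octets "???"; the sketch below walks the UDPTL framing (sequence number, length-prefixed primary IFP packet, then length-prefixed secondary packets) over those same bytes and refuses any length field that overruns the payload. It is an added example, not part of the thread or of Wireshark: the function names are hypothetical, the payload is the 18 UDP payload octets copied from the quoted hex dump, and it assumes the aligned-PER length determinant used by UDPTL.

```python
# Added example (not from the thread): walk the UDPTL framing of the quoted
# T.38 frame. Function names are hypothetical.

# The 18 UDP payload octets, copied from the hex dump in the quoted message.
PAYLOAD = bytes.fromhex("0002 06 c001800000ff 00 03 0106 0100 0100 00")


def read_length(buf, pos):
    """Decode an aligned-PER length determinant; return (length, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated before length determinant")
    first = buf[pos]
    if first & 0x80 == 0:                  # 0xxxxxxx: length 0..127
        return first, pos + 1
    if first & 0x40 == 0:                  # 10xxxxxx xxxxxxxx: up to 16383
        if pos + 1 >= len(buf):
            raise ValueError("truncated two-octet length")
        return ((first & 0x3F) << 8) | buf[pos + 1], pos + 2
    raise ValueError("fragmented length (11xxxxxx) not handled in this sketch")


def read_open_type(buf, pos):
    """Read one length-prefixed IFP packet, rejecting lengths that overrun."""
    length, pos = read_length(buf, pos)
    if pos + length > len(buf):
        raise ValueError(f"length {length} at offset {pos} overruns payload")
    return buf[pos:pos + length], pos + length


def parse_udptl(buf):
    """Split a UDPTL payload into seq, primary IFP, secondaries, leftovers."""
    if len(buf) < 2:
        raise ValueError("too short for seq-number")
    out = {"seq": int.from_bytes(buf[:2], "big")}
    out["primary"], pos = read_open_type(buf, 2)
    if pos >= len(buf):
        raise ValueError("missing error-recovery choice")
    if buf[pos] & 0x80:                    # choice bit 1: fec-info
        out.update(recovery="fec-info", secondary=None,
                   trailing=buf[pos + 1:])  # FEC body left undecoded
        return out
    count, pos = read_length(buf, pos + 1)  # choice bit 0, rest is padding
    packets = []
    for _ in range(count):
        pkt, pos = read_open_type(buf, pos)
        packets.append(pkt)
    out.update(recovery="secondary-ifp-packets", secondary=packets,
               trailing=buf[pos:])          # octets after the last element
    return out


if __name__ == "__main__":
    for key, value in parse_udptl(PAYLOAD).items():
        print(key, value.hex() if isinstance(value, bytes) else value)
```

On the quoted bytes this gives seq-number 2, a 6-octet primary IFP packet and three 1-octet secondary packets, which agrees with the item counts in the quoted dissection, and it reports one octet left after the third secondary packet.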