  • What is Wireshark? How to use it? Date: 20.01.2020 01:58
    Topic by networking in the forum networking


    In this article, I will introduce the Wireshark program and explain how it can be used to analyze SIP traffic in VoIP communication, pointing out the tricks and showing them with examples. For readers who do not need the technical detail, I will also show how calls can be listened to, to make the content a little more colorful. Listening to calls can be used from time to time to analyze audio problems.

    People who already know how to use Wireshark can go directly to the second heading, the SIP VoIP Traffic Analysis with Wireshark section.

    What is Wireshark? How to use it?

    Wireshark is a time-saving program that allows network traffic to be monitored through a graphical interface. Live network traffic can be monitored on the computer where the application is installed, or Wireshark can be used to examine previously recorded capture files.

    You can download Wireshark, which is free software, from http://www.wireshark.org/.

    When Wireshark is downloaded and installed on a Windows computer, an application named WinPcap is installed along with it. WinPcap is the program that captures the live Ethernet traffic of the computer on which it is installed. Wireshark uses the data from WinPcap to let you monitor and review Ethernet traffic through a graphical interface.

    Using Wireshark

    When the application is launched, a screen similar to the above will open. Here, the Ethernet cards detected on the computer are listed under the Start section. If one of these cards is selected and the Start button is clicked, the application starts to log the network traffic of that Ethernet card:

    Wireshark screen

    Here, the upper section shows the traffic as it flows: from which address to which address, when, and over which protocol the packets were sent. In the lower section, the contents of each packet can be examined layer by layer. (You may also see the contents of the packet as bytes in a third window at the bottom; I closed this section by clearing the Packet Bytes check box under View, because it does not work for me.)

    By entering filters in the Filter section, only the traffic of interest can be displayed. Filtering is very important because a capture often contains many packets unrelated to the traffic being examined, which clutters the view and makes investigation difficult. You can combine multiple filters with expressions such as and, or.

    Let's do a simple example analysis here and use Wireshark to see whether the DNS server is working properly.

    In Wireshark, I typed DNS into the Filter section so that only DNS traffic is displayed and no unnecessary traffic is shown, and I pressed Enter. Then, when I saw the log I wanted, I stopped the log acquisition by pressing the Stop button shown in red above:

    Wireshark DNS server

    The IP address of the computer on which I captured the relevant log is 192.168.76.133 and the DNS server's address is 192.168.76.133. I can see them in the traffic section in the Source and Destination columns. As far as I can see, my computer sends the DNS query to the DNS server, followed by a response from the DNS server. I can also see in the Info section that the IP address returned by the DNS server is 188.132.200.15.

    Here you might say that you could already check from the command line whether the IP address was resolved. However, in the problems you will encounter, queries may be made for different address types from different applications. Using Wireshark, we can see what is happening on the network in a similar way for all problems, that is, at the source.

    Source: SYSNETTECH Solutions
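
The DNS check described in the post, a query followed by a matching response, can also be done programmatically on captured DNS payloads. The following is an added example, not part of the original post: the function names and the example.com hostnames are hypothetical, the sample messages are constructed, and it assumes one question per message and pairs messages by DNS transaction ID only.

```python
import struct

def build_dns(txid, qname, answer_ip=None):
    """Build a minimal DNS message; used only to construct sample data."""
    flags = 0x8180 if answer_ip else 0x0100      # response/no error vs. standard query
    msg = struct.pack("!6H", txid, flags, 1, 1 if answer_ip else 0, 0, 0)
    for label in qname.split("."):
        msg += bytes([len(label)]) + label.encode()
    msg += b"\x00" + struct.pack("!2H", 1, 1)    # end of name, QTYPE=A, QCLASS=IN
    if answer_ip:                                # name pointer to offset 12, A, IN, TTL 60
        msg += struct.pack("!3HIH", 0xC00C, 1, 1, 60, 4) + bytes(map(int, answer_ip.split(".")))
    return msg

def read_name(msg, pos):
    """Return (labels, next_pos); a compression pointer ends the name."""
    labels = []
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:
            return labels, pos + 2
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return labels, pos + 1

def parse_dns(msg):
    """Parse header, the single question and any A records in the answer section."""
    txid, flags, _qdcount, ancount = struct.unpack("!4H", msg[:8])
    labels, pos = read_name(msg, 12)
    pos += 4                                     # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        _, pos = read_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!2HIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:            # A record: 4-byte IPv4 address
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return {"id": txid, "response": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "name": ".".join(labels), "addrs": addrs}

def match_queries(messages):
    """Pair responses to queries by transaction ID; return (answered, unanswered)."""
    pending, answered = {}, []
    for raw in messages:
        m = parse_dns(raw)
        if not m["response"]:
            pending[m["id"]] = m["name"]
        elif m["id"] in pending:
            answered.append((pending.pop(m["id"]), m["rcode"], m["addrs"]))
    return answered, sorted(pending.values())

# Constructed sample: one answered query, one query that never gets a response.
SAMPLE = [build_dns(0x1A2B, "www.example.com"),
          build_dns(0x1A2B, "www.example.com", "188.132.200.15"),
          build_dns(0x1A2C, "mail.example.com")]
```

A name left in the unanswered list, or an answered entry with a non-zero response code, is the programmatic equivalent of a query with no reply or an error reply in the filtered Wireshark view.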
