Hoon

Reputation: 397

Sniffing SIP packet with Wireshark from another PC

I'm trying to sniff SIP packets between two PCs.

The network topology is just like this one (hope you don't mind some Korean). To explain the image: Client A is trying to call Client B through VoIP, and the Sniffer PC, connected to the same network through a dummy hub, is trying to sniff SIP packets using Wireshark. The call is successful between Client A and B using X-Lite, and from Client A and B the SIP packets can be sniffed with Wireshark, but when I try from another PC that is connected to the same network but not included in the call, Wireshark doesn't show SIP or RTP packets. How can I sniff the SIP packets of two communicating PCs from another PC?

Upvotes: 0

Views: 1463

Answers (2)

nnovich-OK

Reputation: 3153

According to the scheme, client A and B are connected using L2 switch(es), and the sniffing PC is connected to the same L2 segment via a hub. An L2 switch forwards packets directly to the destination based on MAC address, so other devices connected to the same L2 switch don't receive a copy of the packet; therefore sniffing fails.

You can fix this in two ways:

  1. Plug client A or client B directly into the same hub as the sniffing PC.
  2. Set up port mirroring on the L2 switch, explicitly instructing it to forward all necessary packets to the port used by the sniffing PC. In this case, the hub isn't needed.

There is a detailed tutorial on these and other ways to set up capture, with very helpful pictures.

Upvotes: 1

dnarsay

Reputation: 71

Wireshark on your PC will capture the packets that are seen by its network interface.

Is your topology with the dummy hub not mirroring the packets between A and B to the PC?

Here are some alternate solutions:

1. For an MS Windows PC, you can use RPCAP to remotely capture the packets, as described here.
It requires RPCAP running on those servers, though.

https://www.wireshark.org/docs/wsug_html_chunked/ChCapInterfaceRemoteSection.html

2. If you want to remotely capture the traffic of a Linux server, and you have the privilege to run tcpdump, you can install plink.exe on your Windows PC
(it is part of the PuTTY bundle) and run:

    plink.exe -ssh -pw "your passwd" root@ip "tcpdump -ni eth0 -s 0 -w - not port 22" | "path to local wireshark.exe" -k -i -

3. An alternative to #2, for a sudo user: create a named pipe and run tcpdump on that server, while plink will only "cat" the pipe data.

    # on the Linux server: create the pipe and write the capture into it
    mkfifo /tmp/test.fifo
    chmod +r /tmp/test.fifo
    sudo tcpdump -i eth0 -w /tmp/test.fifo -s 0

    # on the Windows PC: read the pipe over SSH and feed it to Wireshark
    plink.exe -ssh -pw "passwd" user@ip "cat /tmp/test.fifo" | "path to local wireshark.exe" -k -i -

Upvotes: 0
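What Wireshark reads from that pipe (or from a mirrored switch port) is a pcap stream. As an added example, not code from either answer, here is a small Python decoder that walks a pcap, picks out SIP messages by content rather than by port, and reports the Call-ID and the SDP media port (the port the RTP stream should appear on). It is useful for confirming that a capture really contains the call when Wireshark's SIP dissector, which keys on port 5060 by default, only shows plain UDP. The capture bytes, the 192.0.2.x addresses, the Call-ID and the MAC addresses are all constructed inside the script, so it runs offline with the standard library only.

```python
"""Walk a pcap file, find SIP messages, report Call-ID and SDP media port.
Added example; the sample capture below is constructed, not a real trace."""
import socket
import struct


def _ip_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + IPv4 + UDP around payload (UDP checksum left at 0 = none)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"  # constructed MACs
    return eth + ip_hdr + udp


def build_pcap(frames, linktype=1):
    """Classic libpcap layout: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_udp(pcap: bytes):
    """Yield (src_ip, dst_ip, sport, dport, payload) for every IPv4/UDP frame."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ip_off = 14
        if frame[ip_off + 9] != 17:
            continue                                   # not UDP
        ihl = (frame[ip_off] & 0x0F) * 4
        src = socket.inet_ntoa(frame[ip_off + 12: ip_off + 16])
        dst = socket.inet_ntoa(frame[ip_off + 16: ip_off + 20])
        udp_off = ip_off + ihl
        sport, dport, ulen = struct.unpack_from("!HHH", frame, udp_off)
        yield src, dst, sport, dport, frame[udp_off + 8: udp_off + ulen]


def parse_sip(payload: bytes):
    """Return a summary dict if payload is a SIP request or response, else None.
    Detection is by the start line, not the port, so SIP on an unusual port is still found."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return None                                    # binary payload (e.g. RTP audio)
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start = lines[0]
    if not (start.startswith("SIP/2.0 ") or start.endswith(" SIP/2.0")):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    # SDP "m=audio 49170 RTP/AVP 0" -> 49170 is where the RTP stream will show up
    media_ports = [int(l.split()[1]) for l in body.split("\r\n")
                   if l.startswith("m=") and len(l.split()) > 1]
    return {"start_line": start, "call_id": headers.get("call-id"),
            "from": headers.get("from"), "to": headers.get("to"), "media_ports": media_ports}


def find_sip(pcap: bytes):
    """All SIP messages in the capture, each tagged with its addresses and ports."""
    found = []
    for src, dst, sport, dport, payload in iter_udp(pcap):
        info = parse_sip(payload)
        if info:
            info.update(src=src, dst=dst, sport=sport, dport=dport)
            found.append(info)
    return found


# --- constructed sample capture: INVITE with SDP, a 100 Trying on a non-standard port, one RTP-like packet
SDP = ("v=0\r\no=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\ns=-\r\n"
       "c=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
INVITE = ("INVITE sip:bob@192.0.2.20 SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
          "From: Alice <sip:alice@192.0.2.10>;tag=1928301774\r\n"
          "To: Bob <sip:bob@192.0.2.20>\r\n"
          "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
          "CSeq: 314159 INVITE\r\nContent-Type: application/sdp\r\n"
          f"Content-Length: {len(SDP)}\r\n\r\n" + SDP).encode()
TRYING = b"SIP/2.0 100 Trying\r\nCall-ID: a84b4c76e66710@192.0.2.10\r\nContent-Length: 0\r\n\r\n"
RTP_LIKE = bytes([0x80, 0x00, 0x00, 0x01]) + b"\x00" * 12 + b"\xff" * 20
SAMPLE_PCAP = build_pcap([
    build_udp_frame("192.0.2.10", "192.0.2.20", 5060, 5060, INVITE),
    build_udp_frame("192.0.2.20", "192.0.2.10", 5060, 5080, TRYING),    # Wireshark would show this as plain UDP
    build_udp_frame("192.0.2.10", "192.0.2.20", 50000, 49170, RTP_LIKE),
])

if __name__ == "__main__":
    for c in find_sip(SAMPLE_PCAP):
        print(f"{c['src']}:{c['sport']} -> {c['dst']}:{c['dport']}  {c['start_line']}  "
              f"Call-ID={c['call_id']}  media={c['media_ports']}")
```

To run it against a real capture, replace `SAMPLE_PCAP` with the bytes of a file written by `tcpdump -w`; if `find_sip` returns nothing for a capture taken on the sniffing PC, the frames never reached its interface, which is the topology problem the first answer describes, not a dissector problem.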
