
Alta3 Research - Using Wireshark

This lab contains parts A, B, C, D, E and F. You should perform all sections to complete this lab. In Part A, you will decode and
listen to a pre-captured RTP stream by exporting it as a *.wav file from Wireshark for playback. In Part B, you will learn how to
play captured RTP natively in Wireshark. Part C shows how to set display filters. Part D teaches how to colorize packets by
protocol. Part E shows how to create VoIP flow charts. The final section, Part F, is all about applying your new skills to perform a live
Wireshark capture.

PART A – Export captured RTP to a *.wav file


1. On the Ubuntu desktop is a folder called: “wireshark_captures”.
• Double click this folder
• Double click the file called: “MGCP.cap”
• If Wireshark boots, you can skip to the next step. If you get an error message saying that the file is of unknown type,
then perform the following steps
o Click the <Select Applications> button
o At the bottom of the new window that opens is a small <+> button beside the text, “Use a Custom
Command”. Click the <+> button.
o In this text bar, type: wireshark <Enter>
o Wireshark will now boot
2. In Wireshark, you’ll notice three windows; spend some time examining each:
• Window 1 - Packet list (all of the captured packets are displayed here)
o Packet Number
o Time
o Source
o Destination
o Protocol
o Info
• Window 2 - Packet details (review packet details here)
• Window 3 - Packet bytes (hex)
3. In the Packet List window, identify the “No.” column, scroll down to packet, “No. 30” and single click it.
4. At the top of the Wireshark window, within the menu, click: Telephony > RTP > Stream Analysis
5. A new window will pop open, “Wireshark: RTP Stream analysis”, click: “Save Payload…”
6. Another new window will pop open, “Wireshark: Save Payload As…”, make the following selections
• Name: test.wav
• Save in folder: student (default)
• Format: .au
• Channels: both
• Click <OK>
7. Minimize Wireshark and any other associated windows
8. At the top of the Ubuntu Desktop, click: Places > Home Folder
9. Find the “test.wav” file you just created in this folder, double-click on it to hear it

PART B – Play captured RTP within Wireshark


10. Close the media player, and the home window. Maximize Wireshark. If you closed Wireshark, reopen “MGCP.cap” and
reselect packet “No. 30”
11. At the top of the Wireshark window, within the menu, click: Telephony > VoIP Calls
12. A new window will open, click on the only call that appears in this window (to highlight it)
13. Now click the <Player> button
14. A new window will open, click the <Decode> button
15. Another window will open, “MGCP.cap – VoIP – RTP Player”
• Be sure that the box below the bottom audio stream is checked (From: 192.168.200.60:16388)
• Press <Play>
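What “Save Payload…” (Part A) and the RTP Player (Part B) do behind the menu can be reproduced in a few dozen lines. The script below is an added example written for this page, not part of the Alta3 lab or of Wireshark: it parses the fixed RTP header defined in RFC 3550, puts the packets back in sequence order, decodes the G.711 µ-law payload (payload type 0, the PCMU codec used by the lab capture) into 16-bit PCM, and writes a .wav file. The three packets, their SSRC and the output path are constructed for the example; no capture file is read.

```python
"""Decode constructed RTP packets into a playable .wav file.

Added example, not part of the Alta3 lab or of Wireshark. It does in code
what Telephony > RTP > Stream Analysis > "Save Payload..." does: parse the
12-byte RTP header (RFC 3550), reorder by sequence number, decode G.711
mu-law (payload type 0) to 16-bit PCM and write a .wav file.
"""
import functools
import os
import struct
import tempfile
import wave

RTP_HEADER = struct.Struct("!BBHII")  # V/P/X/CC, M/PT, sequence, timestamp, SSRC
DEFAULT_OUT = os.path.join(tempfile.gettempdir(), "rtp_example.wav")  # assumed path


def parse_rtp(packet: bytes) -> dict:
    """Parse the fixed RTP header, skip CSRCs/extension/padding, return fields and payload."""
    if len(packet) < RTP_HEADER.size:
        raise ValueError("packet too short for an RTP header")
    b0, b1, seq, ts, ssrc = RTP_HEADER.unpack_from(packet)
    if b0 >> 6 != 2:
        raise ValueError(f"unsupported RTP version {b0 >> 6}")
    offset = RTP_HEADER.size + 4 * (b0 & 0x0F)  # CC = number of 32-bit CSRC ids
    if b0 & 0x10:  # X bit: extension = profile id, length in 32-bit words, data
        ext_words = struct.unpack_from("!H", packet, offset + 2)[0]
        offset += 4 + 4 * ext_words
    end = len(packet)
    if b0 & 0x20:  # P bit: the last byte holds the padding length
        end -= packet[-1]
    if offset > end:
        raise ValueError("header fields run past the end of the packet")
    return {"marker": bool(b1 & 0x80), "payload_type": b1 & 0x7F, "sequence": seq,
            "timestamp": ts, "ssrc": ssrc, "payload": packet[offset:end]}


def mulaw_to_pcm16(byte: int) -> int:
    """Decode one G.711 mu-law byte to a signed 16-bit PCM sample."""
    byte = ~byte & 0xFF
    exponent = (byte >> 4) & 0x07
    mantissa = byte & 0x0F
    magnitude = (((mantissa << 3) + 0x84) << exponent) - 0x84
    return -magnitude if byte & 0x80 else magnitude


def _seq_cmp(a: int, b: int) -> int:
    """Wrap-aware comparison of 16-bit sequence numbers (capture spans < half the space)."""
    diff = (a - b) & 0xFFFF
    return 0 if diff == 0 else (1 if diff < 0x8000 else -1)


def decode_stream(packets) -> bytes:
    """Order one RTP stream by sequence number and return little-endian 16-bit PCM."""
    parsed = [parse_rtp(p) for p in packets]
    ssrcs = {p["ssrc"] for p in parsed}
    if len(ssrcs) != 1:
        raise ValueError(f"expected a single stream, found SSRCs {ssrcs}")
    parsed.sort(key=functools.cmp_to_key(lambda x, y: _seq_cmp(x["sequence"], y["sequence"])))
    pcm = bytearray()
    for p in parsed:
        if p["payload_type"] != 0:
            raise ValueError(f"payload type {p['payload_type']} is not PCMU")
        for sample in p["payload"]:
            pcm += struct.pack("<h", mulaw_to_pcm16(sample))
    return bytes(pcm)


def rtp_stream_to_wav(packets, path=DEFAULT_OUT, sample_rate=8000) -> int:
    """Write the decoded stream as mono 16-bit WAV; returns the number of samples."""
    pcm = decode_stream(packets)
    with wave.open(path, "wb") as wav:
        wav.setnchannels(1)
        wav.setsampwidth(2)
        wav.setframerate(sample_rate)
        wav.writeframes(pcm)
    return len(pcm) // 2


def build_rtp(seq, ts, payload, ssrc=0x1234ABCD, pt=0, marker=False) -> bytes:
    """Build a minimal RTP packet (version 2, no CSRC/extension/padding); test data only."""
    return RTP_HEADER.pack(0x80, (0x80 if marker else 0x00) | pt, seq, ts, ssrc) + payload


# Constructed stream: three 20 ms PCMU frames (160 samples at 8 kHz), captured out of order.
SAMPLE_PACKETS = [
    build_rtp(31, 160, bytes([0x80]) * 160),
    build_rtp(30, 0, bytes([0xFF]) * 160, marker=True),  # 0xFF is mu-law silence
    build_rtp(32, 320, bytes([0x00]) * 160),
]

if __name__ == "__main__":
    print(f"wrote {rtp_stream_to_wav(SAMPLE_PACKETS)} samples to {DEFAULT_OUT}")
```

Two details worth noticing when comparing this with the Wireshark dialog: the sequence sort is wrap-aware, so a stream that crosses sequence number 65535 is not scrambled, and the decoder refuses payload types other than 0, which is the check you want before trusting that a .wav sounds right (a G.729 or Opus stream exported as if it were PCMU yields noise, not speech).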

Part C – Setting Display Filters


16. Close any windows opened within Wireshark (but don’t close Wireshark)
17. Locate the “Filter” textbox within Wireshark, located in the upper left corner.

© Alta3 Research http://alta3.com Using Wireshark


• In the Filter textbox type: mgcp
o Click the <Apply> button
o If you entered ‘mgcp’ with capitals, notice how nothing changes. If that’s the case, retype ‘mgcp’ in
lowercase.
o If you entered ‘mgcp’ in lowercase, notice that all packets disappear except those which are MGCP packets
o Click the <Clear> button
o Notice that the Filter textbox has been cleared, and all packets reappear (regardless of protocol)
• In the Filter textbox type: rtp
o Click the <Apply> button
o Notice that all packets disappear except those which are RTP packets
o Click the <Clear> button
• In the Filter textbox type: mgcp and rtp
o Click the <Apply> button
o Notice that all packets disappear, as a packet cannot be both MGCP and RTP
o Click the <Clear> button
• In the Filter textbox type: mgcp or rtp
o Click the <Apply> button
o Notice that all the packets disappear, except those packets which are MGCP or RTP packets.

Part D – Colorize the Display


18. Examine the toolbar at the top of Wireshark. Near the right top of the toolbar you’ll see an icon that looks a bit like a small
Rubik’s cube with a hand on it. If you hover the mouse over it, it will say, “Edit coloring rules…”. Once you’ve identified this
icon, click on it.
19. A new window will open, “Wireshark: Coloring Rules – Profile: Default”
• Click the <New> button, this will open up a new window, “Wireshark: Edit Color Filter – Profile: Default”
o In the “Name” box, type: RTP
o In the “String” box, type: rtp
o Click the <Background Color…> button, this will open a new window, “Wireshark: Choose background color
for “RTP””
• Choose a color from the color ring
• Choose a shade from the interior triangle
• Click the <OK> button when you’re satisfied. This will close your current window.
o Click the <OK> button to save your new rule. This will close your current window.
• Click the <New> button (again), this will reopen the window, “Wireshark: Edit Color Filter – Profile: Default”
o In the “Name” box, type: SIP
o In the “String” box, type: sip
o Follow the same steps as before to set a background color (different than the one you picked for RTP)
o Click the <OK> button to save your new rule.
• Click the <New> button (one last time)
o In the “Name” box, type: DHCP
o In the “String” box, type: bootp
o Follow the same steps as before to choose a unique background color
o Click the <OK> button to save your new rule
• Click the <OK> button to close the “Wireshark: Coloring Rules – Profile: Default” window
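Both the display filters of Part C and the coloring rules of Part D are the same thing underneath: a boolean expression over the protocols a packet was dissected as, applied to every row of the Packet List. The script below is an added example written for this page, not part of the Alta3 lab or of Wireshark. It implements just the subset of the filter language the lab uses (protocol names joined with and, or, not and parentheses; real filters also allow field comparisons such as ip.addr == 192.168.200.60) and reproduces every observation from Part C, including why an uppercase “MGCP” leaves the list unchanged: Wireshark rejects it as an unknown name rather than matching nothing. The coloring rules follow Part D and Wireshark’s first-match precedence. The packet list, addresses and color names are constructed sample data.

```python
"""Wireshark-style display filters and coloring rules over a constructed packet list.

Added example, not part of the Alta3 lab or of Wireshark. Covers the subset
of the display-filter language used in Part C (protocol names with "and",
"or", "not", parentheses) and the first-match coloring rules of Part D.
"""
import re

# Constructed packet list: (No., source, destination, protocol stack, info)
PACKETS = [
    (1, "192.168.200.10", "192.168.200.60", ("eth", "ip", "udp", "mgcp"), "CRCX"),
    (2, "192.168.200.60", "192.168.200.10", ("eth", "ip", "udp", "mgcp"), "200 OK"),
    (3, "192.168.200.10", "192.168.200.20", ("eth", "ip", "udp", "sip"), "INVITE"),
    (4, "192.168.200.60", "192.168.200.20", ("eth", "ip", "udp", "rtp"), "PT=PCMU"),
    (5, "0.0.0.0", "255.255.255.255", ("eth", "ip", "udp", "bootp"), "DHCP Discover"),
]
# Names registered by the dissectors in this toy; case-sensitive, as in Wireshark,
# so "MGCP" is a syntax error rather than an empty result.
KNOWN_PROTOCOLS = {"eth", "ip", "udp", "mgcp", "sip", "rtp", "bootp"}
TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z_][A-Za-z0-9_.]*)")


def tokenize(expr: str) -> list:
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad filter syntax near {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive descent; precedence is not > and > or, as in Wireshark."""

    def __init__(self, expr: str):
        self.tokens, self.pos = tokenize(expr), 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok not in KNOWN_PROTOCOLS:  # also rejects None, ")" and stray keywords
            raise ValueError(f"{tok!r} is not a known protocol or field")
        return ("proto", tok)


def matches(node, packet) -> bool:
    kind = node[0]
    if kind == "proto":
        return node[1] in packet[3]  # true if the dissector stack contains it
    if kind == "not":
        return not matches(node[1], packet)
    if kind == "and":
        return matches(node[1], packet) and matches(node[2], packet)
    return matches(node[1], packet) or matches(node[2], packet)


def is_valid_filter(expr: str) -> bool:
    """True if <Apply> would accept the filter; an invalid one leaves the list unchanged."""
    try:
        Parser(expr).parse()
        return True
    except ValueError:
        return False


def apply_filter(expr: str, packets=PACKETS) -> list:
    """Packet numbers left in the Packet List after <Apply>; an empty filter is <Clear>."""
    if not expr.strip():
        return [p[0] for p in packets]
    tree = Parser(expr).parse()
    return [p[0] for p in packets if matches(tree, p)]


# Part D rules in creation order; color names are constructed placeholders.
COLORING_RULES = [("RTP", "rtp", "pale blue"), ("SIP", "sip", "pale green"), ("DHCP", "bootp", "yellow")]


def colorize(packets=PACKETS, rules=COLORING_RULES) -> dict:
    """Map each packet number to the first coloring rule it matches (None if no rule matches)."""
    compiled = [(name, Parser(expr).parse()) for name, expr, _color in rules]
    return {p[0]: next((n for n, tree in compiled if matches(tree, p)), None) for p in packets}


if __name__ == "__main__":
    for expr in ("mgcp", "rtp", "mgcp and rtp", "mgcp or rtp", "MGCP"):
        print(f"{expr!r:16} -> {apply_filter(expr) if is_valid_filter(expr) else 'rejected'}")
    print(colorize())
```

Two caveats when carrying this over to real Wireshark: a packet matches a protocol name if that dissector ran anywhere in its stack, which is why “udp” matches everything in this capture and why “mgcp and rtp” can never match; and the bootp filter name used in Part D was renamed to dhcp in Wireshark 3.0, so on a current release the DHCP rule string should be dhcp (Wireshark still accepts bootp as a legacy alias in most places, but do not rely on it).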

Part E - Creating VoIP Flow Charts


20. Click on packet “No. 1”
21. Just as you did earlier, now click: Telephony > VoIP Calls
• A new window will open, click on the only call displayed
• Now click the <Graph> button
• Spend some time examining the newly displayed graph; when you’re finished, you may close both windows.
22. Click on packet “No. 1” if it is not still highlighted
23. At the top of the Wireshark window, within the menu, click: Statistics > Flow Graph
24. A new window will appear, “Wireshark: Flow Graph”, make sure the following boxes are checked
• Displayed Packets
• General Flow
• Standard source / destination addresses
• Now click the <OK> button
25. The same graph is displayed as was earlier in Part E. When you are finished examining this graph, you may close any
opened windows and return to the main Wireshark screen
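The flow graph is built from nothing more than the Packet List columns you examined in Part A: each distinct address becomes a vertical lifeline, and each packet becomes an arrow from its source column to its destination column, labelled with protocol and info. The script below is an added example written for this page, not Wireshark’s own code; it renders that ladder diagram as text from a constructed packet list (hosts and messages are sample data).

```python
"""Text flow graph (ladder diagram) of a packet list, in the spirit of
Statistics > Flow Graph. Added example, not Wireshark code; the packets,
hosts and messages are constructed sample data."""

# Constructed packet list: (No., source, destination, protocol, info)
PACKETS = [
    (1, "192.168.200.10", "192.168.200.60", "MGCP", "CRCX"),
    (2, "192.168.200.60", "192.168.200.10", "MGCP", "200 OK"),
    (3, "192.168.200.10", "192.168.200.20", "SIP", "INVITE"),
    (4, "192.168.200.20", "192.168.200.10", "SIP", "200 OK"),
    (5, "192.168.200.60", "192.168.200.20", "RTP", "PT=PCMU"),
]


def endpoints(packets) -> list:
    """Hosts in first-seen order; each becomes one vertical column (lifeline)."""
    seen = []
    for _no, src, dst, _proto, _info in packets:
        for host in (src, dst):
            if host not in seen:
                seen.append(host)
    return seen


def flow_graph(packets, width=20) -> str:
    """One row per packet: an arrow from the source lifeline to the destination lifeline."""
    hosts = endpoints(packets)
    col = {h: i * width for i, h in enumerate(hosts)}
    rows = [" " * 5 + "".join(h.ljust(width) for h in hosts)]
    for no, src, dst, proto, info in packets:
        row = [" "] * (width * (len(hosts) - 1) + 1)
        for c in col.values():
            row[c] = "|"
        left, right = sorted((col[src], col[dst]))
        for i in range(left + 1, right):  # the arrow shaft crosses intermediate lifelines
            row[i] = "-"
        if col[dst] > col[src]:
            row[right - 1] = ">"
        else:
            row[left + 1] = "<"
        label = f"{proto}: {info}"
        start = (left + right) // 2 - len(label) // 2
        for i, ch in enumerate(label):  # write the label over the shaft only
            if 0 <= start + i < len(row) and row[start + i] == "-":
                row[start + i] = ch
        rows.append(f"{no:>4} " + "".join(row))
    return "\n".join(rows)


if __name__ == "__main__":
    print(flow_graph(PACKETS))
```

Feeding it only the packets that survived a display filter is the equivalent of the “Displayed Packets” box in step 24: a graph of just the MGCP and SIP rows shows the signalling without the RTP media arrows in the way.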

Part F – Performing a live Wireshark capture


26. Close Wireshark either by clicking the orange “x” in the left corner, or selecting: File > Quit
27. On the Ubuntu Desktop, near the top of the screen, locate the quick launch WIRESHARK ICON (it looks like a little blue
shark fin). Click this icon.
28. If prompted for a password, type: arg
29. It should already be clear, but if not, click the <Clear> button beside the Filter textbox to remove any current filters
30. At the top of the Wireshark window, just below the menu, identify the icon near the left hand side of the screen that has a
little wrench on it, and click on it. A new window will appear, “Wireshark: Capture Options”
31. From the “Interface Dropdown Menu”, select, “Pseudo-device that captures on all interfaces: any”
32. Make sure that the following options are checked:
• “Update list of packets in real time” (check this box)
• “Hide capture info dialog” (check this box)
33. Click the <Start> button
34. Automatic scrolling in live capture may be a good idea for now; however, you may choose to avoid it in the future. The
problem is that during a live capture, if you are analyzing something that occurred a few seconds ago, every time a new
packet comes in, it blows away what you are looking at and displays the new packet. This can be irritating.
35. Click the <Stop> button to stop the trace.

Lab Review Questions


• In your own words, explain what we mean when we say that SIP is a signaling protocol.
• What is the role of RTP? How is that different from SIP?
• What is an advantage of having all of the classroom devices on the 192.168.30.0/24 network?
• Describe a situation where you could find Wireshark useful.
