Wednesday, August 17, 2011

Use Wireshark to monitor a VoIP phone

In a typical LAN environment, today are in use routers and switches.
This improves a lot the performances of a network but make more complicate to monitor a specific appliance, like a VoIP phone. 
In order to capture the traffic on a specific node, assuming is not possible to run a monitor tool on the node itself, it is necessary to use a tool capable to be put between the nodes, or use a switch/router with monitor capabilities.
The main monitor tool in this discussion is the program Wireshark.
There is an article about this issue  on the Wiki for Wireshark .
Since I don't have a switch with monitor capabilities,  the fastest way to set up a generic monitor machine is to use a laptop, with two NIC cards, acting as bridge and running Wireshark on one of the two NIC or on the bridge itself.

Shopping list
It is needed :

  • 1 laptop with Linux installed, with two ethernet ports
  • 1 PCMCA  NIC if the laptop  has already an embedded NIC
  • bridge utilities
  • Wireshark

The environment

The machine used to build the monitor is a Gateway Tablet running Ubuntu 11.04, plus a LinkSys PCMCA NIC  card.
The first step, recognizing the extra NIC card, should not pose any problem.
In my case the LinkSys NIC was recognized and configured automatically by the OS as eth1.
The next step is to install  Wireshark from the Ubuntu repository, and enabled it to capture packets from eth0 or eth1.
Here the configuration  adopted for the machine :
Bridge setting
After preparing the hardware and tested both the ethx ports, it is necessary to set up the machine to act as a bridge, in order to have packets received from the eth0 port sent to the eth1 port, and viceversa.
Without such functionality, the two networks are isolated, i.e. the phone can not receive anything from the network.
In order to simplify the configuration, I forced on both the NIC a manual address.

    for the eth0
    for the eth1.

After opening a terminal,  install the  brctl  program (sudo apt-get install bridge-utils).
The bridge-utils are not installed by default in the Ubuntu 11.04 but are available in the repository.
At this point I created, configured and activated  a bridge between the two NICs.
  • sudo brctl addbr wshark
    Create a new bridge called wshark
  • sudo brctl addif wshark eth0 Add the eth0 to the wshark bridge
  • sudo brctl addif wshark eth1
    Add the eth1 to the wshark bridge
  • sudo brctl stp wshark on Enable the STP
After creating the bridge, it has to be activated.
To do so, simply use the ifconfig command :
sudo ifconfig wshark up
At this point the bridge should be  working. 

Running Wireshark

After the bridge is activated is possible to run Wireshark.
Among  the available interfaces to use to capture traffic, it will be present a wshark interface that is the bridge.
To capture data is possible to use it.
That's it.

1 comment: