Difference between revisions of "How to capture packets using wireshark"
Revision as of 07:47, 20 June 2016
About
Wireshark is the world's foremost network protocol analyzer.
It lets you capture and interactively browse the traffic running on a computer network.
More information about Wireshark can be found here
Install
To install Wireshark, run this command in a terminal:
yum -y install wireshark
Usage
Capture all traffic
After that you can use the command:
tethereal -i eth0 -w /home/capture.pcap
Please note that in this example and the other examples below we are using the network interface eth0. When you run this command on your server, the interface may have a different name (eth1, em1, etc.), so substitute your server's actual interface name.
To save the packet dump, stop capturing by pressing Ctrl+C.
Packets will be saved to the file /home/capture.pcap.
You can copy the captured file capture.pcap from your server, open it in the Wireshark GUI and analyse the packets.
Capture only SIP traffic
If you have many calls, capturing all traffic will produce a huge file after a few minutes. Often we are only interested in SIP traffic (which by default is sent and received on port 5060), so to capture only SIP traffic you can use this command:
tethereal -i eth0 -w /home/capture.pcap port 5060
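The capture file written above is a plain pcap, and the "port 5060" filter can also be applied after the fact when you already have a full capture. The following added example (not part of the original page) is a minimal pcap reader that keeps only UDP packets touching port 5060 and prints each SIP start line; the sample capture is constructed inline, and the 10.0.0.x addresses and the INVITE/200 OK dialog are assumptions for illustration.

```python
import struct
PCAP_MAGIC, SIP_PORT = 0xA1B2C3D4, 5060  # little-endian pcap magic; SIP port from the page's filter

def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    # Constructed Ethernet/IPv4/UDP frame for the sample capture (checksums left at 0)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # global header, linktype 1 = Ethernet
    for i, frame in enumerate(frames):  # 16-byte record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1466400000 + i, 0, len(frame), len(frame)) + frame
    return out

def iter_packets(data):
    # Yield (timestamp, frame bytes) per record; refuse files that are not little-endian pcap
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off = 24  # skip the global header
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len

def parse_udp(frame):
    # Return (src_ip, dst_ip, sport, dport, payload), or None for anything but IPv4 (0x0800) / UDP (17)
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    ip, ihl = frame[14:], (frame[14] & 0x0F) * 4  # IPv4 header length from the IHL nibble
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    return src, dst, sport, dport, ip[ihl + 8:]

def sip_messages(data):
    # The page's "port 5060" filter applied after the fact: (src, dst, SIP start line) per packet
    found = []
    for _ts, frame in iter_packets(data):
        p = parse_udp(frame)
        if p and SIP_PORT in (p[2], p[3]):
            found.append((p[0], p[1], p[4].split(b"\r\n", 1)[0].decode("ascii", "replace")))
    return found

SAMPLE_PCAP = build_pcap([  # constructed sample: an INVITE, a media packet on other ports, the 200 OK
    build_udp_frame("10.0.0.5", "10.0.0.9", 5060, 5060, b"INVITE sip:bob@example.com SIP/2.0\r\nCSeq: 1 INVITE\r\n\r\n"),
    build_udp_frame("10.0.0.5", "10.0.0.9", 10000, 20000, b"\x80\x00\x00\x01" + b"\x00" * 12),
    build_udp_frame("10.0.0.9", "10.0.0.5", 5060, 5060, b"SIP/2.0 200 OK\r\nCSeq: 1 INVITE\r\n\r\n")])
```

Running `sip_messages(SAMPLE_PCAP)` returns the two SIP packets and drops the media packet; point `iter_packets` at the bytes of a real capture.pcap to do the same on a server trace.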
Capture traffic into split files
If a complete traffic trace is needed and you need to leave the trace running for a long time, it is convenient to split the trace into smaller files, as otherwise Wireshark can take a very long time or crash when opening a very large file. This can be achieved using the tcpdump command:
tcpdump -i eth0 -s 0 -C 200 -Z root -w capture
This command will create a new file once the current file reaches 200MB.
To capture traffic from/to a specific IP address you can use this command:
tcpdump -i eth0 host 1.2.3.4 -s 0 -C 200 -Z root -w capture
To capture only SIP traffic you can use this command:
tcpdump -i eth0 port 5060 -s 0 -C 200 -Z root -w capture
Additional notes
You can analyse network packets in real time on the server using the command:
tshark
More options for the tshark command can be found here.