Wireshark is a widely used network analyzer that contains highly advanced analysis tools for analyzing captured data packets. It is capable of capturing nearly all types of data packets like Ethernet, wireless, Bluetooth network, etc. It contains several windows like the SIP Statistics window, ISUP message window, UCP message window, etc. for analyzing different types of data packets. It works with multiple protocols like TCP, IP, IAX2, ISUP, etc. It is mainly used by network and cyber security engineers.
SIP stands for Session Initiation Protocol which is used in establishing communication sessions for audio, video or messages data transactions. These sessions are started, maintained, and terminated using SIP along with a whole set of other protocols working on the application layer of the Open Systems Interconnection (OSI) model.
SIP Statistics Window in Wireshark:
The SIP statistics window is used to separate the SIP transactions into SIP requests and responses. It shows all the information about any response or request like whether a request/response is queued, ringing, forwarded, or trying. SIP requests: SIP request are messages which contains a request URI that tells the device at another end about what the request is for. It can be for initiation, maintenance, or termination of a communication session. Communication is done through response codes like ACK, BYE, CANCEL, DO, INVITE, INFO, etc.
SIP Response:
A SIP response is sent in reply to a request. It is created by the user agent server. SIP has mainly six types of responses which are from 1xx to 5xx.
|
Response code |
Meaning |
|---|---|
|
1xx |
These types of response codes are informative, they provide some kind of information like call progress, trying, etc. |
|
2xx |
These are used as an indication of acceptance of the request. |
|
3xx |
These are used as an indication for redirecting requests if the server is busy or due to other network problems. |
|
4xx |
These are used as an indication of failure of the request. |
|
5xx |
These are used as an indication of server error. |
The SIP statistics window can be found under the Telephony tab in Wireshark, see the below image
On clicking it, a SIP statistics window appears with request and response codes
It shows lots of information about request and response calls:-
- Request Method/Response Code: It tells whether the call is a request or a response and which request/response code is used.
- Count: It simply tells the number of times a request/response is made.
- Resent: It shows how many times a request/response is resent.
- Min Setup: It shows the minimum setup/ data fields required to send a request or receive a response.
- Avg Setup: It shows the avg setup/ data fields required to send a request or receive a response.
- Max Setup: It shows the maximum value of setup for request/response.
Along with this information, there is a filter option that allows users to filter these SIP transactions on different parameters for deep analysis. Users can also copy the captured data in CSV or YAML format.
Captured Traffic:
The above image is an example of SIP packets that are captured using Wireshark.
Conclusion:
It can be seen that a lot of information can be gathered by analyzing SIP packets. It shows the IP address of the initiator along with the state of the request and comment. It also depicts start and stops times along with some other valuable information like the origin and destination of the data packet which can be seen under From and To tab.