
FAKULTI TEKNOLOGI KEJURUTERAAN ELEKTRIK DAN ELEKTRONIK
UNIVERSITI TEKNIKAL MALAYSIA MELAKA

TELECOMMUNICATION SWITCHING SYSTEM

BEET3393 SEMESTER 2 SESI 2017/2018

LAB 2: TELECOMMUNICATION PROTOCOL ANALYSIS

NO. | STUDENTS' NAME | MATRIC. NO.
1.
2.
3.

PROGRAMME: 3 BEET
SECTION / GROUP:
DATE:
NAME OF INSTRUCTOR(S): 1.   2.

EXAMINER'S COMMENT(S):                    TOTAL MARKS:


Rev. No. | Date | Author(s) | Description
1.0 | 30 Jan 2019 | 1. Fakhrullah Idris; 2. Win Adiyansyah Indra | 1. Update to new UTeM logo; 2. Update faculty's name; 3. Change "course" to "programme"; 4. Remove verification stamp; 5. Update content
1.0 OBJECTIVES
1. To learn basic protocol analysis with Wireshark
2. To learn how to analyze a basic VoIP data flow and its related protocols, such as SIP and RTP

2.0 EQUIPMENT

1. PC or laptop installed with Wireshark.

3.0 SYNOPSIS & THEORY

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting,
analysis, software and communications protocol development, and education. Originally named
Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.

A network packet analyzer will capture network packets and display the packet data as
detailed as possible. You could think of a network packet analyzer as a measuring device used to
examine what's going on inside a network cable, just like a voltmeter is used by an electrician to
examine what's going on inside an electric cable.

Here are some examples that people use Wireshark for:


• network administrators use it to troubleshoot network problems
• network security engineers use it to examine security problems
• developers use it to debug protocol implementations
• people use it to learn network protocol internals

Figure 1.1 – Main Interface of Wireshark (labelled regions: Menu, Main Toolbar, Filter Toolbar, Packet List Pane, Packet Detail Pane, Packet Bytes Pane, Status Bar)
Wireshark's main window consists of parts that are commonly known from many other GUI programs.

• The menu is used to start actions.
• The main toolbar provides quick access to frequently used items from the menu.
• The filter toolbar provides a way to directly manipulate the currently used display filter.
• The packet list pane displays a summary of each packet captured. By clicking on packets in this pane you control what is displayed in the other two panes.
• The packet details pane displays the packet selected in the packet list pane in more detail.
• The packet bytes pane displays the data from the packet selected in the packet list pane, and highlights the field selected in the packet details pane.
• The status bar shows some detailed information about the current program state and the captured data.

In this lab, Wireshark is used to examine and analyze packets that were captured by a NIC and then saved to a file, known as a trace file.
4.0 RESULTS

Part A
1.

2.
(a) What is the total number of packets in this trace file?
- 59
(b) What is the number of packets being displayed?
- 59
3.

(a) What is the highest layer protocol in this frame?


(b) What is the destination IP address in this frame?
- Dst 192.168.10.100

4.
(a) How many bytes of data have been captured for this frame?
- 339bytes captured
(b) What is the destination MAC address?
-
(c) What is the source port number?
- Src port : sip (5060)
5.

(a) What is the length of this UDP segment?


- 305

6.

(a) What is the SIP URI of the receiver?


- sip (5060) *tbc

(b) What is the status code?


- Status-Line: SIP/2.0 100 Trying
7.
(a) Which protocol field do these hexadecimal numbers belong to?
- SIP From address: sip:6003@192.168.10.12:5060

Part B : Display filter of wireshark


1.

2. What is the number of packets being displayed in the Packet List pane?

- 15

3.

4. (a) What is the number of RTP packets being displayed now?

- 519

5.
(a) What is the total number of ICMP and RTCP packets in the trace file?
- 12

10.
(a) What is the IP address that send(s) out packet with a UDP source port number 5060?
- 192.168.10.12 and 192.168.10.100

(b) What is/are the IP address(es) that send(s) out packets with a TCP source port number of 139?
- 192.168.10.3
11.

(a) Which IP address has a Huawei MAC address?


- 192.168.10.10

12.
(a) Application layer protocol of the packets?
-RTCP
PART C
1.

(a) Average packets per second : 16.817 sec


Average byte per second : 3489.733 sec

2.
(a) What percentage of packets belongs to TCP traffic?
- 18.16%
(b) How many bytes are RTP traffic?
- 108524 bytes
(c) What are the layer 3 protocols in the trace file?
- i. Transmission Control Protocol
- ii. User Datagram Protocol
- iii. Internet Protocol version 6

3.
(a)

(b) and (c)

(d)

(e)
4.
(a)

(b)

5.
8.
(a)
10.
(a)

Part D
2.
a) b) c)
4.
a) b) c)
6.
a) b) c) d)
9.

10.
11.
(a)
12.
QUESTIONS

Part A: Introduction to Pane Interface of Wireshark

1. Refer to the “status bar” (at the bottom of the Wireshark window) and answer the
following question:
a. What is the total number of packets in this trace file?
- 59 Packets
b. What is the number of packets being displayed?
- 59 Packets

2. In the “Packet List Pane” as shown in Figure 4.1, click on frame “No. 5” in Wireshark. The
selected frame will be highlighted. Answer the following question:
a. What is the highest layer protocol in this frame?
-5
b. What is the destination IP address in this frame?
-192.168.10.100

3. Refer to the “Packet Detail Pane” of the same frame No. 5, as shown in Figure 4.2 (Note:
If another frame in Packet List pane is highlighted, the content in Packet Detail pane will
change). Answer the following question:

a. How many bytes of data have been captured for this frame?
-339 byte
b. What is the destination MAC address?
-00:23:8b:fc:36:77
c. What is the source port number?
-Sip(5060)

4. Click on the ‘+’ sign next to “User Datagram Protocol”, and more information will be
displayed. Answer the following question:

a. What is the length of this UDP segment?


- 305
5. Click on the ‘+’ sign next to “Session Initiation Protocol”, and more information will be
displayed. Answer the following question:

a. What is the SIP URI of the receiver?


- SIP/2.0
b. What is the status code?
-101 Trying

6. Refer to the “Packet Bytes Pane” (at the bottom of Wireshark) of the same frame No. 5, as
shown in Figure 4.3. Answer the following question:

a. Double click on the value “49 4e 56 49 54 45” (line #”0130”, as shown in Figure 4.3), and
refer to “Packet Detail Pane”. Which protocol field do these hexadecimal numbers belong to?
- IN VITE , SIP layer
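The following is an added example, not part of the lab report: it parses two constructed SIP messages (an INVITE from extension 6003 and the "100 Trying" response) the way the Wireshark "Session Initiation Protocol" dissector does, and shows why the bytes "49 4e 56 49 54 45" in the Packet Bytes pane map to the SIP method. The addresses, extension and User-Agent string echo the report; the Via, tag, Call-ID and the callee number 0100 are assumed values for the example.

```python
# Added example (not part of the lab report): parse a SIP request and a SIP
# response into start line + headers, as the Wireshark SIP dissector shows
# them. Both messages are constructed; only the addresses and the extension
# 6003 come from the lab, everything else is an assumed value.

# Constructed INVITE request: IP phone 6003 -> SIP server
INVITE_MSG = (
    "INVITE sip:0100@192.168.10.100 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.10.12:5060;branch=z9hG4bK-example\r\n"
    "From: <sip:6003@192.168.10.12:5060>;tag=abc123\r\n"
    "To: <sip:0100@192.168.10.100>\r\n"
    "Call-ID: example-call-id@192.168.10.12\r\n"
    "CSeq: 1 INVITE\r\n"
    "User-Agent: Huawei OpenEye V3.1\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed provisional response: server -> IP phone
TRYING_MSG = (
    "SIP/2.0 100 Trying\r\n"
    "Via: SIP/2.0/UDP 192.168.10.12:5060;branch=z9hG4bK-example\r\n"
    "From: <sip:6003@192.168.10.12:5060>;tag=abc123\r\n"
    "To: <sip:0100@192.168.10.100>\r\n"
    "Call-ID: example-call-id@192.168.10.12\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_sip(raw: str) -> dict:
    """Split a SIP message into its start line and headers.

    Returns a dict with 'kind' ('request' or 'response'); for a request
    'method' and 'request_uri', for a response 'status_code' and 'reason';
    plus a 'headers' dict keyed by lower-cased header name.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start = lines[0]
    msg = {"headers": {}, "body": body}
    if start.startswith("SIP/2.0 "):
        # Status-Line = SIP-Version SP Status-Code SP Reason-Phrase
        _, code, reason = start.split(" ", 2)
        msg.update(kind="response", status_code=int(code), reason=reason)
    else:
        # Request-Line = Method SP Request-URI SP SIP-Version
        method, uri, _version = start.split(" ", 2)
        msg.update(kind="request", method=method, request_uri=uri)
    for line in lines[1:]:
        name, _, value = line.partition(":")
        msg["headers"][name.strip().lower()] = value.strip()
    return msg


def method_hex(msg: dict) -> str:
    """Hex bytes of the request method, as shown in the Packet Bytes pane."""
    return " ".join(f"{b:02x}" for b in msg["method"].encode("ascii"))


def receiver_uri(msg: dict) -> str:
    """SIP URI of the receiver: the To header without <> and parameters."""
    return msg["headers"]["to"].split(";")[0].strip("<> ")


if __name__ == "__main__":
    inv = parse_sip(INVITE_MSG)
    print(inv["method"], "->", method_hex(inv))   # INVITE -> 49 4e 56 49 54 45
    print("receiver:", receiver_uri(inv))
    print("From:", inv["headers"]["from"])
    resp = parse_sip(TRYING_MSG)
    print(resp["status_code"], resp["reason"])    # 100 Trying
```

Everything the parser extracts (From, To, User-Agent, Call-ID) travels in clear text over UDP port 5060, which is why a passive capture on the segment shows it in full; on a production VoIP network that is the argument for SIP over TLS and SRTP rather than plain SIP/RTP.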

Part B: Display Filter of Wireshark

1. In the “Filter Toolbar”, type “sip” as shown in Figure 4.5 and click “Apply” at the right of
the “Filter Toolbar”.

a. What is the number of packets being displayed in the Packet List pane? (Please refer to the
status bar)

Packet: 782, Displayed:15

1. Type “rtp” this time in the Filter text box and then click “Apply”. After answering the
question, please click on “Clear” again.

a. What is the number of RTP packets being displayed now? (Please refer to the status bar)
- Displayed: 519
2. Figure 4.6 shows the logical operators of the display filter. In Figure 4.7, the "or"
operator is used in "icmp || rtcp". The filter selects packets that are either ICMP or RTCP, so the
displayed packets include both icmp and rtcp.

a. What is the total number of ICMP and RTCP packets in the trace file?
- 12

4. After clicking "OK", the expression will appear in the Filter text box. Click "Apply". Click
"Clear" after the questions have been answered.

a. What is/are the IP address(es) that send(s) out packet with a UDP source port number of
5060?
- 192.168.10.12 @ 192.168.10.100

b. Using a similar approach to the one illustrated above, what is/are the IP address(es) that send(s) out packets
with a TCP source port number of 139 (Hint: tcp.srcport == 139)?
- 192.168.10.3

3. The following feature is also useful to filter on the vendor identifier part (OUI) of the
MAC address. Frames from a specific device manufacturer can be selected, (e.g. for Huawei
equipment only): eth.src[0:3] == 54:39:df, as shown in Figure 4.10. The notation stands for
the first 3 bytes of the source MAC address. The [0:3] means 3 bytes starting from offset 0 (in
bytes).

a. Which IP address(es) has/have a Huawei MAC address? (Click "Clear" after this)
- 192.168.10.10

4. Display the packets whose destination IP address equals 192.168.10.100 and whose source
IP address equals 192.168.10.30, as shown in Figure 4.11.
a. Which is the application layer protocol of these packets? (Click “Clear” after this)
- RTCP
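As an added example that is not part of the lab report, the block below implements the subset of Wireshark's display-filter syntax used in Part B (bare protocol names, "field == value", the eth.src[0:3] byte slice, and "&&" / "||" without parentheses) and runs it over constructed packet summaries. The frames are constructed; the addresses, ports and the Huawei OUI 54:39:df echo the report. It also goes slightly beyond the text in that one evaluator handles all six filters of Part B.

```python
# Added example (not part of the lab report): a small evaluator for the
# display-filter subset used in Part B, run over constructed packet
# summaries. Each packet is a dict of Wireshark-style field names;
# "protocols" is the dissected protocol stack. Addresses, ports and the
# Huawei OUI 54:39:df echo the report; the frames are constructed.

PACKETS = [
    {"frame.number": 1, "eth.src": "00:aa:bb:cc:dd:12", "ip.src": "192.168.10.12",
     "ip.dst": "192.168.10.100", "udp.srcport": 5060, "udp.dstport": 5060,
     "protocols": ("eth", "ip", "udp", "sip")},
    {"frame.number": 2, "eth.src": "00:23:8b:fc:36:77", "ip.src": "192.168.10.100",
     "ip.dst": "192.168.10.12", "udp.srcport": 5060, "udp.dstport": 5060,
     "protocols": ("eth", "ip", "udp", "sip")},
    {"frame.number": 3, "eth.src": "00:aa:bb:cc:dd:12", "ip.src": "192.168.10.12",
     "ip.dst": "192.168.10.100", "udp.srcport": 16384, "udp.dstport": 16384,
     "protocols": ("eth", "ip", "udp", "rtp")},
    {"frame.number": 4, "eth.src": "00:aa:bb:cc:dd:30", "ip.src": "192.168.10.30",
     "ip.dst": "192.168.10.100", "udp.srcport": 16385, "udp.dstport": 16385,
     "protocols": ("eth", "ip", "udp", "rtcp")},
    {"frame.number": 5, "eth.src": "00:11:22:33:44:55", "ip.src": "192.168.10.3",
     "ip.dst": "192.168.10.100", "tcp.srcport": 139, "tcp.dstport": 49152,
     "protocols": ("eth", "ip", "tcp", "nbss")},
    {"frame.number": 6, "eth.src": "00:11:22:33:44:55", "ip.src": "192.168.10.3",
     "ip.dst": "192.168.10.100", "protocols": ("eth", "ip", "icmp")},
    {"frame.number": 7, "eth.src": "54:39:df:11:22:33", "ip.src": "192.168.10.10",
     "ip.dst": "192.168.10.100", "udp.srcport": 16386, "udp.dstport": 16386,
     "protocols": ("eth", "ip", "udp", "rtp")},
]


def _field_value(pkt, field_expr):
    """Resolve a field name with an optional [offset:length] byte slice.

    Wireshark's slice is offset:length, not a Python slice, so
    eth.src[0:3] is the first three octets (the OUI) of the source MAC.
    """
    name, _, rest = field_expr.partition("[")
    value = pkt.get(name)
    if value is None or not rest:
        return value
    offset, length = (int(x) for x in rest.rstrip("]").split(":"))
    octets = value.split(":")
    return ":".join(octets[offset:offset + length])


def _atom(pkt, atom):
    """A single term: 'field == value' or a bare protocol name."""
    atom = atom.strip()
    if "==" in atom:
        field, _, literal = atom.partition("==")
        actual = _field_value(pkt, field.strip())
        literal = literal.strip()
        if actual is None:              # field absent: comparison is false
            return False
        if isinstance(actual, int):
            return actual == int(literal)
        return actual.lower() == literal.lower()
    return atom in pkt["protocols"]     # e.g. "sip", "rtp", "icmp"


def matches(pkt, expr):
    """Evaluate expr as an OR of AND-groups ('&&' binds tighter than '||')."""
    return any(all(_atom(pkt, a) for a in group.split("&&"))
               for group in expr.split("||"))


def apply_filter(packets, expr):
    return [p for p in packets if matches(p, expr)]


def displayed_count(packets, expr):
    """What the status bar's 'Displayed:' figure would read for expr."""
    return len(apply_filter(packets, expr))


def senders(packets, expr):
    """Distinct source IP addresses among the packets matching expr."""
    return sorted({p["ip.src"] for p in apply_filter(packets, expr)})


if __name__ == "__main__":
    for expr in ("sip", "rtp", "icmp || rtcp", "udp.srcport == 5060",
                 "tcp.srcport == 139", "eth.src[0:3] == 54:39:df",
                 "ip.dst == 192.168.10.100 && ip.src == 192.168.10.30"):
        print(f"{expr:55s} displayed={displayed_count(PACKETS, expr)} "
              f"senders={senders(PACKETS, expr)}")
```

Two caveats worth keeping in mind when reusing the OUI filter: the slice is [offset:length], so eth.src[3:3] would be the device-specific half of the address, and an OUI only identifies the NIC vendor, not the host, since MAC addresses can be set in software.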
Part C: Basic Statistics of the Trace File

1. In the “menu”, click on “Statistics” and then “Summary”. After answering the question,
close the “Summary” dialog box.
a. What is the “average packets per second” of the trace files?
- 16.817 sec
b. What is the “average bytes per second” of the trace files?
- 3489.733 sec

2. Click on “Statistics” and then “Protocol Hierarchy”. The protocol hierarchy dialog pops up
as shown in Figure 4.12. The protocol hierarchy shows a dissection per OSI layer of the
displayed data. After answering the question, close the dialog box. (Note: Click on the ‘+’ to
obtain more information)

a. What percentage of packets belongs to TCP traffic?


-18.16%
b. How many bytes are RTP traffic?
- 108524 bytes
c. What are the layer-3 protocols in the trace file?
- Transmission Control Protocol
- User Datagram Protocol
- Internet Control Message Protocol v6

2. Click on “Statistics” and then “Conversations”. For TCP/IP suite, there are five active
tabs for Ethernet, IPv4, IPv6, TCP and UDP conversations, as shown in Figure 4.13. A
"conversation" represents the traffic between two hosts. The number in the tab after the
protocol indicates the number of conversations. After answering the question, close the dialog
box.

a. Click on the “Ethernet” tab. How many different MAC addresses are there?
- 5 differences

b. Click on “IPv4” tab. What are the unicast IP addresses?


- 192.168.10.3 and 192.168.10.100

c. In “IPv4” tab, which IP address has sent out the most packets?
- 192.168.10.100 - 300 packets

d. Click on the “TCP” tab. Which pair of IP addresses were having SSH conversation?
- 192.168.10.100 - 192.168.10.10

e. Click on the “UDP” tab. Which pair of IP addresses were having SIP conversation?
- 192.168.10.12 - 192.168.10.100

3. Click on "Statistics" and then "Endpoints". The Endpoints window provides statistics about
received and transmitted data on a per-machine basis. The number after the protocol indicates
the number of endpoints. After answering the question, close the dialog box.

a. Click on the “IPv4” tab. How many packets are received by IP = 192.168.10.101?
-4

b. Click on the “UDP” tab. Which socket (IP:port) has transmitted the most bytes?
- 192.168.10.10 , Transmit Byte=64024
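The block below is an added example, not part of the lab report: it computes, from a constructed eight-frame trace, the figures that the Statistics > Summary, Protocol Hierarchy, Conversations and Endpoints dialogs report in Part C. The addresses and the Huawei MAC prefix echo the report; the frames, timings and lengths are constructed, so the numbers differ from those in the report.

```python
# Added example (not part of the lab report): recompute the Part C
# statistics from a constructed trace. Addresses echo the report; the
# frames, timestamps and lengths are constructed values.
from collections import Counter
from typing import NamedTuple, Optional


class Pkt(NamedTuple):
    time: float          # seconds since capture start
    length: int          # frame length in bytes
    eth_src: str
    eth_dst: str
    ip_src: str
    ip_dst: str
    l4: str              # "udp", "tcp" or "icmp"
    sport: Optional[int]
    dport: Optional[int]
    top: str             # highest-layer protocol, as Wireshark labels it


TRACE = [
    Pkt(0.0, 339, "54:39:df:11:22:33", "00:23:8b:fc:36:77", "192.168.10.12", "192.168.10.100", "udp", 5060, 5060, "sip"),
    Pkt(0.5, 420, "00:23:8b:fc:36:77", "54:39:df:11:22:33", "192.168.10.100", "192.168.10.12", "udp", 5060, 5060, "sip"),
    Pkt(1.0, 214, "54:39:df:11:22:33", "00:23:8b:fc:36:77", "192.168.10.12", "192.168.10.100", "udp", 16384, 16384, "rtp"),
    Pkt(1.5, 214, "00:23:8b:fc:36:77", "54:39:df:11:22:33", "192.168.10.100", "192.168.10.12", "udp", 16384, 16384, "rtp"),
    Pkt(2.0, 74, "00:11:22:33:44:55", "00:23:8b:fc:36:77", "192.168.10.3", "192.168.10.100", "tcp", 49152, 22, "ssh"),
    Pkt(2.5, 74, "00:23:8b:fc:36:77", "00:11:22:33:44:55", "192.168.10.100", "192.168.10.3", "tcp", 22, 49152, "ssh"),
    Pkt(3.0, 98, "00:11:22:33:44:55", "00:23:8b:fc:36:88", "192.168.10.3", "192.168.10.101", "icmp", None, None, "icmp"),
    Pkt(4.0, 98, "00:23:8b:fc:36:88", "00:11:22:33:44:55", "192.168.10.101", "192.168.10.3", "icmp", None, None, "icmp"),
]


def summary(trace):
    """Statistics > Summary: averages over the capture duration (last - first)."""
    duration = trace[-1].time - trace[0].time
    total = sum(p.length for p in trace)
    return {"packets": len(trace), "bytes": total,
            "avg_packets_per_s": len(trace) / duration,
            "avg_bytes_per_s": total / duration}


def protocol_share(trace, proto):
    """Statistics > Protocol Hierarchy: % of packets and bytes carrying proto."""
    hits = [p for p in trace if proto in (p.l4, p.top)]
    return {"percent_packets": 100.0 * len(hits) / len(trace),
            "bytes": sum(p.length for p in hits)}


def conversations(trace, layer):
    """Statistics > Conversations: unordered endpoint pair -> packet count."""
    conv = Counter()
    for p in trace:
        if layer == "eth":
            key = frozenset((p.eth_src, p.eth_dst))
        elif layer == "ipv4":
            key = frozenset((p.ip_src, p.ip_dst))
        elif p.l4 == layer:      # "udp" / "tcp": a pair of (IP, port) sockets
            key = frozenset(((p.ip_src, p.sport), (p.ip_dst, p.dport)))
        else:
            continue
        conv[key] += 1
    return conv


def ethernet_address_count(trace):
    """Number of distinct MAC addresses seen (the Ethernet tab's row count)."""
    return len({p.eth_src for p in trace} | {p.eth_dst for p in trace})


def ipv4_endpoints(trace):
    """Statistics > Endpoints > IPv4: packets transmitted / received per address."""
    tx, rx = Counter(), Counter()
    for p in trace:
        tx[p.ip_src] += 1
        rx[p.ip_dst] += 1
    return {"tx_packets": tx, "rx_packets": rx}


def udp_tx_bytes(trace):
    """Statistics > Endpoints > UDP: bytes transmitted per (IP, port) socket."""
    tx = Counter()
    for p in trace:
        if p.l4 == "udp":
            tx[(p.ip_src, p.sport)] += p.length
    return tx


if __name__ == "__main__":
    print(summary(TRACE))
    print("TCP share:", protocol_share(TRACE, "tcp"), "RTP:", protocol_share(TRACE, "rtp"))
    print("MACs:", ethernet_address_count(TRACE), "IPv4 conversations:", len(conversations(TRACE, "ipv4")))
    print("Top IPv4 sender:", ipv4_endpoints(TRACE)["tx_packets"].most_common(1)[0])
    print("Top UDP socket by bytes:", udp_tx_bytes(TRACE).most_common(1)[0])
```

Note that "average packets per second" divides by the capture duration, so its unit is packets/s rather than seconds; the same statistic grouped per endpoint (top talkers, unexpected socket pairs such as an SSH session from a phone's address) is the usual first pass when reviewing a capture from a VoIP segment.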

4. The following Graph Analysis window pops up, showing the graph flow of SIP and
RTCP, as shown in Figure 4.17.

a. Based on the graph, which IP address is most likely the SIP server? Which IP
addresses are SIP clients (IP phones)? (Close the graph flow windows after this)
- 192.168.10.12
6. A “Follow UDP Stream” content window will pop up. (Close the windows after answering
the question)

a. What is the name of the User Agent? (Hint: Click on the "Find" button and type in User-Agent.)
- Huawei OpenEye V3.1
Part D: Telephony

1. Go to “Telephony” => “SIP”. A small dialog box will pop up. Leave the Filter text box
blank, and click on “Create Stat”. A SIP statistics window will be shown. Answer the
following questions:
a. How many SIP packets are there in the trace file?
- 7 packets
b. How many SIP success packets are there in the trace file?
- 2 packets
c. What are the SIP request methods found in the trace file?
-ACK, INVITE, BYE

2. Go to “Telephony” => “SIP”. Answer the following questions:


a. How many SIP packets are there in the trace file?
- 16 packets
b. How many SIP success packets are there in the trace file?
- 6 packets
c. What are the SIP request methods found in the trace file?
ACK, INVITE, REGISTER, SUBSCRIBE, NOTIFY, BYE

1. Go to "Telephony" => "RTP" => "Show all streams". An "RTP Streams" window will
pop up, as shown in Figure 4.20. Click on the first line (Source Address = 192.168.10.100,
highlighted) and then click on "Analyze".

a. Which packet has the maximum delta, and what is the value of the maximum delta?
- Packet 134, 22.00ms

b. Which packet has the maximum skew, and what is the value of the maximum skew?
- Packet 70, 15.56ms

c. What is the minimum bandwidth achieved by this RTP stream?


- 1.60kbps
d. What is the mean jitter?
- 0.34ms
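As an added example that is not part of the lab report, the block below reproduces the per-packet figures of the RTP Stream Analysis window (delta, jitter, skew and bandwidth) for a constructed six-packet G.711 stream. Jitter is the RFC 3550 section 6.4.1 estimator; the skew sign convention (actual minus expected arrival, relative to the first packet) and the one-second bandwidth window are my reading of what the dialog shows, not code from Wireshark, and the packet timings are constructed.

```python
# Added example (not part of the lab report): per-packet RTP stream
# analysis on a constructed stream. Jitter follows RFC 3550 6.4.1; skew
# and bandwidth use the conventions described in the lead-in (assumed).
from dataclasses import dataclass

CLOCK_HZ = 8000            # G.711 RTP clock: 160 ticks = 20 ms per packet


@dataclass
class RtpPacket:
    number: int            # frame number in the capture
    arrival_ms: float      # capture timestamp, ms from the first packet
    rtp_ts: int            # RTP timestamp from the header
    length: int            # frame length on the wire, bytes


# Constructed stream with nominal 20 ms spacing; packet 3 arrives 2 ms late
# and packet 4 arrives on its nominal time, so the lateness is absorbed.
STREAM = [
    RtpPacket(1, 0.0, 0, 214),
    RtpPacket(2, 20.0, 160, 214),
    RtpPacket(3, 42.0, 320, 214),
    RtpPacket(4, 60.0, 480, 214),
    RtpPacket(5, 80.0, 640, 214),
    RtpPacket(6, 100.0, 800, 214),
]


def analyze(stream, clock_hz=CLOCK_HZ):
    """One row per packet, like the RTP Stream Analysis table."""
    rows = []
    jitter = 0.0
    first = stream[0]
    for i, pkt in enumerate(stream):
        if i == 0:
            delta = 0.0
        else:
            prev = stream[i - 1]
            delta = pkt.arrival_ms - prev.arrival_ms
            # RFC 3550 6.4.1: D(i-1,i) = (R_i - R_(i-1)) - (S_i - S_(i-1)),
            # J_i = J_(i-1) + (|D| - J_(i-1)) / 16, all in ms here
            d = delta - (pkt.rtp_ts - prev.rtp_ts) * 1000.0 / clock_hz
            jitter += (abs(d) - jitter) / 16.0
        # skew: how far the packet's arrival drifted from the RTP clock
        expected_ms = (pkt.rtp_ts - first.rtp_ts) * 1000.0 / clock_hz
        skew = (pkt.arrival_ms - first.arrival_ms) - expected_ms
        # bandwidth: bits received in the one second ending at this packet
        window_bits = sum(p.length * 8 for p in stream
                          if pkt.arrival_ms - 1000.0 < p.arrival_ms <= pkt.arrival_ms)
        rows.append({"number": pkt.number, "delta_ms": delta, "jitter_ms": jitter,
                     "skew_ms": skew, "bandwidth_kbps": window_bits / 1000.0})
    return rows


def stream_summary(rows):
    """The figures asked for in Part D: max delta, max skew, min bandwidth, mean jitter."""
    max_delta = max(rows, key=lambda r: r["delta_ms"])
    max_skew = max(rows, key=lambda r: abs(r["skew_ms"]))
    max_jitter = max(rows, key=lambda r: r["jitter_ms"])
    return {
        "max_delta": (max_delta["number"], max_delta["delta_ms"]),
        "max_skew": (max_skew["number"], max_skew["skew_ms"]),
        "max_jitter": (max_jitter["number"], max_jitter["jitter_ms"]),
        "mean_jitter_ms": sum(r["jitter_ms"] for r in rows) / len(rows),
        "min_bandwidth_kbps": min(r["bandwidth_kbps"] for r in rows),
        "max_bandwidth_kbps": max(r["bandwidth_kbps"] for r in rows),
    }


if __name__ == "__main__":
    rows = analyze(STREAM)
    for r in rows:
        print(f"pkt {r['number']}: delta={r['delta_ms']:.2f} ms jitter={r['jitter_ms']:.2f} ms "
              f"skew={r['skew_ms']:.2f} ms bw={r['bandwidth_kbps']:.2f} kbps")
    print(stream_summary(rows))
```

The minimum bandwidth lands on the first packet because the one-second window then holds a single frame, which is why a healthy stream can still report a very low "min bandwidth"; the maximum delta and skew, on the other hand, point at the packet where the network actually delayed the media.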

2. Lastly, go to “Telephony” => “VoIP Calls”. The “VoIP dialog box” will pop up, as
shown in Figure 4.25.

a. What are the “phone numbers” of the two IP phones?


- 6003-0100
6.0 DISCUSSION

Answer all questions and discuss your results

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting,
analysis, software and communications protocol development, and education. Originally named
Ethereal, the project was renamed Wireshark in May 2006 because of trademark issues. Wireshark
lets the user put network interface controllers into promiscuous mode (when supported by the
network interface controller), so they can see all the traffic visible on that interface, including
unicast traffic not sent to that network interface controller's MAC address. However, when
capturing with a packet analyzer in promiscuous mode on a port of a network switch, not all
traffic through the switch is necessarily sent to the port where the capture is done, so capturing
in promiscuous mode is not always sufficient to see all network traffic. In Part A we saw the
number of packets in the trace file from the router. It also showed the SIP URI and the status
of the packet.

For Part B, we were required to work with the filters of Wireshark. There are two kinds of filter,
the "capture filter" and the "display filter". The capture filter is used to limit the size of the
captured data, to avoid producing a very large trace file. The display filter is used to analyse the
captured data and lets the user look at exactly what they need. In this exercise the focus was on
the display filter. The filter supports the logical operators and, or, xor and not, each with a
different function and shorthand symbol. Filtering makes the packet list more focused and easier to
read: it shows only the packets we need to see.

In Part C we produced the basic statistics of the trace file. Wireshark provides a wide range of
network statistics, from general information about the loaded capture file (such as the number of
captured packets) to statistics about specific protocols. The general statistics include the
"Summary" of the capture file, the "Protocol Hierarchy" of the captured packets, "Conversations"
(traffic between specific IP addresses), "Endpoints" (traffic to and from an IP address) and "IO
Graphs" (visualising the number of packets, or a similar quantity, over time).
Last but not least, for Part D we were required to use the telephony features of Wireshark.
Wireshark provides a wide range of telephony-related network statistics, which can be accessed
through the Telephony menu. These range from specific signalling protocols to the analysis of
signalling and media streams. When encoded with a supported codec, the media stream can even
be played.

7.0 CONCLUSION

From the lab session, we were able to explore the functionality of the Wireshark software.
Besides that, we were also able to study basic protocol analysis with Wireshark.
Lastly, we were able to analyse a basic VoIP data flow and related protocols such as
SIP and RTP. We gained much important knowledge in this lab session.
