Question

Use WireShark to monitor the initiation, communication, and termination of a session involving any TWO of the following applications:

a) VoIP

b) A file transfer using the file transfer protocol of your choice

c) A browser session using the browser and protocol of your choice

d) A remote login using the application of your choice

e) A video gaming session involving a video game that has a TCP or UDP port assignment

You should make screenshots of the interesting parts of the session and show the initiation and termination of the session. Show information gleaned from the session such as playback of VoIP, file transferred, login credentials, video game highlights, etc.

Answer #1

a) VOIP:-

To access the VoIP calls analysis use the menu entry "Telephony->VoIP Calls...". The current VoIP supported protocols are:

  • SIP
  • H323
  • ISUP
  • MGCP
  • UNISTIM

The VoIP calls list shows the following information per call:

  • Start Time: Start time of the call.
  • Stop Time: Stop time of the call.
  • Initial Speaker: The IP source of the packet that initiated the call.
  • From: For H323 and ISUP calls, this is the calling number. For SIP calls, it is the "From" field of the INVITE. For MGCP calls, the EndpointID or calling number. For UNISTIM the Terminal ID.

  • To: For H323 and ISUP calls, this is the called number. For SIP calls, it is the "To" field of the INVITE. For MGCP calls, the EndpointID or dialed number. For UNISTIM the dialed number.

  • Protocol: Any of the protocols listed above
  • Packets: Number of packets involved in the call.
  • State: The current call state. The possible values are
    • CALL SETUP: call in setup state (Setup, Proceeding, Progress or Alerting)
    • RINGING: call ringing (only supported for MGCP calls)

    • IN CALL: call is still connected
    • CANCELLED: call was released before connect from the originated caller
    • COMPLETED: call was connected and then released
    • REJECTED: call was released before connect by the destination side
    • UNKNOWN: call in unknown state
  • Comment: An additional comment, this is protocol dependent. For H323 calls it shows if the call uses Fast Start or/and H245 Tunneling.

This image shows playback information of VOIP Calls:-

A remote login session:-

We have three cases while doing remote login:-

  1. the network protocol transporting the packets is unencrypted
  2. the network protocol is encrypted, and we do not have the encryption keys
  3. the network protocol is encrypted, but we have the encryption keys

1. Unencrypted packets:-
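
The per-call fields and states in the VoIP calls list from part a) can be approximated from SIP signalling alone. The sketch below is an added example, not part of the original answer and not Wireshark's own logic; it covers SIP only, and the addresses, Call-IDs and the helper names `msg`, `header` and `call_list` are constructed for illustration.

```python
import re

# Constructed sample capture: (time in seconds, source IP, raw SIP message).
def msg(first, call_id, cseq):
    return (f"{first}\r\nFrom: <sip:alice@example.test>;tag=1\r\n"
            f"To: <sip:bob@example.test>\r\nCall-ID: {call_id}\r\nCSeq: {cseq}\r\n\r\n")

SAMPLE = [
    (0.0, "192.0.2.10", msg("INVITE sip:bob@example.test SIP/2.0", "c1", "1 INVITE")),
    (0.1, "192.0.2.20", msg("SIP/2.0 180 Ringing", "c1", "1 INVITE")),
    (2.0, "192.0.2.20", msg("SIP/2.0 200 OK", "c1", "1 INVITE")),
    (2.1, "192.0.2.10", msg("ACK sip:bob@example.test SIP/2.0", "c1", "1 ACK")),
    (9.5, "192.0.2.20", msg("BYE sip:alice@example.test SIP/2.0", "c1", "2 BYE")),
    (10.0, "192.0.2.10", msg("INVITE sip:bob@example.test SIP/2.0", "c2", "1 INVITE")),
    (10.2, "192.0.2.20", msg("SIP/2.0 486 Busy Here", "c2", "1 INVITE")),
    (20.0, "192.0.2.10", msg("INVITE sip:bob@example.test SIP/2.0", "c3", "1 INVITE")),
    (21.0, "192.0.2.10", msg("CANCEL sip:bob@example.test SIP/2.0", "c3", "1 CANCEL")),
    (21.1, "192.0.2.20", msg("SIP/2.0 487 Request Terminated", "c3", "1 INVITE")),
]

def header(raw, name):
    m = re.search(rf"^{name}:\s*(.+?)\s*$", raw, re.I | re.M)
    return m.group(1) if m else ""

def call_list(packets):
    """Group SIP messages by Call-ID and derive one summary row per call."""
    calls = {}
    for ts, src, raw in packets:
        first = raw.split("\r\n", 1)[0]
        cid, method = header(raw, "Call-ID"), (header(raw, "CSeq").split() or [""])[-1]
        c = calls.get(cid)
        if c is None:
            if not first.startswith("INVITE "):
                continue  # call setup was not captured, so no row is created
            c = calls[cid] = {"start": ts, "initial_speaker": src, "packets": 0,
                              "from": header(raw, "From"), "to": header(raw, "To"),
                              "state": "CALL SETUP"}
        c["packets"] += 1
        c["stop"] = ts
        status = int(first.split()[1]) if first.startswith("SIP/2.0 ") else None
        if first.startswith("CANCEL ") and c["state"] == "CALL SETUP":
            c["state"] = "CANCELLED"   # released by the caller before connect
        elif first.startswith("BYE ") and c["state"] == "IN CALL":
            c["state"] = "COMPLETED"   # connected, then released
        elif status and method == "INVITE" and c["state"] == "CALL SETUP":
            if 200 <= status < 300:
                c["state"] = "IN CALL"
            elif status >= 400:
                c["state"] = "REJECTED"  # released by the destination before connect
    return calls
```

The 487 response that follows a CANCEL does not overwrite CANCELLED, because final responses are only applied while the call is still in CALL SETUP.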
