Capturing handshake between a SIP handset & PBX

retag add tags

Hello,

First of all apologies for the basic question.

I'm trying to capture the handshake packets when a SIP handset registers with a PABX & i'm struggling.

I enter the PBX details inc usernames, passwords, etc into the SIP handset. Then i unplug the handset & start the Wireshark then plug it back in.

Once the handset has booted back up I stop the trace & use the display filter to look at the ip address of the PBX to hopefully find the acknowledgement between the PBX & SIP handset but nothing appears. The PBX confirms the handset is registered.

Any idea's?

Thanks. Lee.

Lee Wolstencroft

asked 2021-02-05 14:36:48 +0000

edit flag offensive 0 remove flag close merge delete

Comments

You'll need to describe your capture set up. What is the network relationship between the PBX, the handset and the host on which you're performing the Wireshark capture?

grahamb (2021-02-05 15:08:37 +0000) edit

So the PBX, SIP handset & PC are all on the same subnet.

Does this answer your question?

Thanks. Lee.

Lee Wolstencroft (2021-02-05 15:40:55 +0000) edit

Not really, how are they connected, presumably there's some sort of switch involved?

grahamb (2021-02-05 16:00:29 +0000) edit

Okay sorry, so the PBX is connected to a Netgear GS728TP switch. This switch is connected to a Zyxel 8 port switch where my SIP device & PC is connected to.

Lee Wolstencroft (2021-02-05 16:04:38 +0000) edit

Have you considered your capture setup?

Jaap (2021-02-05 16:33:10 +0000) edit

add a comment see more comments

1 Answer

Sort by

oldest

newest

most voted

You have a switched network and as it stands Wireshark on your PC will not see the traffic between the PBX and the handset.

The link @Jaap posted details some methods on how to capture in a switched network.

23.8k

grahamb

answered 2021-02-05 17:22:13 +0000

edit flag offensive 0 remove flag delete link

Comments

Great thanks. I'll take a look.

Lee Wolstencroft (2021-02-05 17:30:55 +0000) edit

So just to be more specific in my set-up:

Netgear GS728TP Managed Switch - PBX Connected to Port 8 Netgear GS728TP Managed Switch Port 9 -> Connected to the Zyxel Switch Port 1

SIP handset connected to the Zyxel switch in port 2 Laptop running Wireshark connected to the Zyxel switch in port 3

So which port(s) do i need to be mirroring & which would be the probe?

Thanks. Lee.

Lee Wolstencroft (2021-02-05 19:32:01 +0000) edit

If the Zyxel switch can mirror ports you should mirror port 2, the handset, to port 3, the laptop with the capture software.

grahamb (2021-02-05 20:01:45 +0000) edit

Thanks, so on the Zyxel it does have the option to mirror ports.

So, this is what I have set & still not getting anything which shows the IP handset communicating with the PBX which is plugged into port 8 of the Netgear switch.

Zyxel Mirror Port settings: Monitor port -> Port 2 (SIP Handset Port) Egress Acting Port -> 3 (PC) Ingress Acting Port -> 3 (PC)

Lee Wolstencroft (2021-02-07 16:30:14 +0000) edit

Unfortunately I have no experience whatsoever on Zyxel devices so can't offer any advice on that aspect.

I'm assuming that your are capturing on the correct interface (the one connected to the Zyxel) and have promiscuous mode turned on, it's on by default (Wireshark menu -> Capture -> Capture Options).

grahamb (2021-02-07 16:51:29 +0000) edit

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer

Capturing handshake between a SIP handset & PBX edit

Comments

1 Answer

Comments