Wireshark is the new name for Ethereal. It is a GUI packet-sniffing program that watches your network traffic and reports on what’s going on at the network level. Ethereal has been around for years, but it is an ongoing project that just seems to be getting better all the time. Among other things, it will pick out and display packets from the typical VoIP protocols, that is, SIP (Session Initiation Protocol) and IAX2 (Inter-Asterisk eXchange).
Set up a Wireshark capture and you are bound to find a ton of stuff that may be irrelevant. You’ll see requests for web pages, Outlook going out and checking for new mail, DNS requests (where is mxdesign.net?) and ARP broadcasts (who is 192.168.0.9?). So one of the first things to consider is filtering the captured packets as they are being examined. This is done with a capture “language” whose filters are compatible with a predecessor program called tcpdump. Mike Horn has written a tutorial on these, which includes a basic set of capture filters.
I was puzzled why I couldn’t see traffic from my Asterisk/Trixbox computer on my desktop workstation. It turns out they were connected with a network switch, which isolates traffic from individual devices. This makes network sniffing more difficult than in the old days when most LAN segments were connected via hubs. I ended up rummaging in the garage and found an older NetGear 16-port hub, which I used to connect both stations, and voilà, now I could see everything: the SIP phone calling the Trixbox, and the Trixbox calling out on the internet to Voicepulse. The Voicepulse tech support people want to see a capture file of just IAX2 packets, which should show (or not show) why my Trixbox occasionally loses the registration to the Voicepulse server. We’ll see.
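To show what an IAX2-only capture filter does to a capture file, here is an added example (not from the original post) that applies the equivalent of the tcpdump-style filter `udp port 4569` to a classic pcap file in plain Python. It assumes IAX2 is on its default UDP port 4569, Ethernet/IPv4 framing with no VLAN tags, and uses a constructed three-packet capture; all function names are hypothetical.

```python
import struct

IAX2_PORT = 4569  # assumed default IAX2 port; same effect as filter "udp port 4569"

def is_udp_port(frame, port):
    """True if an Ethernet/IPv4 frame carries UDP to or from `port`."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":    # EtherType is not IPv4
        return False
    ihl = (frame[14] & 0x0F) * 4                           # IPv4 header length in bytes
    if frame[23] != 17 or len(frame) < 14 + ihl + 4:       # IP protocol 17 = UDP
        return False
    if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:      # later fragment: no UDP header
        return False
    sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return port in (sport, dport)

def filter_pcap(data, port=IAX2_PORT):
    """Return a new classic-pcap byte string holding only the matching packets."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24 or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    out, pos = [data[:24]], 24                             # keep the global header
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        record = data[pos:pos + 16 + incl_len]             # record header + frame
        if is_udp_port(record[16:], port):
            out.append(record)
        pos += 16 + incl_len
    return b"".join(out)

def sample_frame(proto, sport, dport):
    """Constructed frame: Ethernet + minimal IPv4 + 8 bytes of layer-4 header."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes([192, 168, 0, 9]), bytes([192, 168, 0, 10]))
    return eth + ip + struct.pack("!HHHH", sport, dport, 8, 0)

def sample_pcap(frames):
    """Constructed little-endian pcap (Ethernet link type) built from raw frames."""
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + body

if __name__ == "__main__":
    capture = sample_pcap([sample_frame(17, 5060, 5060),   # SIP (UDP)
                           sample_frame(17, 4569, 4569),   # IAX2 (UDP)
                           sample_frame(6, 49152, 80)])    # web request (TCP)
    kept = filter_pcap(capture)
    print((len(kept) - 24) // (16 + 42), "of 3 packets kept")
```

On a live interface the same selection is made at capture time by entering `udp port 4569` as the capture filter, so the SIP, web, DNS and ARP traffic never reaches the file.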