WireSharkPage » History » Version 6

osmith, 09/07/2018 02:50 PM
outdated, link to general wireshark page

The instructions on this wiki page are outdated, see #3531 to resolve this.

*See [[cellular-infrastructure:Wireshark]] for general installation and usage instructions related to Osmocom.*

---

h1. Extending Wireshark

The WireShark packet sniffer does not support APCO P25 out of the box. If you want to sniff P25 traffic with WireShark you will need to patch the sources and rebuild it.

h2. Downloading WireShark

You first need to obtain the source code for WireShark. The stable release of WireShark is available from the "downloads section of the WireShark web-site":http://www.wireshark.org/download.html. On that page go to "Get WireShark" for the stable release (1.8.5 at the time of writing). Click on "Source Code" to download the file.

h2. Unpacking WireShark

To unpack the source tree you need to open a shell and execute the following commands:

@
mkdir -p SourceCode
cd SourceCode
tar xjvf ~/Downloads/wireshark-1.8.5.tar.bz2
cd wireshark-1.8.5
@

(Remember that your download directory may not be ~/Downloads and that the version number of the WireShark you download may be different from the one used here.)

h2. Patching WireShark

Once you've downloaded the wireshark source tree, check out the p25 plugin:

@(cd plugins && svn checkout http://op25.osmocom.org/svn/trunk/wireshark/plugins/p25 p25)@

This adds the code WireShark needs to decode APCO P25 messages. A few small changes also need to be made to the WireShark tree outside of the plugins directory. The easiest way to do this is to apply the appropriate patch, as follows:

@
svn checkout http://op25.osmocom.org/svn/trunk/wireshark/patches
patch -p1 < patches/wireshark-1.8.5.patch
@

Of course, it is inevitable that you will download a WireShark version for which we haven't provided a patch. Don't fret - the patches will probably still work for your version, but if a patch fails to apply you may need to download an earlier version of WireShark for which we have a patch, or make the changes manually using the existing patch as a guide.

h2. Building + Installing WireShark

You may need to install prerequisites beforehand. This is a minimum set for Ubuntu/Debian based systems:

@
sudo apt-get install bison flex libgtk2.0-dev libpcap-dev
@

The standard build for wireshark requires that ./autogen.sh be run first. To compile WireShark run the following commands:

@
./autogen.sh && ./configure && make clean && make
@

If it compiles cleanly then you can install it as follows:

@
sudo make install
@

h2. Using WireShark to sniff P25

Now that you have a modified WireShark installed, it should be a simple matter to start the receiver and use WireShark to capture its output. To do so, simply sniff on your computer's network interface and use the following capture filter: "udp port 23456". At present all P25 traffic is sent to the multicast address 224.0.0.1, so it should be visible on other computers on your subnet - this allows you to sniff in one place and monitor from another.
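The following is an added example, not part of this wiki page or of the OP25 project's code. It shows, on constructed sample frames, exactly what the capture filter "udp port 23456" selects (either endpoint port matches, non-first IP fragments and non-UDP frames are skipped, frames with a bad IPv4 header checksum are dropped) and flags hits whose destination is a multicast group such as 224.0.0.1, since those datagrams reach every host on the subnet, not only the receiver's own machine. The MAC addresses, IP addresses and payload bytes are constructed test values, not real P25 data.

```python
import ipaddress
import struct

# Values taken from the page: the capture filter port and the multicast group the receiver sends to.
P25_PORT = 23456
P25_MCAST_GROUP = "224.0.0.1"

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header.

    Over a header whose checksum field is zero it yields the value to insert;
    over a complete, intact header it yields 0.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def multicast_mac(group: str) -> bytes:
    """IPv4 multicast MAC: 01:00:5e followed by the low 23 bits of the group address."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return bytes([0x01, 0x00, 0x5E]) + low23.to_bytes(3, "big")


def build_udp_frame(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str,
                    sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble an Ethernet II / IPv4 / UDP frame (used only to construct sample input)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload  # UDP checksum 0 = absent (allowed on IPv4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in the header checksum
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


def parse_udp_frame(frame: bytes):
    """Decode Ethernet II / IPv4 / UDP; return None for anything that is not a complete UDP datagram."""
    if len(frame) < 34:  # 14-byte Ethernet header + 20-byte minimum IPv4 header
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    if ipv4_checksum(ip[:ihl]) != 0:  # corrupt header: do not trust any of its fields
        return None
    if proto != IPPROTO_UDP or flags_frag & 0x1FFF:  # non-first fragments carry no UDP header
        return None
    udp = ip[ihl:total_len]
    if len(udp) < 8:
        return None
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", udp[:8])
    if ulen < 8 or ulen > len(udp):
        return None
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "sport": sport, "dport": dport, "payload": udp[8:ulen]}


def matches_udp_port(pkt, port: int = P25_PORT) -> bool:
    """The capture filter 'udp port N': true when either endpoint port is N."""
    return pkt is not None and port in (pkt["sport"], pkt["dport"])


def find_p25_traffic(frames):
    """Apply the filter to a list of frames; mark each hit that is multicast (visible subnet-wide)."""
    hits = []
    for frame in frames:
        pkt = parse_udp_frame(frame)
        if matches_udp_port(pkt):
            pkt["multicast"] = ipaddress.IPv4Address(pkt["dst"]).is_multicast
            hits.append(pkt)
    return hits


# Constructed sample capture (not real P25 data): one receiver datagram to the multicast group,
# one unrelated unicast UDP datagram to port 53, and one non-IP (ARP) frame.
HOST_MAC = bytes.fromhex("020000000001")
PEER_MAC = bytes.fromhex("020000000002")
SAMPLE_FRAMES = [
    build_udp_frame(HOST_MAC, multicast_mac(P25_MCAST_GROUP), "192.168.1.10", P25_MCAST_GROUP,
                    P25_PORT, P25_PORT, b"constructed P25 frame payload"),
    build_udp_frame(HOST_MAC, PEER_MAC, "192.168.1.10", "192.168.1.1", 40000, 53, b"constructed DNS query"),
    PEER_MAC + HOST_MAC + bytes.fromhex("0806") + bytes(28),
]

if __name__ == "__main__":
    for hit in find_p25_traffic(SAMPLE_FRAMES):
        scope = "multicast: visible to every host on the subnet" if hit["multicast"] else "unicast"
        print(f'{hit["src"]}:{hit["sport"]} -> {hit["dst"]}:{hit["dport"]} ({scope}), {len(hit["payload"])} bytes')
```

Run as a script it reports the single multicast hit. Because the receiver's decoded P25 output is plain UDP to 224.0.0.1, the same filter run on any other host on the subnet (in Wireshark or in a script like this) sees the traffic too, which is convenient for monitoring but also means the decoded stream is not private to the capturing machine.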