
I am learning Wireshark as part of a course. I would like to know how to use the wireshark display filters for filtering traffic of a particular application. I tried using the display filter reference for Skype present on the link below: https://www.wireshark.org/docs/dfref/s/skype.html

However, I am not able to filter the Skype traffic from the capture I have. Can anybody please suggest an approach to filter Skype traffic?

I know how to filter traffic based on source/destination IP address and protocol, but I would like to know how to capture application-specific traffic, e.g. for Skype.

Are there any other tools which would be better in filtering a particular application traffic from a complete packet capture?

Lalit Agarwal

2 Answers

I guess in your case RawCap could be helpful. I used it to eavesdrop on my applications. Data captured by RawCap can be opened with Wireshark. I was using it on loopback. You should be able to listen to Skype as well. After you have captured enough data, close it with Ctrl+C if I remember correctly, and then open the file you saved all the information in with Wireshark.

Tomas Bisciak
  • I am doing it offline, i.e. I already have the packet capture and from that capture I need to filter particular application packets, for example only the Skype packets. Do you have any other solution for this? – Lalit Agarwal Feb 12 '14 at 10:09

Skype uses a different protocol nowadays (if you're using a new Skype version). It looks like normal SSL (HTTPS) now. The old Skype dissector in Wireshark is therefore quite useless now.

Try loading the PCAP file into CapLoader and look at the long-duration flows (probably to TCP port 443). Select those and export them to a new PCAP file.

Erik
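The approach in the answer above (find the long-lived TCP conversations on port 443 in an existing capture, then carve just those packets out into a new PCAP) can be done without CapLoader. The script below is an added example written for this page, not code from the answer's author, from CapLoader or from Wireshark: it reads a classic libpcap file with the Python standard library, groups TCP packets into bidirectional flows, keeps the flows that have an endpoint on the chosen port and last at least a threshold, and writes those packets to a new capture. The capture it runs on is constructed inline (RFC 5737 documentation addresses, zeroed checksums, no real Skype traffic); the 60-second threshold is an arbitrary choice for the demo. It handles only Ethernet link type and skips pcapng, nanosecond-timestamp pcaps and non-IPv4/TCP frames.

```python
"""Carve long-lived TCP flows to a given port out of a pcap into a new pcap (stdlib only)."""
import socket
import struct

PCAP_GLOBAL_FMT = "IHHiIII"  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD_FMT = "IIII"     # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def make_tcp_packet(src_ip, sport, dst_ip, dport, payload=b"", flags=0x18):
    """Constructed Ethernet/IPv4/TCP frame for the demo; IP/TCP checksums are left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(packets):
    """packets: iterable of (timestamp_seconds, frame_bytes) -> little-endian pcap bytes."""
    out = [struct.pack("<" + PCAP_GLOBAL_FMT, 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, raw in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<" + PCAP_RECORD_FMT, sec, usec, len(raw), len(raw)) + raw)
    return b"".join(out)


def read_pcap(data):
    """Return (global_header_bytes, [(ts, frame_bytes, whole_record_bytes), ...])."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng / nanosecond pcap not handled here)")
    if struct.unpack(endian + PCAP_GLOBAL_FMT, data[:24])[6] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig = struct.unpack(endian + PCAP_RECORD_FMT, data[off:off + 16])
        raw = data[off + 16:off + 16 + incl_len]
        if len(raw) < incl_len:
            break  # truncated trailing record: stop instead of misparsing
        records.append((sec + usec / 1_000_000, raw, data[off:off + 16 + incl_len]))
        off += 16 + incl_len
    return data[:24], records


def parse_tcp(raw):
    """Return (src_ip, sport, dst_ip, dport) for an IPv4/TCP frame (802.1Q tolerated), else None."""
    if len(raw) < 14:
        return None
    ethertype, off = struct.unpack("!H", raw[12:14])[0], 14
    if ethertype == 0x8100 and len(raw) >= 18:  # VLAN tag: real ethertype sits 4 bytes later
        ethertype, off = struct.unpack("!H", raw[16:18])[0], 18
    if ethertype != 0x0800 or len(raw) < off + 20 or raw[off] >> 4 != 4:
        return None
    ihl = (raw[off] & 0x0F) * 4
    if raw[off + 9] != 6 or len(raw) < off + ihl + 4:  # protocol 6 = TCP
        return None
    src, dst = socket.inet_ntoa(raw[off + 12:off + 16]), socket.inet_ntoa(raw[off + 16:off + 20])
    sport, dport = struct.unpack("!HH", raw[off + ihl:off + ihl + 4])
    return src, sport, dst, dport


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a conversation land in one flow."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def build_flow_table(records):
    flows = {}
    for idx, (ts, raw, _rec) in enumerate(records):
        parsed = parse_tcp(raw)
        if parsed is None:
            continue  # ARP, UDP, IPv6 ... are not part of any TCP flow
        f = flows.setdefault(flow_key(*parsed), {"first": ts, "last": ts, "packets": []})
        f["first"], f["last"] = min(f["first"], ts), max(f["last"], ts)
        f["packets"].append(idx)
    return flows


def select_long_flows(flows, port=443, min_duration=60.0):
    """Keys of flows with an endpoint on `port` whose first-to-last gap is >= min_duration s."""
    return sorted(k for k, f in flows.items()
                  if any(p == port for _ip, p in k) and f["last"] - f["first"] >= min_duration)


def extract_long_flows(pcap_bytes, port=443, min_duration=60.0):
    """Return (new_pcap_bytes, {flow_key: (duration_s, packet_count)}) preserving packet order."""
    header, records = read_pcap(pcap_bytes)
    flows = build_flow_table(records)
    keys = select_long_flows(flows, port, min_duration)
    keep = sorted(i for k in keys for i in flows[k]["packets"])
    summary = {k: (flows[k]["last"] - flows[k]["first"], len(flows[k]["packets"])) for k in keys}
    return header + b"".join(records[i][2] for i in keep), summary


# Constructed sample capture (no real Skype traffic): one ~10-minute TLS flow on 443,
# one 2-second HTTPS request on 443, and one long flow on port 80 that must not match.
_C = "10.0.0.5"
SAMPLE_PACKETS = [
    (0.0, make_tcp_packet(_C, 51000, "203.0.113.10", 443, b"\x16\x03\x01")),
    (0.1, make_tcp_packet("203.0.113.10", 443, _C, 51000, b"\x16\x03\x03")),
    (5.0, make_tcp_packet(_C, 51001, "198.51.100.7", 443, b"\x16\x03\x01")),
    (7.0, make_tcp_packet("198.51.100.7", 443, _C, 51001, b"\x17\x03\x03")),
    (10.0, make_tcp_packet(_C, 51002, "192.0.2.20", 80, b"GET / HTTP/1.1\r\n")),
    (120.0, make_tcp_packet(_C, 51000, "203.0.113.10", 443, b"\x17\x03\x03")),
    (300.0, make_tcp_packet("203.0.113.10", 443, _C, 51000, b"\x17\x03\x03")),
    (400.0, make_tcp_packet("192.0.2.20", 80, _C, 51002, b"HTTP/1.1 200 OK\r\n")),
    (600.0, make_tcp_packet(_C, 51000, "203.0.113.10", 443, b"\x15\x03\x03")),
]
SAMPLE_PCAP = build_pcap(sorted(SAMPLE_PACKETS, key=lambda p: p[0]))

if __name__ == "__main__":
    filtered, summary = extract_long_flows(SAMPLE_PCAP, port=443, min_duration=60.0)
    for (a, b), (dur, n) in summary.items():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  {dur:.1f}s  {n} packets")
    with open("long_443_flows.pcap", "wb") as fh:
        fh.write(filtered)
```

Replace `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()` to run it on a real file, and tune `min_duration` to the capture (a chat session runs for minutes, a web page fetch for seconds). The same triage can be done inside Wireshark alone: Statistics > Conversations > TCP lists every conversation with its Duration column, a selected row can be applied as a filter (which becomes a `tcp.stream eq N` display filter), and File > Export Specified Packets with "All displayed" writes those packets to a new file. Either way the result is a flow the analyst believes to be the application's, not a protocol-level identification: once the traffic is TLS on 443, duration, endpoints and the server name in the ClientHello are the only signals left.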