Capturing Ooma traffic for IP Address

asked 2023-02-01 20:22:40 +0000

MBofMB

I've assembled a network tap between my Ooma (VOIP) device and router. I'm not sure how to set up Wireshark to capture the data. I'm a rookie.

Any advice/help would be greatly appreciated.

The point of all this is to record the IP addresses of a couple of scammers in Europe and forward it to some authorities that could reduce their footprint!

Thank you for your time and efforts.

* Wireshark won't allow a pic of the tap until I've acquired 60 points *


Comments

"assembled a network tap"

Does this mean a "DIY network tap" like the ones on the Capture using a network tap wiki page?
Or is it a piece of commercial gear?

Chuckc (2023-02-02 01:20:00 +0000)

Not sure what you need here.

Start by checking How To Set Up a Capture to see if this answers your question.

When you are capturing traffic with Wireshark, you have two main options:

  1. Capture everything then use Display Filters to find the packets/protocols you are interested in.

  2. Capture only what you need using Capture Filters so that you only save specific packets/protocols.

If you know what you want then option 2 makes smaller PCAP files but if you don't then capture everything.

Spooky (2023-02-02 01:27:36 +0000)

I assembled a DIY system using 2 Northern Telecom RJ45 dual plate wall units. They are toned out correctly. It's the Wireshark settings etc. I was asking about.

MBofMB (2023-02-02 01:28:03 +0000)

Spooky, Thanks for some suggestions. I don't know what to filter since I don't know what to expect in the stream. How do you identify the packets that would have the required IP addresses that are valid?

MBofMB (2023-02-02 01:32:09 +0000)

Chuckc, I assembled a Passive Ethernet Tap such as in Figure 2 in: http://www.winsnort.com/tutorials/art...

MBofMB (2023-02-02 01:44:05 +0000)

You can start by running a capture to see what packets are seen right now and to try to understand what event is generating these packets. If you use your TAP on the Ooma then I hope you'll mostly see VoIP-related traffic. This will give you an idea of what the baseline is for your device. Keep that PCAP file.

When the scammers are scamming then capture again and hopefully you can compare with the first PCAP and see what's new.

Use the filter ip.addr == A.B.C.D to see all packets for a single IP address (either to or from that IP address).

I don't know how your provider works but it is possible you may not see anything but your provider's IP space. They may be using an intermediate device between "the Internet" and their service before sending you the traffic and you ...(more)

Spooky (2023-02-04 01:31:05 +0000)
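The workflow Spooky lays out in the two comments above (take a baseline capture, capture again during the calls, compare the endpoints, then use ip.addr == A.B.C.D to isolate one address) can be done outside the Wireshark GUI once the captures are saved. The script below is an added example, not code from the original thread or from the Wireshark project. It assumes Ethernet captures saved in classic pcap format (Wireshark's "Save As" can write pcap rather than pcapng), parses them with nothing but the standard library, and reports which IPv4 addresses appear in the later capture but not in the baseline. The two captures it reads are constructed in memory from documentation address ranges so it runs without any real traffic; replace BASELINE_PCAP and LATER_PCAP with open(path, "rb").read() for real files.

```python
"""
Pull the IPv4 endpoints out of two captures and show what is new in the second one.
Both pcap files are constructed in memory below; swap in real files to use it.
"""
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
DLT_EN10MB = 1           # libpcap link type for Ethernet


def parse_pcap(data: bytes):
    """Yield raw frames from a classic libpcap file (not pcapng) held in memory."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (save from Wireshark as pcap, not pcapng)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != DLT_EN10MB:
        raise ValueError("only Ethernet captures are handled here")
    off = 24                                   # global header is 24 bytes
    while off + 16 <= len(data):               # each record: 16-byte header + frame
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def ipv4_addrs(frame: bytes):
    """Return (src, dst) for an Ethernet II frame carrying IPv4, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return src, dst


def endpoints(data: bytes) -> Counter:
    """Packets seen per address in either direction (same idea as Statistics > Endpoints)."""
    seen = Counter()
    for frame in parse_pcap(data):
        addrs = ipv4_addrs(frame)
        if addrs:
            seen[addrs[0]] += 1
            seen[addrs[1]] += 1
    return seen


def filter_ip_addr(data: bytes, addr: str):
    """Equivalent of the display filter ip.addr == addr: packets to OR from that address."""
    return [a for a in map(ipv4_addrs, parse_pcap(data)) if a and addr in a]


def new_endpoints(baseline: bytes, later: bytes) -> set:
    """Addresses present in the later capture that never appeared in the baseline."""
    return set(endpoints(later)) - set(endpoints(baseline))


# --- constructed sample captures (documentation address ranges, not real hosts) ---
def _frame(src: str, dst: str) -> bytes:
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)    # MACs zeroed, not needed here
    payload = b"\x00" * 8                                  # stand-in for a UDP header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + payload


def _pcap(frames) -> bytes:
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    records = b"".join(struct.pack("<IIII", 1675000000 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


DEVICE, PROVIDER, UNKNOWN = "192.168.1.50", "203.0.113.10", "198.51.100.77"
BASELINE_PCAP = _pcap([_frame(DEVICE, PROVIDER), _frame(PROVIDER, DEVICE)])
LATER_PCAP = _pcap([_frame(DEVICE, PROVIDER), _frame(PROVIDER, DEVICE),
                    _frame(UNKNOWN, DEVICE), _frame(DEVICE, UNKNOWN)])

if __name__ == "__main__":
    print("baseline endpoints:", dict(endpoints(BASELINE_PCAP)))
    print("new in later capture:", new_endpoints(BASELINE_PCAP, LATER_PCAP))
    print("ip.addr ==", UNKNOWN, "->", filter_ip_addr(LATER_PCAP, UNKNOWN))
```

In the constructed data the baseline shows only the VoIP device and one provider address, and the later capture adds one address that was not there before. As Spooky's last comment points out, on a real tap behind a VoIP provider the "new" list may well be empty or contain only more of the provider's own IP space, because the call is relayed by the provider rather than coming straight from the far end; that is exactly what the comparison is meant to reveal before any conclusions are drawn from the addresses.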