Skype (a popular VoIP and IM application) uses a proprietary (and encrypted) protocol. So far Wireshark is not able to decode Skype traffic because no one has been able to reverse-engineer the protocol.
However, an effort to do so is underway and appears to be making some progress.
Another interesting link is a 2004 analysis of Skype's protocol. There's also Silver Needle in the Skype from 2006 (for the networking part look at pages 40ff). Note that both papers may be outdated and that the protocol may have changed since then (the 2006 paper definitely describes things differently from the github description).
Until August of 2014 the Skype protocol was used.
Starting in August of 2014 Skype uses Microsoft Notification Protocol 24
- Typically, Skype uses UDP as its transport protocol.
Skype typically uses a wide range of ports in order to circumvent firewalls.
Below is Wireshark's decoding of one frame from a capture on the SampleCaptures page.
Frame 215: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) Ethernet II, Src: voyager.home (00:16:e3:19:27:15), Dst: 192.168.1.2 (00:04:76:96:7b:da) Internet Protocol Version 4, Src: engmanlab10.pathology.northwestern.edu (220.127.116.11), Dst: 192.168.1.2 (192.168.1.2) User Datagram Protocol, Src Port: 15294 (15294), Dst Port: 35990 (35990) SKYPE ID: 0x15f2 0111 .... = Unknown: 0x07 .... 0111 = Type: NAT repeat (0x07) Src IP: host86-128-245-115.range86-128.btcentralplus.com (18.104.22.168) Dst IP: 0x24499eb8
Wireshark has a basic dissector for the old Skype protocol.
To use this dissector you must use the Decode-As interface to tell Wireshark to try to decode packets as Skype.
The Skype dissector has no preferences at this time. Use the Decode-As interface to select traffic to decode as Skype.
The Skype dissector also has a heuristic dissector (which causes it to examine UDP packets to guess whether they are Skype). These heuristics are disabled by default; to enable them use the Enabled Protocols interface to enable skype_udp.
The SampleCaptures page has at least one Skype capture file:
The Skype dissector has a number of fields such as skype.som_type (for the message type).
You cannot directly filter Skype while capturing. However, if you know the UDP port used (see above), you can filter on that one.
Capture only the Skype traffic over port 1234:
udp port 1234
Imported from https://wiki.wireshark.org/Skype on 2020-08-11 23:24:46 UTC