How to Analyze SIP Calls in Wireshark
Eric Jiang
Thursday at 07:59
When we face a SIP problem such as a failed call or no audio, we usually need to get the PCAP
dump file and check the packets. This article describes how to use Wireshark to analyze SIP calls.
1. Filter Expression of Wireshark
A PCAP dump file contains every protocol that crossed the network card. Wireshark has filter
expressions that restrict the display to the packets of one particular protocol, so that only the
messages you care about are shown. Some common filter strings are listed below:
Filter          Description
sip             filter the SIP protocol
rtp             filter the RTP stream
rtcp            filter RTCP packets
rtpevent        filter DTMF packets (RTP events)
ip.addr         filter by IP address, e.g. ip.addr==192.168.5.150 or ip.addr!=192.168.5.150
udp.srcport     filter by UDP source port, e.g. udp.srcport==10000
udp.dstport     filter by UDP destination port, e.g. udp.dstport==20000 or udp.srcport==20000 || udp.dstport==20000
dns             filter the DNS protocol
Wireshark has plenty of filters for the SIP protocol; the most commonly used are sip.Method and sip.Call-ID.
Use the SIP method to filter SIP messages: sip.Method == INVITE
Use the Call-ID to filter one particular SIP call: sip.Call-ID==20badbbf750c497a80d63ebb8a74a213
We can also filter on any parameter in a packet through the 'Prepare a Filter' option:
select the parameter you want in the packet details, right-click it, and the menu appears.
For more details on how to use Wireshark, see the Wireshark Wiki.
2. SIP Call analysis
1) List SIP calls
Use the menu entry 'Telephony > VoIP Calls' to see the list of SIP calls.
The list shows the following information:
The Start Time and Stop Time of each call.
Initial Speaker, which is the IP address of the caller.
Caller ID and Callee ID, taken from the From and To URIs.
Select the call you want to check; the Flow Sequence button, greyed out until then, becomes
available. Click Flow Sequence to see the graph of this call with some details:
The SIP signaling flow between the different UAs.
The direction, source port and destination port of each RTP stream.
The codec of each RTP stream.
2) Filter one SIP call
In the SIP protocol, a call is identified by the combination of Call-ID, from-tag and to-tag. A SIP
entity usually generates a random Call-ID string for each call, so a single SIP call can be picked
out with the Call-ID parameter alone.
The following figure shows a SIP call filtered by Call-ID.
3) SIP headers
Enable the raw display for SIP messages so that we do not need to expand every SIP header or SDP
parameter.
A SIP INVITE request has two parts: the SIP headers and the SDP body.
Some important SIP headers:
From: caller URI
To: destination of the call
Contact: the address to use for subsequent requests
Some important parameters in the SDP:
media line: m=audio 4000 RTP/AVP 123 8 0 101
media direction: a=sendrecv
codec: a=rtpmap:123 opus/48000/2
ptime: a=ptime:20
3. RTP analysis
When we have a voice issue, we can check the following points with Wireshark:
Does the RTP stream exist at all?
Is the RTP stream sent and received on the right IP address and port?
Is the RTP stream decoded with the right codec?
Is the RTP stream sent with the right ptime?
1) Filter RTP stream
Use 'rtp' as the filter expression to show RTP packets.
On the SIP call flow graph, we can check the RTP direction and codec.
Use the menu 'Telephony > RTP > RTP Streams'.
This lists all the RTP streams together with some information about each stream: source port and
destination port, SSRC, payload, max delta, lost packet percentage and jitter.
But how do we know which stream is the one we want to check? Two places give the answer:
On the SIP call flow graph, the source and destination port of each RTP stream is shown.
The media line of the SDP body in the INVITE or 200 OK SIP message gives the negotiated port and payload types.
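As an added example (not the article's own code), the Python below parses the Call-ID, From and To headers plus the SDP media line, rtpmap, ptime and direction attributes out of a constructed INVITE, then labels constructed RTP stream rows by whether they land on the offered address and port with an offered payload type, which is the cross-check described above.

```python
# Added example, not the article's code; the INVITE and the RTP stream rows are constructed.
INVITE = (
    "INVITE sip:bob@192.168.5.150 SIP/2.0\r\nCall-ID: 20badbbf750c497a80d63ebb8a74a213\r\n"
    "From: <sip:alice@192.168.5.100>;tag=1928301774\r\nTo: <sip:bob@192.168.5.150>\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\nc=IN IP4 192.168.5.100\r\nm=audio 4000 RTP/AVP 123 8 0 101\r\n"
    "a=rtpmap:123 opus/48000/2\r\na=rtpmap:8 PCMA/8000\r\na=rtpmap:0 PCMU/8000\r\n"
    "a=rtpmap:101 telephone-event/8000\r\na=ptime:20\r\na=sendrecv\r\n"
)

def parse_invite(msg):
    """Split a SIP request into a header dict and a summary of its SDP audio offer."""
    head, _, body = msg.partition("\r\n\r\n")     # blank line separates headers from SDP
    headers = {}
    for line in head.split("\r\n")[1:]:            # [0] is the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    sdp = {"rtpmap": {}, "direction": "sendrecv"}  # sendrecv is the SDP default
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            sdp["ip"] = line.split()[2]
        elif line.startswith("m=audio "):
            fields = line.split()                  # m=audio <port> RTP/AVP <payload types>
            sdp["port"], sdp["payloads"] = int(fields[1]), [int(p) for p in fields[3:]]
        elif line.startswith("a=rtpmap:"):
            pt, codec = line[9:].split(" ", 1)
            sdp["rtpmap"][int(pt)] = codec
        elif line.startswith("a=ptime:"):
            sdp["ptime"] = int(line[8:])
        elif line in ("a=sendrecv", "a=sendonly", "a=recvonly", "a=inactive"):
            sdp["direction"] = line[2:]
    return headers, sdp

# Constructed stand-ins for rows of Telephony > RTP > RTP Streams: destination and payload type.
RTP_STREAMS = [
    {"dst": ("192.168.5.100", 4000), "pt": 123},   # opus to the offered port: expected
    {"dst": ("192.168.5.100", 4000), "pt": 9},     # payload type 9 was never offered
    {"dst": ("192.168.5.100", 4002), "pt": 8},     # offered codec, but not the offered port
]

def check_streams(sdp, streams):
    labels = []   # one of 'ok:<codec>', 'codec-mismatch', 'port-mismatch' per stream
    for s in streams:
        if s["dst"] != (sdp["ip"], sdp["port"]):
            labels.append("port-mismatch")
        elif s["pt"] not in sdp["payloads"]:
            labels.append("codec-mismatch")
        else:
            labels.append("ok:" + sdp["rtpmap"][s["pt"]])
    return labels
```

On a real capture the stream rows would come from the RTP Streams list (or tshark output) and the INVITE from the sip.Call-ID filter shown earlier.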
2) Decode UDP packets to RTP
RTP usually runs over UDP. When the SIP call flow in the PCAP file is incomplete, Wireshark may
not recognise the UDP packets as RTP streams, because it learns the RTP ports from the SDP. In that
case we can decode the UDP packets as RTP manually.
3) Play RTP stream
For now, Wireshark only supports playing the PCMU and PCMA codecs.
To play a call, select it in the call list and click Play Stream.
To play one RTP stream, select it in the RTP Streams list and choose Analyze > Play Streams.
The RTP player opens after clicking the Play Streams button.
For how to obtain the PCAP file, refer to the article: How to Get PCAP Dump Capture