How to Analyze SIP Calls in Wireshark

When we face a problem like a call failed or no audio in SIP, usually we need to get the PCAP dump file and check the packets. This article is about how to use Wireshark to analyze SIP calls.

Also, we have a video: How to Analyze SIP Calls in Wireshark (Video)

1. Filter Expression of Wireshark

PCAP dump file contains all the protocols travel the network card, Wireshark has expressions to filter the packets so that can display the particular messages for the particular protocol. There is some common string list below:

Filter Description
sip filter SIP Protocol
rtp filter RTP stream
rtcp  filter RTCP packets
rtpevent filter DTMF packets
ip.addr use IP address to filter packets, e.g. ip.addr==192.168.5.150 or ip.addr!=192.168.5.150
udp.srcport filter packets depend on the UDP source port, e.g. udp.srcport==10000
udp.dstport filter packets depend on the UDP destination port, e.g. udp.destport==20000 or udp.srcport==10000 || udp.destport==20000
dns  filter DNS protocol

wireshark have plenty of filters for sip protocol

most common use is sip.Method and sip.Call-ID.

use sip method to filter sip messages: sip.Method == INVITE

use call-id to filter one particular sip call: sip.Call-ID==20badbbf750c497a80d63ebb8a74a213

We can also filter with some special parameter in the packet through the option 'Prepare a Filter', select the parameter you want and click right click then you can see the menu display.

See more details about how to use Wireshark, please click Wireshark Wiki.

2. SIP Call analysis 

1) List SIP calls

Use the menu entry 'Telephony > VOIP Calls', then you can see the SIP call list. 

We can see the information below:

  • The Start Time and Stop Time of each call.
  • Initial Speaker is the IP Address of Caller.
  • Caller ID and Callee ID in the From and To URI.

Select the calls you want to check, then we can see the invalid option Flow Sequence become available. Click the Flow Sequence button we can see the graph of this call with some details:

  • SIP signaling flow between different UA.
  • Direction, source and dest port of RTP stream.
  • Codec of the RTP stream.

2) Filter one SIP call

In SIP protocol, we can use call-id, from-tag, to-tag to identify a call. Usually, SIP entity will generate the random call-id string for each call, so we can mark one sip call with the call-id parameter.

See the following figure about the SIP call filtered by Call-ID.

3) SIP headers

Enable display raw for SIP message so that we don't need to expand every sip header or SDP parameters.

There are two parts in the sip INVITE request, SIP headers, and SDP.

Just list some import sip headers here:

  • From: Caller URI
  • To: destination of the call
  • Contact: the address for the subsequent request

Also some import parameters in SDP:

  • media line: m=audio 4000 RTP/AVP 123 8 0 101
  • media direction: a=sendrecv
  • codec: a=rtpmap:123 opus/48000/2
  • ptime: a=ptime:20

3. RTP analysis

 When we have a voice issue, we could check the following problem with Wireshak:

  • Is the RTP stream exist? 
  • Is the RTP stream send and receive on the right IP address and port?
  • Is the RTP stream be decoded in the right codec?
  • Is the RTP stream be sent with right ptime?

1) Filter RTP stream

  • Use 'rtp' as the expression to filter RTP packets.
  • On the sip call flow graph, we can check RTP direction and codec.
  • Use the menu 'Telephony > RTP > RTP Streams'.

We can see all the RTP streams display and we can see some information of these RTP streams, like source port and dest port, SSRC, payload, max delta, lost percentage of the packets and jitter.

But how could we know which stream is the one we want to check?

  • On the SIP call flow graph, we can see the source and dest port of one RTP stream
  • The media line of the SDP message in INVITE or 200OK sip messages

2) Decode UDP packets to RTP

As we know RTP usually uses UDP transport, when the sip call flow in the PCAP file is incomplete the Wireshark may not parse the UDP packets to RTP streams. we can decode the UDP packets to RTP manually.

3) Play RTP stream

For now, Wireshark only supports playing pcmu and pcma codec.

  •  Select and Play Stream in the call list

 

  • Play one RTP stream, in the RTP Streams list, Analyze > Play Streams

We can see the RTP player after click the Play Streams button.

 

About how to get PCAP file you can refer to the link: How to Get PCAP Dump Capture

And if you would like to output the RTP steams as WAV for further analysis, you can refer this article: How to Output the SIP Call Audio for Wireshark Capture File

 

Have more questions? Submit a request

3 Comments

  • 1
    Avatar

    Just a comment on the above article. In Wireshark you do not need to decode the UDP to RTP packets, there is an easier way. In older releases of Wireshark make sure The three fields under RTP is checked. Newer releases of Wireshark has this check marked by default. This allows Wireshark to automatically decode UDP packets to RTP where applicable. In Wireshark go to "Analyse" tab, then "Enabled Protocols", then search for RTP.

     

  • 0
    Avatar

    Great info.  Very helpful, although I wanted to point out that your call ID filter syntax is incorrect.  It should be sip.Call-ID == "107912273315420209548@192.168.1.1"

  • 0
    Avatar

    very helpful guide, and hope wireshark could provide the volte call flow like the below demo:

Please sign in to leave a comment.