When a SIP call fails or has no audio, the usual first step is to take a PCAP capture and read the packets. This article shows how to analyze SIP calls with Wireshark.
There is also a video: How to Analyze SIP Calls in Wireshark (Video)
1. Filter Expression of Wireshark
A PCAP file contains every protocol that crossed the network interface, so Wireshark provides display filter expressions to show only the packets of one protocol or one conversation. Some common ones:

| Expression | Meaning |
|---|---|
| sip | SIP messages |
| rtp | RTP streams |
| rtcp | RTCP packets |
| rtpevent | RTP telephone-event (DTMF) packets |
| ip.addr | match by IP address in either direction, e.g. ip.addr==192.168.5.150 or ip.addr!=192.168.5.150 |
| udp.srcport | match by UDP source port, e.g. udp.srcport==10000 |
| udp.dstport | match by UDP destination port, e.g. udp.dstport==20000, or combined: udp.srcport==10000 || udp.dstport==20000 (udp.port==10000 matches either direction) |
| dns | DNS packets |
Wireshark has many SIP-specific filter fields; the two used most are sip.Method and sip.Call-ID.
Filter SIP messages by method: sip.Method == "INVITE"
Filter one particular call by its Call-ID: sip.Call-ID == "20badbbf750c497a80d63ebb8a74a213"
Quote the value: a Call-ID frequently contains characters such as @, and the quoted form is always accepted by the filter parser.
You can also build a filter from any field in a packet: right-click the field in the packet details pane and choose 'Prepare as Filter' (or 'Apply as Filter') from the context menu.
For more details on using Wireshark, see the Wireshark Wiki.
2. SIP Call analysis
1) List SIP calls
Open 'Telephony > VoIP Calls' to see the list of SIP calls in the capture. For each call it shows:
- the start time and stop time,
- Initial Speaker, the IP address of the caller,
- the caller and callee, taken from the From and To URIs.
Select a call and the greyed-out Flow Sequence button becomes active. Clicking it opens a ladder diagram of the call showing:
- the SIP signaling flow between the user agents,
- the direction, source port and destination port of each RTP stream,
- the codec of each RTP stream.
2) Filter one SIP call
In SIP, a dialog is identified by the Call-ID together with the From tag and To tag. A SIP entity generates a random Call-ID for each call, so the Call-ID alone is usually enough to pick out one call in a capture.
See the following figure for a SIP call filtered by Call-ID.
3) SIP headers
Enable the SIP preference 'Display raw text for SIP message' so the whole message is readable without expanding every header and SDP field.
An INVITE request has two parts: the SIP headers and the SDP body.
Some important SIP headers:
- From: the caller's URI
- To: the destination of the call
- Contact: the address to which subsequent requests in the dialog are sent
Some important SDP parameters:
- media line: m=audio 4000 RTP/AVP 123 8 0 101 (media type, RTP port, and the offered payload types in preference order)
- media direction: a=sendrecv
- codec: a=rtpmap:123 opus/48000/2 (maps dynamic payload type 123 to Opus at 48 kHz, 2 channels)
- ptime: a=ptime:20 (milliseconds of audio carried per RTP packet)
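The following is an added example, not code from the original article: it parses a SIP INVITE into its headers and SDP body, pulls out the fields listed above (From, To, Contact, Call-ID, the m= line, codecs, direction, ptime) and builds the Wireshark display filter that isolates this call's signaling and media. The INVITE, its addresses, ports and Call-ID are constructed for the example and are assumptions, not values from a real capture.

```python
"""Added example (not from the original article): parse a SIP INVITE into headers and
SDP, pull out the fields listed above, and build the Wireshark display filter that
isolates this call's signaling and media. The message, addresses, ports and Call-ID
are constructed for the example, not taken from a real capture."""

# RFC 3261 compact header names, so an "i:" line is stored as "call-id".
COMPACT = {"i": "call-id", "f": "from", "t": "to", "m": "contact", "v": "via",
           "c": "content-type", "l": "content-length"}
# Static RTP/AVP payload types (RFC 3551) that need no a=rtpmap line.
STATIC_PT = {0: "PCMU/8000", 8: "PCMA/8000", 9: "G722/8000", 18: "G729/8000"}

SDP_BODY = (  # constructed offer: Opus preferred, then PCMA, PCMU, DTMF events
    "v=0\r\n"
    "o=- 1234 1234 IN IP4 192.168.5.150\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.5.150\r\n"
    "t=0 0\r\n"
    "m=audio 4000 RTP/AVP 123 8 0 101\r\n"
    "a=rtpmap:123 opus/48000/2\r\n"
    "a=rtpmap:101 telephone-event/8000\r\n"
    "a=fmtp:101 0-16\r\n"
    "a=ptime:20\r\n"
    "a=sendrecv\r\n"
)
SAMPLE_INVITE = (  # constructed INVITE from 1000@192.168.5.150 to 2000@192.168.5.200
    "INVITE sip:2000@192.168.5.200 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.5.150:5060;branch=z9hG4bK776asdhds\r\n"
    "From: \"Alice\" <sip:1000@192.168.5.150>;tag=1928301774\r\n"
    "To: <sip:2000@192.168.5.200>\r\n"
    "Call-ID: 20badbbf750c497a80d63ebb8a74a213\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:1000@192.168.5.150:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)


def parse_sip(raw: str) -> dict:
    """Split a SIP message into start line, headers (lower-cased names) and body.
    Repeated headers (e.g. several Via) keep only the last value; folded lines are joined."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in " \t" and last:            # folded continuation of previous header
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        last = COMPACT.get(last, last)
        headers[last] = value.strip()
    return {"start_line": lines[0], "headers": headers, "body": body}


def parse_sdp(body: str) -> dict:
    """Extract the media facts from an SDP offer/answer (RFC 4566): connection address,
    audio RTP port, payload types with their codecs, stream direction and ptime."""
    info = {"address": None, "port": None, "pts": [], "direction": "sendrecv", "ptime": None}
    rtpmap = {}
    for line in body.splitlines():
        if line.startswith("c=") and info["address"] is None:
            info["address"] = line.split()[-1]
        elif line.startswith("m=audio "):
            _, port, _, *pts = line[2:].split()  # "audio <port> RTP/AVP <pt> <pt> ..."
            info["port"], info["pts"] = int(port), [int(p) for p in pts]
        elif line.startswith("a=rtpmap:"):
            pt, codec = line[len("a=rtpmap:"):].split(" ", 1)
            rtpmap[int(pt)] = codec
        elif line.startswith("a=ptime:"):
            info["ptime"] = int(line[len("a=ptime:"):])
        elif line in ("a=sendrecv", "a=sendonly", "a=recvonly", "a=inactive"):
            info["direction"] = line[2:]
    # Payload types are listed in preference order; static ones may omit a=rtpmap.
    info["codecs"] = [(pt, rtpmap.get(pt, STATIC_PT.get(pt, "unknown"))) for pt in info["pts"]]
    return info


def call_display_filter(msg: dict, sdp: dict) -> str:
    """Wireshark display filter for one call: its SIP messages by Call-ID (quoted, since
    Call-IDs often contain '@') plus RTP and RTCP (port+1 by convention) on the SDP address."""
    call_id = msg["headers"]["call-id"]
    return (f'sip.Call-ID == "{call_id}" || '
            f'(ip.addr == {sdp["address"]} && udp.port in {{{sdp["port"]} {sdp["port"] + 1}}})')


if __name__ == "__main__":
    msg = parse_sip(SAMPLE_INVITE)
    sdp = parse_sdp(msg["body"])
    for name in ("from", "to", "contact", "call-id"):
        print(f"{name:8} {msg['headers'][name]}")
    print("media  ", sdp)
    print("filter ", call_display_filter(msg, sdp))
```

The filter it prints can be pasted straight into Wireshark's display filter bar; the RTCP port is assumed to be the RTP port plus one, which is the RFC 3550 convention and is what Wireshark's own call list assumes unless the SDP says otherwise.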
3. RTP analysis
When there is an audio problem, check the following in Wireshark:
- Does the RTP stream exist at all?
- Is it sent to, and received from, the right IP address and port?
- Is it decoded with the right codec?
- Is it sent with the right ptime?
1) Filter RTP stream
- Use rtp as the display filter expression.
- On the SIP call flow graph, check the RTP direction and codec.
- Open 'Telephony > RTP > RTP Streams'.
This lists every RTP stream with its source and destination ports, SSRC, payload type, max delta, packet loss percentage and jitter.
But which of these streams is the one to check? Two places tell you its ports:
- the SIP call flow graph shows the source and destination port of each RTP stream;
- the m= line of the SDP in the INVITE (caller side) and in the 200 OK (callee side).
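The following is an added example, not code from the original article: it decodes RTP headers from UDP payloads and computes, for one stream, the same figures the RTP Streams window shows (SSRC, payload type, expected and lost packets, max delta, RFC 3550 jitter), derives the effective ptime from the timestamp steps, and checks the stream against the port, payload types and ptime negotiated in the SDP. The packets, SSRC and arrival times are constructed for the example and are assumptions, not values from a real capture.

```python
"""Added example (not from the original article): decode RTP headers from UDP payloads
and compute per-stream figures like those in Wireshark's RTP Streams window (SSRC,
payload type, expected/lost packets, max delta, RFC 3550 jitter, effective ptime), then
check the stream against the SDP it should follow. All packets and arrival times below
are constructed, not taken from a real capture."""
import struct
from collections import Counter


def parse_rtp(packet: bytes) -> dict:
    """Decode the RTP header (RFC 3550 section 5.1); raises if this is not RTP version 2."""
    if len(packet) < 12:
        raise ValueError("shorter than an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("RTP version is not 2")
    hdr_len = 12 + 4 * (b0 & 0x0F)            # CSRC list follows the fixed header
    if b0 & 0x10:                              # header extension present (RFC 3550 5.3.1)
        ext_words = struct.unpack("!H", packet[hdr_len + 2:hdr_len + 4])[0]
        hdr_len += 4 + 4 * ext_words
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq,
            "ts": ts, "ssrc": ssrc, "payload": packet[hdr_len:]}


def make_rtp(seq: int, ts: int, ssrc: int, pt: int = 0, payload: bytes = b"\xff" * 160) -> bytes:
    """Build a minimal RTP v2 packet; used here only to construct sample input."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload


def analyze_stream(packets, clock_rate: int = 8000) -> dict:
    """packets: (arrival_time_us, rtp_bytes) pairs of ONE stream in capture order.
    Loss is computed from extended sequence numbers (wrap at 65536) as in RFC 3550 A.3;
    jitter is the running interarrival-jitter estimate of RFC 3550 A.8, in milliseconds."""
    cycles, prev = 0, None                     # prev = (seq, ext_seq, ts, arrival_us)
    ext_first = ext_last = None
    received, jitter_ms, max_delta_ms = 0, 0.0, 0.0
    ts_steps, pts, ssrcs = Counter(), set(), set()
    for arr_us, raw in packets:
        p = parse_rtp(raw)
        received += 1
        pts.add(p["pt"])
        ssrcs.add(p["ssrc"])
        if prev and p["seq"] < prev[0] and prev[0] - p["seq"] > 32768:
            cycles += 1                        # 16-bit sequence number wrapped
        ext = cycles * 65536 + p["seq"]
        ext_first = ext if ext_first is None else ext_first
        ext_last = ext if ext_last is None else max(ext_last, ext)
        if prev:
            delta_ms = (arr_us - prev[3]) / 1000.0
            max_delta_ms = max(max_delta_ms, delta_ms)
            ts_step = (p["ts"] - prev[2]) & 0xFFFFFFFF
            d = delta_ms - ts_step * 1000.0 / clock_rate   # change in transit time
            jitter_ms += (abs(d) - jitter_ms) / 16
            if ext - prev[1] == 1:             # consecutive packets reveal the packetization
                ts_steps[ts_step] += 1
        prev = (p["seq"], ext, p["ts"], arr_us)
    if not received:
        raise ValueError("no packets in stream")
    expected = ext_last - ext_first + 1
    lost = max(0, expected - received)
    step = ts_steps.most_common(1)[0][0] if ts_steps else None
    return {"ssrc": ssrcs, "payload_types": pts, "received": received, "expected": expected,
            "lost": lost, "loss_pct": 100.0 * lost / expected, "max_delta_ms": max_delta_ms,
            "jitter_ms": jitter_ms, "ptime_ms": None if step is None else step * 1000.0 / clock_rate}


def check_stream(stats: dict, dst_port: int, sdp_port: int, sdp_pts, sdp_ptime) -> list:
    """Compare an observed stream with the SDP m=/a= lines; return the mismatches found."""
    problems = []
    if dst_port != sdp_port:
        problems.append(f"RTP sent to port {dst_port}, SDP said {sdp_port}")
    for pt in sorted(stats["payload_types"] - set(sdp_pts)):
        problems.append(f"payload type {pt} was not negotiated in the SDP")
    if stats["ptime_ms"] is not None and sdp_ptime and stats["ptime_ms"] != sdp_ptime:
        problems.append(f"packetization is {stats['ptime_ms']} ms, SDP said {sdp_ptime} ms")
    if len(stats["ssrc"]) > 1:
        problems.append("more than one SSRC on the same address/port pair")
    return problems


# Constructed PCMU stream, 20 ms packets: seq 5 and 6 are lost, seq 3 arrives 5 ms late.
SSRC = 0x1234ABCD
ARRIVAL_US = {1: 0, 2: 20_000, 3: 45_000, 4: 60_000, 7: 120_000, 8: 140_000, 9: 160_000, 10: 180_000}
SAMPLE_STREAM = [(t, make_rtp(seq, (seq - 1) * 160, SSRC)) for seq, t in ARRIVAL_US.items()]

if __name__ == "__main__":
    stats = analyze_stream(SAMPLE_STREAM)
    print(stats)
    print(check_stream(stats, dst_port=4000, sdp_port=4000, sdp_pts=[123, 8, 0, 101], sdp_ptime=20))
```

On a real capture the packets would be the UDP payloads of one five-tuple in capture order; grouping by SSRC before calling analyze_stream is what lets you spot a second sender on the same port, which shows up in Wireshark as two streams with the same addresses.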
2) Decode UDP packets to RTP
RTP normally runs over UDP. When the capture does not contain the SIP signaling that set up the stream (for example the capture started mid-call, or the signaling took a different path), Wireshark has nothing to tell it which UDP ports carry RTP, so the packets stay as plain UDP. In that case decode them manually with 'Analyze > Decode As...' and choose RTP for the UDP port in question.
3) Play RTP stream
At the time of writing, Wireshark's built-in player only plays PCMU and PCMA (G.711) streams; newer releases add further codecs through codec plugins.
- In the VoIP Calls list, select the call and click Play Streams.
- To play a single stream, select it in the RTP Streams list and click Analyze > Play Streams.
The RTP player opens after you click Play Streams.
For how to obtain a PCAP file, see: How to Get PCAP Dump Capture
To export the RTP streams as WAV files for further analysis, see: How to Output the SIP Call Audio for Wireshark Capture File
Just a comment on the above article. In Wireshark you do not need to decode the UDP to RTP packets; there is an easier way. In older releases of Wireshark, make sure the three fields under RTP are checked. Newer releases of Wireshark have this checked by default. This allows Wireshark to automatically decode UDP packets to RTP where applicable. In Wireshark go to the "Analyse" tab, then "Enabled Protocols", then search for RTP.
Great info. Very helpful, although I wanted to point out that your call ID filter syntax is incorrect. It should be sip.Call-ID == "email@example.com"