How to Analyze VoIP SIP Calls in Wireshark
Analyzing SIP packets is one of the most common ways to troubleshoot VoIP issues in a network or on the systems involved. Wireshark is well suited to this: it lets you monitor VoIP traffic, capture the SIP packets, detect the VoIP calls in a trace, and analyze them.
To detect the VoIP calls in a Wireshark trace, select Telephony -> VoIP Calls from the top menu. A new window appears that lists all the calls found in the trace, with information such as the start/end time and the From/To headers. Select a call from the list and press “Flow” to see the call flow as a graph. To check the content of a particular message, click on that message in the flow and it will be shown in the main window.
If the trace contains RTP packets, the RTP streams appear in the flow as well. To check the RTP packets, select them in the flow and view them in the main window. If you would like to listen to the RTP streams (for example, to check the voice quality), click on the “Player” button in the VoIP calls window and the decoded RTP streams will appear. Further information about analyzing RTP streams in Wireshark will be provided in a different post.
Note: You can identify specific calls in Wireshark by their Call-ID header, which is unique for each call. This is especially helpful when a trace contains a lot of calls and you need to keep track of them.
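The Call-ID grouping described in the note above, as an added example that is not part of the original post: a small Python parser that sorts interleaved SIP messages into per-call flows. The sample messages, addresses and Call-ID values are constructed, and the helper names (`parse_sip`, `group_calls`, `msg`) are hypothetical.

```python
# Compact header forms defined by SIP (RFC 3261) mapped to their long names.
COMPACT = {"i": "call-id", "f": "from", "t": "to"}

def parse_sip(raw):
    """Return (label, headers) for one SIP message given as text."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        # Skip folded continuation lines and anything that is not a header.
        if line[:1] in (" ", "\t") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()          # header names are case-insensitive
        headers.setdefault(COMPACT.get(name, name), value.strip())
    # Requests start with the method, responses with "SIP/2.0 <code> <reason>".
    parts = lines[0].split(" ", 2)
    label = " ".join(parts[1:]) if parts[0].startswith("SIP/") else parts[0]
    return label, headers

def group_calls(messages):
    """Group messages by Call-ID, keeping capture order inside each call."""
    calls = {}
    for raw in messages:
        label, h = parse_sip(raw)
        if "call-id" not in h:
            continue
        call = calls.setdefault(
            h["call-id"], {"from": h.get("from"), "to": h.get("to"), "flow": []})
        call["flow"].append(label)
    return calls

def msg(start, call, compact=False):
    # Build one constructed SIP message; compact=True uses the "i:" form.
    cid, frm, to = call
    name = "i" if compact else "Call-ID"
    return "\r\n".join([start, f"{name}: {cid}", f"From: {frm}", f"To: {to}", "", ""])

A = ("a1@host.example", "<sip:alice@example.com>", "<sip:bob@example.com>")
B = ("b2@host.example", "<sip:carol@example.com>", "<sip:dave@example.com>")
SAMPLE = [  # constructed capture: two calls interleaved on the wire
    msg("INVITE sip:bob@example.com SIP/2.0", A),
    msg("INVITE sip:dave@example.com SIP/2.0", B, compact=True),
    msg("SIP/2.0 180 Ringing", A),
    msg("SIP/2.0 486 Busy Here", B, compact=True),
    msg("SIP/2.0 200 OK", A),
    msg("BYE sip:bob@example.com SIP/2.0", A),
]

if __name__ == "__main__":
    for call_id, call in group_calls(SAMPLE).items():
        print(call_id, call["from"], "->", call["to"], call["flow"])
```

In Wireshark itself, the same isolation of one call is a display filter on the `sip.Call-ID` field, for example `sip.Call-ID == "a1@host.example"` with the constructed value above.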
You can always filter on different values in Wireshark to identify the packets or calls you are interested in. To do that, click on the “Filter:” button, and then in the new window click on “Expression…”. There you can find and expand the SIP protocol and choose the value or header to filter on.
This post described some basics of using Wireshark for analyzing VoIP calls. Later posts will go deeper into analyzing and troubleshooting SIP and RTP packets.