How To Analyze SIP Calls in Wireshark
Eric Jiang
Thursday at 07:59
When we face a problem such as a failed call or no audio in SIP, we usually need to get the PCAP
dump file and check the packets. This article explains how to use Wireshark to analyze SIP calls.
Filter        Description
udp.srcport   Filters packets by UDP source port, e.g. udp.srcport==10000
udp.dstport   Filters packets by UDP destination port, e.g. udp.dstport==20000 or udp.srcport= || udp.dstport==20000
We can also filter on a specific parameter in a packet with the 'Prepare a Filter' option:
select the parameter you want and right-click it to display the menu.
For more details about how to use Wireshark, see the Wireshark Wiki.
Select the calls you want to check; the previously disabled Flow Sequence option then becomes
available. Click the Flow Sequence button to see a graph of the call with some details:
The following figure shows the SIP call filtered by Call-ID.
3) SIP headers
Enable raw display for SIP messages so that we don't need to expand every SIP header or SDP
parameter.
There are two parts in the SIP INVITE request: the SIP headers and the SDP.
We can see all the RTP streams listed, along with some information about each stream, such as
source port and destination port, SSRC, payload, max delta, percentage of lost packets, and
jitter.
But how could we know which stream is the one we want to check?
On the SIP call flow graph, we can see the source and destination ports of an RTP stream
The media line of the SDP in the INVITE or 200 OK SIP messages
Play an RTP stream: in the RTP Streams list, Analyze > Play Streams
We can see the RTP player after clicking the Play Streams button.
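An added example (not part of the original article): a short Python parser that reads the c= and m= lines of the SDP in an INVITE and its 200 OK and builds the udp.dstport display filter for the matching RTP stream. The sample messages, addresses and function names are constructed for illustration.

```python
# Constructed sample messages (not from a real capture): an INVITE offer and
# its 200 OK answer. The offer disables video (port 0); the answer carries its
# connection address at media level (c= after m=) instead of session level.
INVITE = """INVITE sip:bob@192.0.2.20 SIP/2.0
Call-ID: example-call-1@192.0.2.10

v=0
o=alice 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 10000 RTP/AVP 0 8
m=video 0 RTP/AVP 96
""".replace("\n", "\r\n")
OK_200 = """SIP/2.0 200 OK
Call-ID: example-call-1@192.0.2.10

v=0
o=bob 1 1 IN IP4 192.0.2.20
s=-
t=0 0
m=audio 20000 RTP/AVP 0
c=IN IP4 192.0.2.21
""".replace("\n", "\r\n")

def media_endpoints(sip_message):
    """Return [{'media', 'ip', 'port'}] for the active streams in the SDP body."""
    _headers, _, sdp = sip_message.partition("\r\n\r\n")
    session_ip, streams = None, []
    for line in sdp.splitlines():
        if line.startswith("c="):
            ip = line.split()[2]                # c=<nettype> <addrtype> <address>
            if streams:
                streams[-1]["ip"] = ip          # media-level c= overrides session
            else:
                session_ip = ip
        elif line.startswith("m="):
            media, port = line[2:].split()[:2]  # m=<media> <port> <proto> <fmt>
            streams.append({"media": media, "ip": session_ip,
                            "port": int(port.split("/")[0])})
    return [s for s in streams if s["port"] != 0]

def rtp_display_filter(offer, answer, media="audio"):
    """Wireshark display filter for both directions of one negotiated stream."""
    ends = [next(s for s in media_endpoints(m) if s["media"] == media)
            for m in (offer, answer)]
    # Each SDP names where that side wants to RECEIVE, so match on destination.
    return " || ".join(f"(ip.dst=={e['ip']} && udp.dstport=={e['port']})"
                       for e in ends)
```

If a NAT or media relay sits between the endpoints, the addresses and ports in the capture can differ from those in the SDP, so confirm the result against the ports shown on the call flow graph.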
For how to get a PCAP file, refer to the link: How to Get PCAP Dump Capture