Just before we start, change the configuration in Wireshark if not done already:
1. In Wireshark go to the "Analyze" tab
2. From the drop-down select "Enabled protocols"
3. In the search field type rtp
4. Make sure all check boxes under rtp are selected
5. Select the OK button

This will automatically decode UDP to RTP and RTCP.
NOTE: every time you update the Wireshark version, you need to do the above!!!
Just note that when using VOIP traffic, the signaling path and the speech path might not be the same. When using SIP the signaling setup will involve the communication server/Session Border Controller. Once the signaling path is established between two phones the speech path will flow directly between the two phones, except if a "pin-up" session is configured on the communication server. This will cause a "hairpin" connection where the speech path is pinned up through the communication server.
For SIP signaling there are mainly two TCP ports involved:
- For unencrypted signaling, port 5060 is used by default
- For encrypted signaling, port 5061 is used by default

The two protocols used for signaling are SIP and SDP (Session Initiation Protocol and Session Description Protocol).

Signaling can happen in two ways:
- Early offer (where the call initiator advertises what his capabilities are)
- Delayed offer (where the call initiator waits for the remote side to advertise what his capabilities are)

To see all SIP signaling the best filter to use is: udp.port==5060
SIP calls can be seen under the Telephony tab, then VoIP Calls.

From a speech perspective there are usually two packets involved: RTP and RTCP. RTP carries the speech packets and RTCP reports on the statistics of the RTP packet performance.
Between two phones there are two RTP streams, each uniquely identified by an SSRC (Synchronization Source).
The filter that can be used in Wireshark is: rtp.ssrc== 0x12345 (where 0x1234 is the unique value of that stream - this is just an example)
To look at telephony conversations, go to the Telephony tab, then RTP from the drop-down, and then RTP Streams.

All G.711A, G.711U and G.729 calls can be played back if not encrypted. Teams calls cannot be played back as they are encrypted by default.
Hope this helps
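
An added example, not part of the original answer: a small Python parser showing what the RTP decode and the rtp.ssrc filter key on, by reading the RTP/RTCP header (RFC 3550) from UDP payloads and grouping packets per SSRC. The function names, the sample packets and the second SSRC value are constructed for illustration.

```python
import struct
from collections import defaultdict

# Static payload types (RFC 3551) for the codecs named in the post.
CODECS = {0: "G.711U (PCMU)", 8: "G.711A (PCMA)", 18: "G.729"}

def parse_packet(data: bytes):
    """Classify one UDP payload as RTP or RTCP; return None if it is neither."""
    if len(data) < 8 or data[0] >> 6 != 2:        # RTP/RTCP version must be 2
        return None
    if 200 <= data[1] <= 204:                     # RTCP packet types SR..APP
        return {"kind": "RTCP", "ssrc": struct.unpack("!I", data[4:8])[0]}
    if len(data) < 12:                            # RTP fixed header is 12 bytes
        return None
    _, second, seq, _ts, ssrc = struct.unpack("!BBHII", data[:12])
    pt = second & 0x7F                            # drop the marker bit
    return {"kind": "RTP", "ssrc": ssrc, "seq": seq,
            "codec": CODECS.get(pt, "dynamic/unknown")}

def group_streams(payloads):
    """Count RTP and RTCP packets per SSRC, one entry per stream direction."""
    streams = defaultdict(lambda: {"rtp": 0, "rtcp": 0, "codec": None})
    for data in payloads:
        info = parse_packet(data)
        if info is None:
            continue
        entry = streams[info["ssrc"]]
        if info["kind"] == "RTP":
            entry["rtp"] += 1
            entry["codec"] = info["codec"]
        else:
            entry["rtcp"] += 1
    return dict(streams)

def make_rtp(pt, seq, ssrc):
    """Build a constructed RTP packet with 160 bytes of dummy payload."""
    return struct.pack("!BBHII", 0x80, pt, seq, seq * 160, ssrc) + b"\xd5" * 160

def make_rtcp_rr(ssrc):
    """Build a constructed, empty RTCP receiver report (packet type 201)."""
    return struct.pack("!BBHI", 0x80, 201, 1, ssrc)

# Constructed sample: one call, two directions, plus one non-RTP datagram.
SAMPLE = [make_rtp(8, 1, 0x12345), make_rtp(8, 2, 0x12345),
          make_rtp(0, 1, 0xABCDE), make_rtcp_rr(0x12345), b"\x00" * 12]

if __name__ == "__main__":
    for ssrc, entry in group_streams(SAMPLE).items():
        print(f"rtp.ssrc==0x{ssrc:x}", entry)
```

The parser reads only the header, which SRTP leaves unencrypted, so streams can still be grouped by SSRC even when the payload cannot be played back.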