Just before we start, just change the configuration on Wireshark if not done already:
In Wireshark go to "Analyze" tab
From drop down select "Enabled protocols"
In the search field type rtp
Make sure all check boxes under rtp are selected
Then select the OK button
This will automatically decode UDP to RTP and RTCP
NOTE: every time you update the Wireshark version, you need to do the above!!!
Just note that when using VOIP traffic, the signaling path and the speech path might not be the same. When using SIP the signaling setup will involve the communication server/Session Border Controller. Once the signaling path is established between two phones the speech path will flow directly between the two phones, except if a "pin-up" session is configured on the communication server. This will cause a "hairpin" connection where the speech path is pinned up through the communication server.
For SIP signaling there are mainly two tcp ports involved:
For Unencrypted signaling, port 5060 is used by default
For Encrypted signaling, port 5061 is used by default
The two protocols used for signaling are SIP and SDP (Session Initiation Protocol and Session Description Protocol)
Signaling can happen in two ways:
Early offer (where the call initiator advertises what his capabilities are)
Delayed offer (where the call initiator waits for the remote side to advertise what his capabilities are)
For all SIP signaling the best filter to use is: udp.port==5060
SIP calls can be seen under the Telephony TAB then VOIP calls
From a speech perspective there are usually two packets involved:
RTP and RTCP
RTP carries the speech packets and RTCP reports on the statistics of the RTP packet performance
Between two phones there are two RTP streams, each uniquely identified by an SSRC (Synchronization Source)
Filter that can be used in Wireshark is:
rtp.ssrc== 0x12345 (Where 0x1234 is the unique value of that stream - this is just an example)
To look at telephony conversations:
Telephony tab, then RTP from the drop-down, and then RTP streams.
All G.711A, G.711U and G.729 calls can be played back if not encrypted.
Teams calls cannot be played back as they are encrypted by default
Hope this helps
Is your computer connected through the phone? If the answer is yes, you are not gonna see any voice traffic. You need to span the phone port to your computer port and unbind all networking protocols from the NIC you are using to capture.
Read the Wireshark capture setup wiki. Regardless whether your PC is connected via the phone or next to the phone (to another port of the same switch to which the phone is connected), there is always a switch between the phone's own traffic and the PC.
Depending on your phone model, even the phone itself may be able to capture its own traffic into a file, but you actually need to capture at several different points on the path between the phones simultaneously and identify the section of the path where the packets get lost or delayed. The most likely cause is unmanaged or poorly managed QoS in the network where the VoIP packets are not prioritized over other traffic. If there were only lost packets, it could be a faulty port or cable, but if there are delayed packets, it is definitely a QoS issue.
I would check the path the SIP traffic is taking between the phone and the other endpoint (PBX?) and then figure out if there is a device in that path which can do packet traces. Most modern phones do pcap. Also, the HP 5900 series has port mirroring. Thus you could set up a port to mirror the traffic in question and attach your PC there for Wireshark to see something. I think I once read something about a packet-capturing-capable image for that switch type, but I'd rather go with port mirroring first.
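The per-SSRC stream view and the lost-packet check discussed in the answers above can be reproduced outside Wireshark, which helps when comparing captures taken at several points on the path. The following is an added example, not code from any of the posters: it parses the fixed RTP header from UDP payloads, groups packets by SSRC and counts sequence-number gaps. The packets, SSRC values and helper names are constructed for illustration.

```python
import struct
from collections import defaultdict

# Static payload types (RFC 3551) for the codecs named in the post.
CODECS = {0: "G.711U", 8: "G.711A", 18: "G.729"}

def parse_rtp(payload):
    """Return (ssrc, payload_type, seq) from a UDP payload, or None if not RTP."""
    if len(payload) < 12:
        return None
    b0, b1, seq, _ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:            # RTP version must be 2
        return None
    if 200 <= b1 <= 204:        # RTCP packet types (SR, RR, SDES, BYE, APP)
        return None
    return ssrc, b1 & 0x7F, seq

def summarize(payloads):
    """Per-SSRC codec, received count and packets lost (from sequence gaps)."""
    streams = defaultdict(lambda: {"codec": None, "received": 0, "lost": 0, "last": None})
    for payload in payloads:
        hdr = parse_rtp(payload)
        if hdr is None:
            continue
        ssrc, pt, seq = hdr
        s = streams[ssrc]
        s["codec"] = CODECS.get(pt, "PT %d" % pt)
        s["received"] += 1
        if s["last"] is None:
            s["last"] = seq
            continue
        gap = (seq - s["last"]) & 0xFFFF    # sequence numbers wrap at 16 bits
        if 0 < gap < 0x8000:                # forward step; late/duplicate packets ignored
            s["lost"] += gap - 1
            s["last"] = seq
    return dict(streams)

def make_rtp(ssrc, pt, seq):
    """Build a constructed RTP packet: 12-byte header plus 160 bytes of dummy audio."""
    return struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, (seq * 160) & 0xFFFFFFFF, ssrc) + bytes(160)

# Constructed sample: two directions of one call, one non-RTP payload, one RTCP report.
SAMPLE = (
    [make_rtp(0x12345, 8, n) for n in (65533, 65534, 65536, 65537, 65538)]  # 65535 missing
    + [make_rtp(0xABCDE, 0, n) for n in range(100, 105)]
    + [b"OPTIONS sip:example.invalid SIP/2.0\r\n"]
    + [struct.pack("!BBHI", 0x80, 200, 6, 0x12345) + bytes(20)]
)

if __name__ == "__main__":
    for ssrc, s in summarize(SAMPLE).items():
        print("rtp.ssrc == 0x%x  %s  received=%d lost=%d" % (ssrc, s["codec"], s["received"], s["lost"]))
```

Running the same summary over captures from two points on the path shows which segment the loss first appears on; delay and jitter need the capture timestamps, which this sketch does not use.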