
Capturing handshake between a SIP handset & PBX

asked 2021-02-05 14:36:48 +0000


First of all apologies for the basic question.

I'm trying to capture the handshake packets when a SIP handset registers with a PABX & I'm struggling.

I enter the PBX details inc. usernames, passwords, etc. into the SIP handset. Then I unplug the handset & start Wireshark, then plug it back in.

Once the handset has booted back up I stop the trace & use the display filter to look at the IP address of the PBX to hopefully find the acknowledgement between the PBX & SIP handset, but nothing appears. The PBX confirms the handset is registered.

Any ideas?

Thanks. Lee.



You'll need to describe your capture set up. What is the network relationship between the PBX, the handset and the host on which you're performing the Wireshark capture?

grahamb ( 2021-02-05 15:08:37 +0000 )

So the PBX, SIP handset & PC are all on the same subnet.

Does this answer your question?

Thanks. Lee.

Lee Wolstencroft ( 2021-02-05 15:40:55 +0000 )

Not really, how are they connected, presumably there's some sort of switch involved?

grahamb ( 2021-02-05 16:00:29 +0000 )

Okay sorry, so the PBX is connected to a Netgear GS728TP switch. This switch is connected to a Zyxel 8 port switch where my SIP device & PC are connected.

Lee Wolstencroft ( 2021-02-05 16:04:38 +0000 )

Have you considered your capture setup?

Jaap ( 2021-02-05 16:33:10 +0000 )

1 Answer


answered 2021-02-05 17:22:13 +0000

grahamb

You have a switched network and as it stands Wireshark on your PC will not see the traffic between the PBX and the handset.

The link @Jaap posted details some methods on how to capture in a switched network.



Great thanks. I'll take a look.

Lee Wolstencroft ( 2021-02-05 17:30:55 +0000 )

So just to be more specific in my set-up:

Netgear GS728TP Managed Switch - PBX connected to Port 8

Netgear GS728TP Managed Switch Port 9 -> connected to the Zyxel Switch Port 1

SIP handset connected to the Zyxel switch in port 2

Laptop running Wireshark connected to the Zyxel switch in port 3

So which port(s) do I need to be mirroring & which would be the probe?

Thanks. Lee.

Lee Wolstencroft ( 2021-02-05 19:32:01 +0000 )

If the Zyxel switch can mirror ports you should mirror port 2, the handset, to port 3, the laptop with the capture software.

grahamb ( 2021-02-05 20:01:45 +0000 )

Thanks, so on the Zyxel it does have the option to mirror ports.

So, this is what I have set & still not getting anything which shows the IP handset communicating with the PBX which is plugged into port 8 of the Netgear switch.

Zyxel Mirror Port settings:

Monitor port -> Port 2 (SIP Handset Port)

Egress Acting Port -> 3 (PC)

Ingress Acting Port -> 3 (PC)

Lee Wolstencroft ( 2021-02-07 16:30:14 +0000 )

Unfortunately I have no experience whatsoever on Zyxel devices so can't offer any advice on that aspect.

I'm assuming that you are capturing on the correct interface (the one connected to the Zyxel) and have promiscuous mode turned on; it's on by default (Wireshark menu -> Capture -> Capture Options).

grahamb ( 2021-02-07 16:51:29 +0000 )
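
The answer above and the port-mirroring suggestion in its comments, modelled as an added example that is not part of the original thread: a minimal MAC-learning switch showing which frames reach the laptop on port 3 with and without a mirror of port 2. The `Switch` class, the MAC addresses and the frame sequence (including the 401 challenge) are constructed for illustration and do not describe Zyxel firmware behaviour.

```python
# Added illustration: a minimal MAC-learning switch, not Zyxel firmware behaviour.
# Ports follow the thread: 1 = uplink towards the PBX, 2 = handset, 3 = laptop.
BROADCAST = "ff:ff:ff:ff:ff:ff"
PBX, HANDSET = "02:00:00:00:00:08", "02:00:00:00:00:02"  # constructed MACs


class Switch:
    def __init__(self, ports, mirror_source=None, mirror_dest=None):
        self.ports = set(ports)
        self.mac_table = {}                 # learned MAC address -> port
        self.mirror_source = mirror_source  # port whose traffic is copied
        self.mirror_dest = mirror_dest      # port the capture host sits on
        self.seen = {p: [] for p in ports}  # frames delivered to each port

    def receive(self, in_port, src, dst, label):
        """Forward one frame and record which ports it is delivered to."""
        self.mac_table[src] = in_port       # learn where the sender lives
        if dst != BROADCAST and dst in self.mac_table:
            out = {self.mac_table[dst]}     # known unicast: one port only
        else:
            out = set(self.ports)           # broadcast or unknown: flood
        # A mirror copies both ingress and egress traffic of the source port.
        if self.mirror_dest is not None and self.mirror_source in out | {in_port}:
            out.add(self.mirror_dest)
        for port in out - {in_port}:
            self.seen[port].append(label)


def capture_on_laptop(switch):
    """Replay a constructed handset registration; return what port 3 receives."""
    frames = [  # (ingress port, source MAC, destination MAC, label)
        (2, HANDSET, BROADCAST, "ARP who-has PBX"),
        (1, PBX, HANDSET, "ARP reply"),
        (2, HANDSET, PBX, "SIP REGISTER"),
        (1, PBX, HANDSET, "SIP 401 Unauthorized"),
        (2, HANDSET, PBX, "SIP REGISTER with credentials"),
        (1, PBX, HANDSET, "SIP 200 OK"),
    ]
    for frame in frames:
        switch.receive(*frame)
    return switch.seen[3]


if __name__ == "__main__":
    print("no mirror:    ", capture_on_laptop(Switch([1, 2, 3])))
    print("mirror 2 -> 3:", capture_on_laptop(Switch([1, 2, 3], 2, 3)))
```

Without a mirror the laptop receives only the flooded ARP broadcast; with port 2 mirrored to port 3 it receives every frame of the exchange.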


Asked: 2021-02-05 14:36:48 +0000

Seen: 389 times

Last updated: Feb 05 '21