Wiki -VoIP Topics

Sniffer


 

 

Protocol dependencies


  • SIP commonly uses UDP (default port 5060), TCP (default port 5060) or TLS (default TCP port 5061) as its transport. SIP signalling may also be compressed and delivered by SigComp.



  • SIP is commonly used to establish media sessions, e.g. RTP/RTCP streams carrying audio or video data, where session details are commonly negotiated using SDP offers/answers


  • PINTs and SPIRITS - Service interworking


  • Number resolution - TRIP and ENUM (IETF Charter for ENUM)



  • Seamless signaling - SIGTRAN and SIP-T


  • IMPP - Instant Messaging and Presence


  • SIMPLE - SIP for Instant Messaging and Presence Leveraging Extensions (IETF Charter for SIMPLE)


 

Example traffic

SIP.jpg

 

Wireshark

The SIP dissector is fully functional. You can also view SIP message statistics (Statistics | SIP...) or view SIP call flow graphs (Statistics | VoIP Calls).

 

Preference Settings

  • Display raw text for SIP message. Default OFF

  • Enforce strict SIP version check (SIP/2.0). Default ON

  • Reassemble SIP headers spanning multiple TCP segments. Default ON

  • Reassemble SIP bodies spanning multiple TCP segments. Default ON

 

Example capture file

SampleCaptures/aaa.pcap Sample SIP and RTP traffic.

 

Display Filter

A complete list of SIP display filter fields can be found in the display filter reference

  • Show only the SIP based traffic:

     sip 

 

Capture Filter

You cannot directly filter SIP protocols while capturing. However, if you know the UDP or TCP port used (see above), you can filter on that one.
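The following is an added example, not part of the original wiki page: it reads the SDP offer carried in a SIP INVITE (see Protocol dependencies) and builds a capture filter covering the default SIP ports listed above plus the offered RTP/RTCP ports. The sample message is constructed, the helper names are hypothetical, and RTCP is assumed to use the RTP port + 1.

```python
# Added example: constructed input, hypothetical helper names.
SIP_PORTS = {"udp": [5060], "tcp": [5060, 5061]}  # defaults listed on this page

# Constructed SDP offer; the video stream overrides the session-level c= address.
SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/AVP 31\r\nc=IN IP4 192.0.2.20\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.org>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\nCSeq: 314159 INVITE\r\n"
    f"Content-Type: application/sdp\r\nContent-Length: {len(SDP)}\r\n\r\n" + SDP
)

def split_sip(message):
    """Split a SIP message into start line, lower-cased header dict and body."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def sdp_media(body):
    """Return (media, address, rtp_port) for each m= line of an SDP body."""
    session_addr, media = None, []
    for line in body.splitlines():
        kind, _, value = line.partition("=")
        if kind == "c":                      # c=<nettype> <addrtype> <address>
            addr = value.split()[2]
            if media:
                media[-1][1] = addr          # media-level c= overrides session-level
            else:
                session_addr = addr
        elif kind == "m":                    # m=<media> <port> <proto> <fmt...>
            name, port = value.split()[:2]
            media.append([name, session_addr, int(port.split("/")[0])])
    return [tuple(m) for m in media]

def capture_filter(message):
    """Build a capture filter for SIP signalling plus the offered RTP/RTCP ports."""
    _, headers, body = split_sip(message)
    terms = [f"{proto} port {p}" for proto, ports in SIP_PORTS.items() for p in ports]
    # "c" is the compact form of the Content-Type header.
    if headers.get("content-type", headers.get("c", "")).startswith("application/sdp"):
        for _, addr, port in sdp_media(body):
            if port:                         # port 0 marks a disabled stream
                terms.append(f"(host {addr} and udp portrange {port}-{port + 1})")
    return " or ".join(terms)
```

This only works on signalling that can be read in clear text; with SIP over TLS (TCP port 5061) the SDP body is not visible to the capture host.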