Protocol dependencies
SIP is commonly uses as its transport UDP (default port 5060), TCP (default port 5060) or TLS (default TCP port 5061). SIP signalling may also be compressed and delivered by Sigcomp
SIP is commonly used to establish media sessions, e.g. RTP/RTCP streams carrying audio or video data, where session details are commonly negociated using SDP offers/answers
- PINTs and SPIRITS - Service interworking
Number resolution - TRIP and ENUM (IETF Charter for ENUM)
Seamless signaling - SIGTRAN and SIP-T
- IMPP - Instant Messaging and Presence
SIMPLE - SIP for Instant Messaging and Presence Leveraging Extensions IETF Charter for SIMPLE
Example traffic
Wireshark
The SIP dissector is fully functional. You can also view SIP message statistics (Statistics | SIP...) or view SIP call flow graphs (Statistics | VoIP Calls)
Preference Settings
- Display raw text for SIP message. Default OFF
- Enforce strict SIP version check (SIP/2.0). Default ON
- Reassemble SIP headers spanning multiple TCP segments. Default ON
- Reassemble SIP bodies spanning multiple TCP segments. Default ON
Example capture file
SampleCaptures/aaa.pcap Sample SIP and RTP traffic.
Display Filter
A complete list of SIP display filter fields can be found in the display filter reference
Capture Filter
You cannot directly filter SIP protocols while capturing. However, if you know the
UDPor
TCPor port used (see above), you can filter on that one.