VoIP Captures

VoIP calls, using the network protocols SIP/SDP and RTP, are the de-facto standard when it comes to voice calls. Wireshark offers some special features to analyze those calls and RTP streams – even with a nice “Play Streams” option, which discretely decodes your calls. Ouch. Again and again, frightening which privacy-related protocols are completely unencrypted on the Internet!

Here are some hints for Wireshark as well as a downloadable pcap with three calls in there. ;) Have fun!

I won’t explain any SIP/SDP/RTP details here. There is much information out there already. I basically want to share a pcap to play with, along with some Wireshark screenshots.

Download the pcap, 7zipped, 473 KB:

Open it with Wireshark and go to Telephony -> VoIP Calls to get this overview:

You can either have a look at the Flow Sequence:

Or you hit the “Play Streams” button to actually listen to the calls in the RTP Player. Wuh:

I have three VoIP calls in the pcap. Two g711A streams and one HD stream with g722.

Challenge: Who called me? ;D Answer in the comment section!

Another way to have a look at the RTP details is to open Telephony -> RTP -> RTP Streams, click the stream of interest, followed by “Find Reverse” and then Analyze:

This gives you details about the jitter, losses, etc.:

Of course, the great Wireshark dissectors work for all protocol details as well, e.g., the SIP packet details:

Was ist der größte Vorteil von Voice-over-IP? — Man bekommt keine nervigen Anrufe mehr, wenn das Netz mal ausfällt.

Featured image “Tischfernsprecher W48” by Felix Winkelnkemper is licensed under CC BY 2.0.

4 thoughts on “VoIP Captures

  1. Hi Johannes, this is a great example. I was wondering why there is no RTCP communication in the capture?

  2. Hi Johannes,
    thanks for the public provided Wireshark VoIP capture.
    We did use it as example for our Stacked Brains VoIP Analyzer Tool to show the way our tool converts any VoIP Wireshark capture to nicely formatted HTML pages.
    You can find your processed example at https://www.voipanalyzertool.com
    under the “output” section.

    Our tool is able to merge hundreds of Wireshark captures to one single Wireshark capture, filter intelligent, audit Wireshark VoIP captures and as last, convert any Wireshark (VoIP) capture to an anonymous Wireshark capture (obfuscate) where SIP names, SIP call numbers and/or IP addresses are re-written.

    Thanks once more for the public available Wireshark VoIP capture.
    It was useful for us.
    The Stacked Brains Team

Leave a Reply

Your email address will not be published. Required fields are marked *