Tips on capturing a SIP/RTP call using Wireshark.
Tuesday, December 18, 2007, 07:46 AM - Asterisk
by Blog administrator
I have created a full course on the topics below, which you can take at

It is possible to capture a SIP/RTP call directly from the "wire" (Ethernet). This is easiest to do when you have root access on the machine running Asterisk, but it can also be done using a softphone on a PC.

The program you need is called Wireshark, which is the successor of Ethereal.

Simply install it and start a capture. Place a call or wait for a call to take place.
Using the "Analyse" menu you can scan your capture(s) for SIP information (the number and type of SIP messages) and even isolate complete SIP dialogs.

Using the RTP option you can reassemble the complete call and even save the audio (payload) as a file to disk. Note that this only works reliably if you have at least the START of the call in your capture. You might need to tell Wireshark explicitly that some UDP packets are in fact RTP, as RTP does not use a specific port number, which may confuse Wireshark.

Specifically of interest are, of course, any problems that Wireshark detects, such as packets that are out of order, dropped (lost) packets, or very long deltas (which cause gaps in the audio).

Note that if you save the payload, many of these problems will be "corrected" and the audio may be much cleaner than what was experienced during the actual call.
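As an added example (not code from the original post), the two checks above in a few lines of Python: a version-bit test to decide whether a UDP payload is RTP at all, then a per-SSRC count of lost, out-of-order and long-delta packets over a small capture. The packet bytes, timings, SSRC and the 100 ms delta threshold are all constructed or assumed here.

```python
import struct
RTP_HDR = struct.Struct("!BBHII")  # V/P/X/CC byte, M/PT byte, seq, timestamp, SSRC

def parse_rtp(udp_payload):
    """RTP header fields as a dict, or None if this is not RTP. RTP has no fixed port, so
    the cheap test is version bits == 2 (what Wireshark guesses, and sometimes needs help with)."""
    if len(udp_payload) < RTP_HDR.size:
        return None
    b0, b1, seq, ts, ssrc = RTP_HDR.unpack_from(udp_payload)
    if b0 >> 6 != 2:  # not RTP version 2
        return None
    return {"marker": bool(b1 & 0x80), "pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc}

def make_rtp(seq, ts, ssrc, pt=0, marker=False, samples=160):
    """Build a constructed RTP packet (PT 0 is G.711 PCMU: 160 samples per 20 ms)."""
    return RTP_HDR.pack(0x80, (0x80 if marker else 0) | pt, seq, ts, ssrc) + b"\xff" * samples

def analyse_streams(packets, max_delta_ms=100.0):
    """packets: iterable of (arrival_time_s, udp_payload). Per SSRC, count lost packets (gaps in
    seq), out-of-order packets (seq going backwards) and long inter-arrival deltas (audible gaps)."""
    streams = {}
    for t, payload in packets:
        h = parse_rtp(payload)
        if h is None:
            continue  # e.g. SIP signalling, not media
        s = streams.setdefault(h["ssrc"], {"count": 0, "lost": 0, "out_of_order": 0,
                                           "long_deltas": 0, "expected": None, "last_t": None})
        s["count"] += 1
        if s["expected"] is None:  # first packet seen for this stream
            s["expected"] = (h["seq"] + 1) & 0xFFFF
        else:
            gap = (h["seq"] - s["expected"]) & 0xFFFF  # safe across 16-bit wraparound
            if gap < 0x8000:
                s["lost"] += gap  # forward jump: 'gap' packets have not arrived (yet)
                s["expected"] = (h["seq"] + 1) & 0xFFFF
            else:
                s["out_of_order"] += 1  # late packet: it was provisionally counted as lost
                s["lost"] = max(0, s["lost"] - 1)
            if (t - s["last_t"]) * 1000 > max_delta_ms:
                s["long_deltas"] += 1
        s["last_t"] = t
    return streams

def sample_capture():
    """Constructed capture: one G.711 stream at 20 ms pacing with seq 103 missing, 106
    arriving before 105 and a 298 ms stall before 107, plus one SIP packet."""
    ssrc, sip = 0xDEADBEEF, b"INVITE sip:bob@example.invalid SIP/2.0\r\n"
    plan = [(0.000, 100), (0.020, 101), (0.040, 102), (0.080, 104),
            (0.100, 106), (0.102, 105), (0.400, 107), (0.420, 108)]
    return [(0.001, sip)] + [(t, make_rtp(q, (q - 100) * 160, ssrc, marker=q == 100)) for t, q in plan]
```

Running `analyse_streams(sample_capture())` reports, for the one SSRC, 8 packets with 1 lost, 1 out of order and 1 long delta; a real capture would feed it the UDP payloads and arrival times from the pcap.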

It is not possible on a switched Ethernet network to capture calls from "other people" unless you have control over a managed Ethernet switch (that is in the circuit) or have root access to the VoIP PBX (Asterisk) itself.

If you do not have a graphical environment on the server running the VoIP PBX you can still capture the VoIP traffic using "tcpdump -s0 -w filename.pcap udp" (plus probably a few more options, such as the proper interface to capture on). You can then transfer the "filename.pcap" file to a workstation that has Wireshark installed to do the analysis.

Scanning large capture files is very memory and CPU intensive. It is most definitely NOT a good idea to do this on a "live" (operational) VoIP PBX directly. Running the tcpdump program is fairly light but can consume lots of disk space very quickly.
