How to get a Wireshark VoIP packet capture

Unified communications (UC) blurs the line that used to clearly delineate voice communications from data communications. In the not-too-distant past, Signaling System 7 (SS7) communication resided within one domain, while IP communication resided in another, each maintaining a separate but equal status in terms of importance and utilization. At present, both voice and data communications are increasingly traversing the same network infrastructure, and with this development has arisen the need to better understand what exactly is coming across the wire. Perhaps one of the more effective methods of obtaining such understanding is the use of the Wireshark packet capture tool.

Wireshark VoIP sniffing

One of the advantages of Voice over Internet Protocol (VoIP) is that network engineers can easily sniff voice traffic using Wireshark. In fact, many of the more recent versions of Wireshark have entire sections of their software devoted to VoIP traffic analysis. VoIP call packets can be captured under the Telephony dropdown on the main Wireshark capture page.

An effective way of capturing traffic in a LAN is to install Wireshark on the main VoIP server. If you are using an Asterisk Session Initiation Protocol (SIP) server, you may want a GNOME or KDE desktop installed to make it easier to use. Linux purists may balk at the concept of installing a graphical user interface on their respective systems, and may prefer to use the command-line version of Wireshark: TShark. However, TShark will not have the rich assortment of graphs and other analytic tools available within Wireshark that may be valuable to you.

After Wireshark is installed on the VoIP server, open it and select the interfaces that the capture will occur on. Select the Start button, and captured packets should begin flying across the screen.

Make sure that a minimum of two end devices are registered with the SIP server, and place a call from one end device to another. Examples of SIP-enabled end devices include VoIP handheld phones, video teleconferencing devices and SIP-enabled softphones installed on workstation desktops.

After enough packets have been captured to create a sufficient Wireshark VoIP sample size, end the call, then stop the capture. Keep in mind that what is considered a "sufficient" sample size is entirely subjective, and it will vary from network to network. However, in a simple scenario where only two phones and a server are involved, feel free to stop the capture after 10 to 15 seconds of phone conversation. This should easily result in a capture size of 4,000 to 5,000 packets.
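
The same capture procedure run from the command line with TShark, which the article names as the non-GUI option. This is an added example, not part of the original tip; SIP on port 5060, the 15-second default, the output file name and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: time-boxed VoIP capture with TShark on the SIP server.
# Assumptions (not from the article): SIP signalling on port 5060, RTP over UDP;
# interface, duration and output path are supplied by the operator.

# BPF capture filter: all UDP (RTP uses dynamic UDP ports) plus SIP over TCP.
voip_capture_filter() {
    printf 'udp or tcp port %s' "${1:-5060}"
}

# Accept only a positive whole number of seconds before handing it to tshark.
valid_duration() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

capture_voip() {
    local iface="$1"
    local seconds="${2:-15}"
    local out="${3:-voip-capture.pcapng}"

    valid_duration "$seconds" || { echo "duration must be a positive integer" >&2; return 2; }
    command -v tshark >/dev/null || { echo "tshark not found" >&2; return 3; }

    # The file holds call signalling and audio: create it readable by its owner only.
    ( umask 077
      tshark -i "$iface" -f "$(voip_capture_filter)" -a "duration:${seconds}" -w "$out" ) || return 4

    # Summarise the result: SIP message counts and the RTP streams seen.
    tshark -r "$out" -q -z sip,stat -z rtp,streams
}

# Runs only when an interface is given, e.g.: ./voip-capture.sh eth0 15 call.pcapng
if [ "$#" -ge 1 ]; then
    capture_voip "$@"
fi
```

Start the script, place the call between the two registered end devices, and the capture stops by itself when the duration expires.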

Once you successfully complete your Wireshark VoIP packet capture, you'll want to make sure you parse the data correctly. In the second part of this tip, learn how to filter your Wireshark packet capture for a more accurate picture of your VoIP traffic.

This was first published in July 2013
