How to get a Wireshark VoIP packet capture

To see what is going across your network, you can use packet sniffing tool Wireshark to detect VoIP traffic. Learn to sniff your network in this tip.

Unified communications (UC) blurs the line that used to clearly delineate voice communications from data communications....

In the not too distant past, Signaling System 7 (SS7) communication resided within one domain, while IP communication resided in another, each maintaining a separate but equal status in terms of importance and utilization. At present, both voice and data communications are increasingly traversing the same network infrastructure, and with this development has arisen the need to better understand what exactly is coming across the wire. Perhaps one of the more effective methods at obtaining such understanding is the utilization of the Wireshark packet capture tool.

Wireshark VoIP sniffing

One of the advantages of Voice over Internet Protocol (VoIP ) is that network engineers can easily sniff voice traffic using Wireshark. In fact, many of the more recent versions of Wireshark have entire sections of their software devoted to VoIP traffic analysis. VoIP call packets can be captured under the Telephony dropdown on the main Wireshark capture page:

An effective way of capturing traffic in a LAN is to install Wireshark on the main VoIP server. If you are using an Asterisk Session Initiation Protocol (SIP) server, you may want a Gnome or KDE desktop installed to make it easier to use. Linux purists may balk at the concept of installing a graphical user interface on their respective systems, and may prefer to use the command-line version of Wireshark: TShark. However, TShark will not have the rich assortment of graphs and other analytic tools available within Wireshark that may be valuable to you.

After Wireshark is installed on the VoIP server, open it and select the interfaces that the capture will occur on. Select the Start button, and captured packets should begin flying across the screen.

Make sure that a minimum of two end devices are registered with the SIP server, and place a call from one end device to another. Examples of SIP-enabled end devices include VoIP handheld phones, video teleconferencing devices and SIP-enabled softphones installed on workstation desktops.

More on Wireshark VoIP sniffing

Learn to block sniffers from catching SIP and VoIP traffic

View this Wireshark tutorial on sniffing network traffic

After enough packets have been captured to create a sufficient Wireshark VoIP sample size, end the call, then stop the capture. Keep in mind that what is considered a "sufficient" sample size is entirely subjective, and it will vary from network to network. However, in a simple scenario where only two phones and a server are involved, feel free to stop the capture after 10 to 15 seconds of phone conversation. This should easily result in a capture size of 4,000 to 5,000 packets.

Once you successfully complete your Wireshark VoIP packet capture, you'll want to make sure you parse the data correctly. In the second part of this tip, learn how to filter your Wireshark packet capture for a more accurate picture of your VoIP traffic.

Dig Deeper on VoIP QoS and Performance