This wiki has been migrated to https://gitlab.com/wireshark/wireshark/-/wikis/home and is now deprecated. Please use that site instead.

VoIP Calls

Lea esta ayuda en espaƱol en http://wiki.wireshark.org/VoIP_calls_spanish

To access the VoIP calls analysis use the menu entry "Telephony->VoIP Calls...". The current VoIP supported protocols are:

with the corresponding RTP streams.

See VOIPProtocolFamily for an overview of the used VoIP protocols.

To try out this dialog, a small capture file containing a VoIP call can be found at SampleCaptures/rtp_example.raw.gz which contains an example H323 call including H225, H245, RTP and RTCP packets.

List VoIP calls

voip_calls_list.jpg

The VoIP calls list shows the following information per call:

Filtering a call

To prepare a filter for a particular call, just select the desired call and press "Prepare Filter" button. This will create a filter in the Main Wireshark windows to filter the packets related to this call. This is specially useful when you want to connect ISUP calls according to some CIC value.

VoIP calls Graph analysis

voip_calls_graph.jpg

To Graph analysis one or multiple calls from the VoIP List, select them from the list and then press the "Graph" button.

The Graph will show the following information:

When clicking a packet in the Graph, the selected frame will be selected in the Main Wireshark window.

Playing VoIP calls

Wireshark allows you to play any codec supported by an installed plugin. Wireshark allows you to save decoded audio in .au file format. Prior to version 3.2.0, it only supported saving audio using the G.711 codec; from 3.2.0 it supports saving audio using any codec with 8000 Hz sampling.

The codecs supported by Wireshark depend on the version of Wireshark you're using. The official builds contain all of the plugins maintained by the Wireshark developers, but custom/distribution builds might not include some of those codecs. To check your Wireshark follow this procedure:

plugins_codecs.png

To play the RTP audio stream of one or multiple calls from the VoIP List, select them from the list and then press the "Player" button:

voip_calls_play1.jpg

Choose an initial value for the jitter buffer and then press the "Decode button". The jitter buffer emulated by Wireshark is a fixed size jitter buffer and can efficiently be used to reproduce what clients can effectively hear during the VoIP call.

You can now see all RTP streams available for the calls that you selected:

voip_calls_play2.jpg

Note that all RTP packets that are dropped because of the jitter buffer are reported ("Drop by Jitter Buff"), as well as the packets that are out of sequence (Out of Seq).

Pressing the "Play" button plays the RTP stream from within Wireshark. A progress bar indicates the position in the stream and is synchronized amongst all RTP streams that are played.

Discussion

The file rtp_example.raw.gz didn't worked for me, you may try to play this capture file VoIP call instead: SampleCaptures/SIP_CALL_RTP_G711

I have some videos on how to analyze VoIP calls using Wireshark.

VoIP_calls (last edited 2019-12-27 21:22:42 by GuyHarris)