I sniff the traffic between client machines sip but I click on player decode and then I get no result I do not know where is the problem. knowing that I use sip client installed on a virtual machine and another on the physical machine and the attacker uses a machine back track 4 r1. any one cab help me ! asked 13 Feb '14, 13:32  rasdab |
One Answer:
It should be reasonable straight forward provided you have captured all the necessary packets. Basically you should confirm that you have at least two packets that show up in Wireshark as SIP/SDP. These will be the Invite Request from the Caller IP and the "OK" Status from the Called IP. They will both have SDP message bodies that contain the Media Description that has Media Port, which is the UDP port used for the RTP traffic. Wireshark will then look for UDP packets matching these, and decode them as RTP. This is for unencrypted SIP over UDP. If you are using encrypted SIP over TLS you would need to provide Wireshark with the appropriate private key to do the decrypt first (I haven't actually looked at SIP over TLS but that's the theory) answered 13 Feb '14, 16:08  martyvis |
i have 7 sip/sdp but when i clic on "telephony" after "voip calls" "player" and decode i have now result empty "graph"
You probably need to provide more details of the capture (maybe upload to Cloudshark if it is non-sensitive such as phone numbers of the conversation contants). According to the snapshot of your graph, all of your RTP packets (100%) are out of sequence. Also you seem to be showing the voice graph for a time outside the Duration (15.37 and 7.4 secs). Maybe also just confirm for yourself that the samples at http://wiki.wireshark.org/SampleCaptures#SIP_and_RTP work in your setup (playback properly)