This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

VOIP Capturing

0

Hi, I'm trying to set up VOIP capture, and I'm not seeing any results.

Installed Wireshark, set up the interface. I have 2 NICs; one is Internet based, with only the protocols used for internet. File/Print and Client for Microsoft turned off. This is the interface for capturing. The second NIC is used for the local area connection, and has no access to the internet. From this point I started the capture, using promiscuous mode. No filters were set up, as I want to see all the PCs running VOIP (5 PCs). Running the analysis for at least an hour, I then tried to view the VOIP packets, but there are none, and I have people on VOIP phones as I type this message. All the phones, whether they are hardphones/softphones, they're all plugged into a switch. The scanning interface is plugged into the router. I also tried scanning from an interface plugged into the switch. VOIP is running on an outside hosted PBX.

Any thoughts? What am I doing wrong? Thx

asked 29 Jan '15, 13:59

Terra

I'm not sure I totally understand the network topology and how you're trying to get the packets here. You say you have five PCs connected to a switch, and that the "scanning interface", in contrast, is connected to an upstream router which can also route to the external PBX acting as a softswitch - In that scenario, how are you having the router forward the VoIP traffic to the PC you're running Wireshark on?

Is this the topology?:

    [PBX and Internet]
            |
        [router] -- [PC with Wireshark]
            |
        [switch]
            |
         [5 PCs]

Also, do you see any traffic at all, aside from just not seeing the VoIP traffic? I'm assuming from the tags this is a SIP/RTP network we're talking about?

(29 Jan '15, 15:13) Quadratic

Hi

Topology [PBX] outside provider...no access to PBX

Internet[Cable Modem][Router][PC w/Wireshark]

[switch] 5 PC's running VOIP softphone - 5 PC's non VOIP - 3 Hardphones (VOIP)[PC w/Wireshark also, for testing].

It is a SIP/RTP network. I see all kinds of traffic TCP/UDP/ICMP/ARP...etc.

I'm running Wireshark from the PC connected to the router, in promiscuous mode.

(30 Jan '15, 10:03) Terra

One Answer:

0

You need to ensure that the packets you want to receive are making it to your PC (which is not accomplished just by running in promiscuous mode). From your topology diagram, your PC is connected to an upstream router, and isn't in the same LAN as the PCs whose traffic you are trying to intercept. So, if you're routing packets between the PC LAN and the Internet, the IP router is not normally going to duplicate that traffic and send it also to your Wireshark-running PC.

I suggest you either limit your Wireshark trace to one of the softphone PCs that is in the line-of-path of the VoIP traffic, or you get a switch that can support port mirroring (or "SPAN"), to have the VoIP-related traffic mirrored to the port you're running Wireshark on.

Now, for the PC running a soft phone, do you see the SIP/RTP traffic when running Wireshark on this PC? Can you confirm what port/transport protocol you're using for SIP, and whether you are having these decoded as SIP (check this under Edit > Preferences > Protocols > SIP and make sure the port info is correct for your implementation)?

As for the "all kinds of traffic" issue on the PC with the softphone, have you tried just typing "sip" in the search bar and filtering on that to see if you do indeed have any SIP packets showing up there?

answered 30 Jan '15, 15:11

Quadratic

edited 30 Jan '15, 15:13

Not an issue, as I ran Wireshark on the target PC. All PCs are on the same LAN/subnet. Switch is a non-managed switch...no port mirroring possible. I did try searching for SIP.

It's all moot now.

Thx!

(31 Jan '15, 15:20) Terra
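
An added example, not part of the original thread: a quick way to test the answer's point that promiscuous mode alone does not deliver other hosts' traffic on a switched network. It classifies every frame in a capture by whether the capture NIC is an endpoint and counts SIP messages by their start line. It assumes a classic little-endian pcap file (not pcapng); the MAC addresses, IP addresses, hostnames and both sample captures are constructed.

```python
import struct
from collections import Counter

def frame(dst, src, payload, sport=5060, dport=5060):
    """Constructed Ethernet/IPv4/UDP frame; IPs fixed, checksums left at 0."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return bytes.fromhex(dst) + bytes.fromhex(src) + b"\x08\x00" + ip + udp

def build_pcap(frames):
    """Classic little-endian pcap, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def capture_visibility(pcap, my_mac):
    """Classify frames by who they belong to, and count SIP messages seen."""
    seen = Counter()
    off = 24                                   # skip the pcap global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]
        f = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(f) < 14:
            continue                           # too short for an Ethernet header
        if f[0] & 1:                           # group bit: broadcast/multicast
            seen["broadcast_or_multicast"] += 1
        elif my_mac in (f[0:6].hex(), f[6:12].hex()):
            seen["own_unicast"] += 1
        else:
            seen["foreign_unicast"] += 1       # only visible via mirror/tap/hub
        if f[12:14] == b"\x08\x00" and f[23:24] == b"\x11":   # IPv4 + UDP
            data = f[14 + (f[14] & 0x0F) * 4 + 8:]
            line = data.split(b"\r\n", 1)[0]   # SIP start line, on any port
            if line.endswith(b" SIP/2.0") or line.startswith(b"SIP/2.0 "):
                seen["sip"] += 1
    return seen

# Constructed sample data: ME is the capture NIC, PHONE a softphone, GW the router.
ME, PHONE, GW, BCAST = "020000000001", "020000000002", "0200000000fe", "ffffffffffff"
own = frame(GW, ME, b"REGISTER sip:pbx.example.invalid SIP/2.0\r\n\r\n")
noise = frame(BCAST, PHONE, b"discovery", 137, 137)
call = frame(GW, PHONE, b"INVITE sip:100@pbx.example.invalid SIP/2.0\r\n\r\n")
SWITCH_PORT = build_pcap([own, noise])         # ordinary unmanaged switch port
MIRROR_PORT = build_pcap([own, noise, call])   # same port fed by a mirror or tap
for name, cap in (("switch port", SWITCH_PORT), ("mirror port", MIRROR_PORT)):
    print(name, dict(capture_visibility(cap, ME)))
```

A `foreign_unicast` count of zero over a long capture means the capture point only receives its own traffic plus broadcasts, so other phones' SIP/RTP will never appear there regardless of display filters.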