This is our old Q&A Site. Please post any new questions and answers at

I've used Wire Shark many of times, but for some reason when capturing a VOIP call that I know is using SIP as it's protocol, I don't see the call in the Telephony VOIP calls tab. Nor do I see the SIP protocol detected. Am I missing a setting?

asked 13 Jul '15, 08:09

Kenny70's gravatar image

accept rate: 0%

I think I've cleaned up the mess of comments posted as "answers" here, although IMHO the actual answer to the question as posted is that by @Amato_C regarding the filter. The question marked as answered is a follow-up about the encoding of the rtp when it has been found.

(14 Jul '15, 03:04) grahamb ♦

Looking at the capture, the audio is encoded using G.729 CODEC. Refer to the following Wireshark Wiki:

permanent link

answered 13 Jul '15, 12:09

Amato_C's gravatar image

accept rate: 14%

Amato, I read through the Wiki link. Completed all of the steps. The decoder gives an error opening the raw file. alt text

(13 Jul '15, 12:53) Kenny70

Strange. I was able to convert to PCM and then to AU. I uploaded the RAW file I used to convert to PCM on Google drive:

Download this RAW file and try to convert to PCM using the codec. We can then determine if it is the RAW file or the codec you downloaded.

(13 Jul '15, 13:15) Amato_C

Amato, I downloaded the test.raw file. Get the same error.

alt text

(13 Jul '15, 13:24) Kenny70

I used the recommended decoder as specified on the wiki link.

(13 Jul '15, 13:26) Kenny70

Are the RAW files located in the same directory as the cp_g729_decoder.exe file?

(13 Jul '15, 13:30) Amato_C

Amato, the raw file has to be in the same directory. YOU ARE THE MAN!!! Thanks for the help.

(13 Jul '15, 13:36) Kenny70

I had to create 2 audio files - one for each direction. In Wireshark, after performing the "Telephony -> RTP -> Show All Streams", you should see 2 IP address. I had to save the RAW files for each IP address (stream) and perform the procedure on each RAW file. In the end, I was able to hear the entire conversation.

(13 Jul '15, 13:44) Amato_C

Amato, Yep, I got that all figured out. Thanks again for all of your help.

(13 Jul '15, 13:48) Kenny70

Glad to hear it. Could you please accept my answer (click on the check mark)? This will help others in the future to find the answer.

(13 Jul '15, 13:51) Amato_C
showing 5 of 9 show 4 more comments

The settings for SIP are in the preferences setting for the SIP protocol: go to menu Edit->Preferences->Protocol->SIP.

By default it decodes SIP in UDP and TCP ports 5060, and SIP/TLS in 5061; but it also has a heuristic decoder that tries to decode SIP in other transport ports, which should detect SIP unless another protocol decodes it successfully first. Obviously if you're running SIP over TLS, Wireshark won't be able to decode it without the keys, and it won't show up in the telephony calls.

If the above doesn't help, then please post your capture somewhere and provide the link here, if you can.

permanent link

answered 13 Jul '15, 09:21

Hadriel's gravatar image

accept rate: 18%

I understand the default decodes. Just not sure why these calls don't appear. Attached is the link to the test call.

(13 Jul '15, 10:51) Kenny70

Probably because it's as I said: "Obviously if you're running SIP over TLS, Wireshark won't be able to decode it without the keys, and it won't show up in the telephony calls."

Your capture has SIP over TLS. (TCP port 5061)

(13 Jul '15, 12:31) Hadriel

Using the procedure in the Wiki (see link in my below response) I was able to successfully decode and listen to the voice message. I know that @Kenny70 called Tammy and referenced this Wireshark forum. Either I am a magician or I was successful. :)

(13 Jul '15, 12:56) Amato_C

I'm not sure if that's a response to my comment, but if so: the procedures in the wiki are not what was originally asked in the question. The question asked why "I don't see the call in the Telephony VOIP calls tab. Nor do I see the SIP protocol detected".

The answer to that question is: because the capture has SIP/TLS, as I said. What your wiki answer is about, is taking the RTP content and the audio in that out of the capture. That's a horse of a different color, and not what the actual question asked. (I realize now that it might be what the asker was looking for, but I am not a magician and can't read people's minds ;)

(14 Jul '15, 09:48) Hadriel

@Hadriel - I apologize for my rude comment. Sorry

(14 Jul '15, 10:13) Amato_C

Oh I didn't think it was rude - made me chuckle actually. :) I just wasn't sure if it was in response to my comment or something else. No worries.

(14 Jul '15, 10:25) Hadriel
showing 5 of 6 show 1 more comments

Try this display filter:

tcp.port==5060 || tcp.port == 5061 || rtp

permanent link

answered 13 Jul '15, 11:44

Amato_C's gravatar image

accept rate: 14%

Amato. I tried that display filter. It does display RTP. I viewed the RTP streams in the Telephony tab. I save the streams as Raw and use Audacity to decode and play the RTP. I just hear a second of static. I tried this for almost all of the RTP streams.

(13 Jul '15, 11:53) Kenny70
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 13 Jul '15, 08:09

question was seen: 10,764 times

last updated: 14 Jul '15, 10:25

p​o​w​e​r​e​d by O​S​Q​A