I've used Wireshark many times, but for some reason when capturing a VOIP call that I know is using SIP as its protocol, I don't see the call in the Telephony VOIP calls tab. Nor do I see the SIP protocol detected. Am I missing a setting?

asked 13 Jul '15, 08:09 Kenny70

3 Answers:
Looking at the capture, the audio is encoded using G.729 CODEC. Refer to the following Wireshark Wiki:

answered 13 Jul '15, 12:09 Amato_C

Amato, I read through the Wiki link. Completed all of the steps. The decoder gives an error opening the raw file. (13 Jul '15, 12:53) Kenny70

Strange. I was able to convert to PCM and then to AU. I uploaded the RAW file I used to convert to PCM on Google drive: https://drive.google.com/file/d/0B80gG9wZvGF0WFFOVFJObzk1OFk/view?usp=sharing Download this RAW file and try to convert to PCM using the codec. We can then determine if it is the RAW file or the codec you downloaded. (13 Jul '15, 13:15) Amato_C

Amato, I downloaded the test.raw file. Get the same error. (13 Jul '15, 13:24) Kenny70

I used the recommended decoder as specified on the wiki link. (13 Jul '15, 13:26) Kenny70

Are the RAW files located in the same directory as the cp_g729_decoder.exe file? (13 Jul '15, 13:30) Amato_C

Amato, the raw file has to be in the same directory. YOU ARE THE MAN!!! Thanks for the help. (13 Jul '15, 13:36) Kenny70

I had to create 2 audio files - one for each direction. In Wireshark, after performing the "Telephony -> RTP -> Show All Streams", you should see 2 IP addresses. I had to save the RAW files for each IP address (stream) and perform the procedure on each RAW file. In the end, I was able to hear the entire conversation. (13 Jul '15, 13:44) Amato_C

Amato, Yep, I got that all figured out. Thanks again for all of your help. (13 Jul '15, 13:48) Kenny70

Glad to hear it. Could you please accept my answer (click on the check mark)? This will help others in the future to find the answer. (13 Jul '15, 13:51) Amato_C

The settings for SIP are in the preferences setting for the SIP protocol: go to menu Edit->Preferences->Protocol->SIP. By default it decodes SIP in UDP and TCP ports 5060, and SIP/TLS in 5061; but it also has a heuristic decoder that tries to decode SIP in other transport ports, which should detect SIP unless another protocol decodes it successfully first. Obviously if you're running SIP over TLS, Wireshark won't be able to decode it without the keys, and it won't show up in the telephony calls. If the above doesn't help, then please post your capture somewhere and provide the link here, if you can.

answered 13 Jul '15, 09:21 Hadriel

I understand the default decodes. Just not sure why these calls don't appear. Attached is the link to the test call. http://www.mediafire.com/download/33447i08t578m3d/TestCall.rar (13 Jul '15, 10:51) Kenny70

Probably because it's as I said: "Obviously if you're running SIP over TLS, Wireshark won't be able to decode it without the keys, and it won't show up in the telephony calls." Your capture has SIP over TLS. (TCP port 5061) (13 Jul '15, 12:31) Hadriel

Using the procedure in the Wiki (see link in my below response) I was able to successfully decode and listen to the voice message. I know that @Kenny70 called Tammy and referenced this Wireshark forum. Either I am a magician or I was successful. :) (13 Jul '15, 12:56) Amato_C

I'm not sure if that's a response to my comment, but if so: the procedures in the wiki are not what was originally asked in the question. The question asked why "I don't see the call in the Telephony VOIP calls tab. Nor do I see the SIP protocol detected". The answer to that question is: because the capture has SIP/TLS, as I said. What your wiki answer is about, is taking the RTP content and the audio in that out of the capture. That's a horse of a different color, and not what the actual question asked. (I realize now that it might be what the asker was looking for, but I am not a magician and can't read people's minds ;) (14 Jul '15, 09:48) Hadriel

@Hadriel - I apologize for my rude comment. Sorry (14 Jul '15, 10:13) Amato_C

Oh I didn't think it was rude - made me chuckle actually. :) I just wasn't sure if it was in response to my comment or something else. No worries. (14 Jul '15, 10:25) Hadriel

Try this display filter: tcp.port==5060 || tcp.port == 5061 || rtp

answered 13 Jul '15, 11:44 Amato_C

Amato. I tried that display filter. It does display RTP. I viewed the RTP streams in the Telephony tab. I save the streams as Raw and use Audacity to decode and play the RTP. I just hear a second of static. I tried this for almost all of the RTP streams. (13 Jul '15, 11:53) Kenny70

I think I've cleaned up the mess of comments posted as "answers" here, although IMHO the actual answer to the question as posted is that by @Amato_C regarding the filter. The question marked as answered is a follow-up about the encoding of the rtp when it has been found.
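
An added triage example, not part of the original thread and not Wireshark's own dissector logic: it labels already-extracted TCP/UDP payloads to show the two conditions discussed above, signalling inside TLS on port 5061 and RTP carrying static payload type 18 (G.729). The names `classify`, `triage`, `rtp` and `SAMPLE` are hypothetical, and the payloads are constructed.

```python
import struct
from collections import Counter

SIP_METHODS = (b"INVITE", b"ACK", b"BYE", b"CANCEL", b"OPTIONS", b"REGISTER")
RTP_PT = {0: "PCMU", 8: "PCMA", 18: "G729"}  # static types, RFC 3551 (subset)

def classify(proto, sport, dport, payload):
    """Heuristically label one TCP/UDP payload (an assumption, not Wireshark's logic)."""
    first = payload.split(b"\r\n", 1)[0]
    # Cleartext SIP: status line "SIP/2.0 200 OK" or request line "INVITE <uri> SIP/2.0".
    if first.startswith(b"SIP/2.0 ") or (
            first.startswith(SIP_METHODS) and first.endswith(b" SIP/2.0")):
        return "sip-cleartext"
    # TLS record header: content type 20..23, then major version 3.
    if proto == "tcp" and len(payload) >= 5 and 20 <= payload[0] <= 23 and payload[1] == 3:
        return "sip-tls" if 5061 in (sport, dport) else "tls"
    # RTP fixed header is 12 bytes; version 2 sits in the top two bits of byte 0.
    if proto == "udp" and len(payload) >= 12 and payload[0] >> 6 == 2:
        pt = payload[1] & 0x7F
        if 72 <= pt <= 76:  # RTCP packet types 200..204 alias to this range
            return "rtcp"
        return "rtp:" + RTP_PT.get(pt, str(pt))
    return "unknown"

def triage(packets):
    """Return (label counts, findings) for a list of (proto, sport, dport, payload)."""
    counts = Counter(classify(*p) for p in packets)
    findings = []
    if counts["sip-tls"] and not counts["sip-cleartext"]:
        findings.append("signalling is TLS on 5061: no SIP dissection or call list without keys")
    if counts["rtp:G729"]:
        findings.append("media is G.729: a raw payload export is compressed audio, not PCM")
    return counts, findings

def rtp(pt, n):
    """Build a constructed RTP packet: 12-byte header plus n zero payload bytes."""
    return struct.pack("!BBHII", 0x80, pt, 1, 160, 0x1234) + bytes(n)

# Constructed sample payloads (not taken from the capture discussed in the thread).
SAMPLE = [
    ("tcp", 40000, 5061, bytes([22, 3, 1, 0, 4]) + bytes(4)),  # TLS handshake record
    ("tcp", 5061, 40000, bytes([23, 3, 3, 0, 8]) + bytes(8)),  # TLS application data
    ("udp", 16384, 20000, rtp(18, 20)),                        # two 10-byte G.729 frames
    ("udp", 20000, 16384, rtp(18, 20)),
    ("udp", 5060, 5060, b"INVITE sip:bob@example.invalid SIP/2.0\r\nVia: SIP/2.0/UDP h\r\n\r\n"),
]

if __name__ == "__main__":
    counts, findings = triage(SAMPLE[:4])
    print(dict(counts), *findings, sep="\n")
```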