This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Do not see SIP or G711 calls in VOIP Calls tab

0

I recently discovered (because of this forum) that G729 calls will not display in the VOIP Calls tab. I would however expect to see G711 and SIP calls in the VOIP Calls tab. I do not. Am I missing a setting change? I am able to save the RTP streams and covert the files to PCM and play with Audacity. Just wondering why I never see VOIP Calls.

asked 14 Jul '15, 10:30

Kenny70's gravatar image

Kenny70
11336
accept rate: 0%

One Answer:

0

It's not whether they're G.729, or G.711, or any codec. The problem is the VOIP Calls feature analyzes a VoIP call, meaning the the signaling (SIP, H.323, etc.) as well as the RTP media. In your capture files, Wireshark cannot see the SIP signaling, because SIP is running over TLS, and is thus encrypted.

The only reason you even see the RTP packets decoded as RTP is because you have the preference for RTP called "Try to decode RTP outside of conversations" enabled. (in Edit->Preferences->Protocols->RTP) That preference setting makes Wireshark try to decode any/every UDP packet as an RTP packet using a heuristic, unless some other protocol matched the packet first. If you disable that preference, you won't even see RTP packets. You'll just see them as UDP packets with unknown data payload.

So basically Wireshark is guessing that the UDP packets are RTP - it happens to be guessing correctly in your case. It guessed incorrectly in Amato_C's question, because those UDP packets are probably SRTP not RTP - unfortunately SRTP is almost indistinguishable from RTP - Wireshark would need to decode the SIP signaling's SDP to figure out the RTP is actually SRTP, but since SIP is running over TLS, it can't decode SIP.

So, since all Wireshark en decode in your capture is RTP, without any VoIP signaling protocol, nothing shows up in the "VOIP Calls" dialog. But if you click Telephony->RTP->Show All Streams, then you'll see the RTP streams.

answered 14 Jul '15, 11:00

Hadriel's gravatar image

Hadriel
2.7k2939
accept rate: 18%

edited 14 Jul '15, 11:07

The strange thing is that I disabled TLS on the media stream of the IPBX system. I still do not see SIP calls in the VOIP Calls tab.

(14 Jul '15, 13:27) Kenny70

Type in "sip" in the display filter box and press the "Apply" button - if no packets showed up, then Wireshark doesn't see any SIP. Then type in "tcp.port == 5061" in the display filter box and press Apply - if you see packets, then it's still using SIP over TLS.

(14 Jul '15, 13:31) Hadriel

Display filter is empty when I filter for SIP. I guess I need to figure out why SIP on this IPBX is still running over TLS even though I disable TLS on the media stream.

(14 Jul '15, 13:35) Kenny70

@Kenny70

Your "answer" has been converted to a comment as that's how this site works. Please read the FAQ for more information.

(14 Jul '15, 13:49) grahamb ♦