This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I capture only VOIP packets, is there a filter option?

0

I have magicjack set up on this machine and would like to capture VOIP packets, but usually I can only capture all packets and it captures a lot of other useless stuff like internet downloads and web pages and that sort of thing (this computer is used for web surfing as well as VOIP, its not a dedicated machine) I have some problems with the quality and want to analyze calls. Whenever a call comes in if I then start the capture it is too late somehow wireshark would not recognize it when I got o the voip decode... so therefore I need wireshark to be capturing always on BEFORE the calls come in for it to work. But without a way to filter out only VOIP packets it becomes quickly unmanageable.

Is there a way to set a filter in the capture to configure it to ONLY capture voip packets and filter it to not capture any of the other stuff?

asked 06 Jul '11, 09:36

EAM's gravatar image

EAM
1112
accept rate: 0%

edited 06 Jul '11, 09:37


One Answer:

0

If you're looking at the signaling packets only this page suggests a capture filter like

udp port 5070
But if you need to voice packets as well (which I suspect you do) there's no capture filter available to you. This is result of the fact that the voice packets are transported on an dynamic port number, and the capture filter cannot recognize RTP.

An other way to do this is to run dumpcap with a multiple file option. After your call pick up the capture file(s) you need and analyze them.

answered 06 Jul '11, 14:37

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

It is possible that the RTP packets always appear on the same port(range) if that's the case you can filter on UDP and the port(range).

(07 Jul '11, 01:32) Anders ♦

According to the MagicJack page that @Jaap linked the RTP port range is big (10000 to 30000). You might be able to match bits in the UDP payload that look like RTP, e.g. udp[1] & 1 != 1 && udp[3] & 1 != 1 && udp[8] & 0x80 == 0x80 && length < 250

(07 Jul '11, 09:15) Gerald Combs ♦♦