Skip to content

How To: VOIP SIP Capture with TCPDump on Linux

by Jon on October 26th, 2009

It is very common for me to have to do a sip capture on my asterisk servers or any other voip application to debug what is going on. I like to use TCP dump to capture sip packets and then analyze them in Wireshark. Here is a quick guide how to do this since it really makes debugging a lot easier.

1. Download and install Wireshark on your windows computer.
2. Download and install WinSCP on your windows computer.
3. Use putty to login to your linux server.
4. Once logged in use the following command to start the SIP capture:
tcpdump -i eth0 -n -s 0 port 5060 -vvv -w /home/capture_file_name
-i = interface you want to capture on, eth0, eth1, eth2, etc, you will want to do this on your public interface most likely.
-n = Do not convert ip addresses to names, prevents dns lookups.
-s = How many bytes of data to grab from each packet, zero means use the required length to catch whole packets.
port = What port to listen to, 5060 is the default port for SIP.
-vvv = Even more verbose output, this will give you as many details as possible.
-w = Write to a raw file to be parsed later.
5. Now that we are capturing packets let it run for a while at least 5 to 10 minutes to collect some data then to stop the capture use CTRL Key + C.
6. Once you stopped the capture login to the server using WinSCP and go to the home directory. You will find the capture file in there just copy that file to your windows computer so you will be able to open it with Wireshark.
7. Start Wireshark and open the file which you just copied from your linux server.
8. Now you will be able to look at all the sip packets and get an idea of what is going on with the server.
9. There is also a great tool in wireshark to see calls made on the server, in the menu bar click on Telephony then VoIP Calls. This will show all the calls that were captured with TCPdump. You will also be able to see the packets sent between the two end points by selecting a call and clicking Graph at the bottom.


From → VOIP

  1. Alexander Hodel permalink

    Hello just stumbled your site and been browsing around, do you also run another a pet related website that looks exactly like this one?

    • Leif Neland permalink

      You probably just stumbled into a totally unrelated wordpress blog by another person who selected the same theme as Jonathan :-)

  2. any ways to literarily listen to the captured calls? get the voice conversation replayed?

  3. Thank you for your help!

  4. I’m glad I chose to read this one. Nice work!

  5. Christian permalink

    Latests versions of Wireshark can decode and play most common VoIP codecs. At the menu, go to “Telephony/VoIP Calls…”

  6. Gaby permalink


  7. emmysamir permalink

    I want your help i have problem email me

  8. Silvestre permalink

    If u need capture audio packets, use the above and filter the voip calls under wireshark.

    tcpdump -w trace.cap -i eth0 -p -n -s 0 “udp”

  9. Jose Tapia permalink

    Excelent info thanks

  10. Saad permalink

    I want to monitor a number to check whether its connected or disconnected(due to any reason code).
    How can I get reason code for any call in Asterisk

  11. Phillip Lee Kit permalink

    you can also remote that tcp connection to wireshark using plink ( from the makers of Putty.

    plink -ssh -pw @ “tcpdump -ni eth0 -s 0 -w – not port 22” | “C:\Program Files\Wireshark\Wireshark.exe” -k -i –

    replace these items with your information, you must have ssh access
    – host ip where you will be capturing data
    – ssh username
    – ssh password

    The path to wireshark may be different to what is there so change it accordingly. Wireshark will be opened when the plink command string is entered.

    not port 22 – removes the ssh traffic from being displayed.

    You can add other filters so you only see SIP traffic “udp port 5060”,
    If you need the rtp traffic as well you will need to know the range of RTP ports your equipment spits out. “udp and port 5060 or portrange 10000-16000”

Leave a Reply

Note: XHTML is allowed. Your email address will never be published.

Subscribe to this comment feed via RSS

%d bloggers like this: