How To: VOIP SIP Capture with TCPDump on Linux

It is very common for me to have to do a sip capture on my asterisk servers or any other voip application to debug what is going on. I like to use TCP dump to capture sip packets and then analyze them in Wireshark. Here is a quick guide how to do this since it really makes debugging a lot easier.

1. Download and install Wireshark on your windows computer.
2. Download and install WinSCP on your windows computer.
3. Use putty to login to your linux server.
4. Once logged in use the following command to start the SIP capture:
tcpdump -i eth0 -n -s 0 port 5060 -vvv -w /home/capture_file_name
-i = interface you want to capture on, eth0, eth1, eth2, etc, you will want to do this on your public interface most likely.
-n = Do not convert ip addresses to names, prevents dns lookups.
-s = How many bytes of data to grab from each packet, zero means use the required length to catch whole packets.
port = What port to listen to, 5060 is the default port for SIP.
-vvv = Even more verbose output, this will give you as many details as possible.
-w = Write to a raw file to be parsed later.
5. Now that we are capturing packets let it run for a while at least 5 to 10 minutes to collect some data then to stop the capture use CTRL Key + C.
6. Once you stopped the capture login to the server using WinSCP and go to the home directory. You will find the capture file in there just copy that file to your windows computer so you will be able to open it with Wireshark.
7. Start Wireshark and open the file which you just copied from your linux server.
8. Now you will be able to look at all the sip packets and get an idea of what is going on with the server.
9. There is also a great tool in wireshark to see calls made on the server, in the menu bar click on Telephony then VoIP Calls. This will show all the calls that were captured with TCPdump. You will also be able to see the packets sent between the two end points by selecting a call and clicking Graph at the bottom.