How To: Capture DTMF Digits (RFC 2833) from Asterisk with Tcpdump
To see the digits pressed by Asterisk users, the capture must include the audio, because with RFC 2833 the DTMF digits are carried inside the audio stream. The audio is carried in RTP (Real-time Transport Protocol), since audio has to be a constant stream of packets. The first step is to create the capture file; then we analyze that file in Wireshark. Be careful not to run the capture for too long, because these files grow very large very quickly once the audio is included.
1. Start the tcpdump capture using the following command; change the IP address x.x.x.x to the IP address of your carrier (-s 0 keeps the full packet so the RTP payload is not truncated): tcpdump -i eth0 -n -s 0 dst x.x.x.x -vvv -w dtmf_example
2. Let the capture run for a while, make a few test calls, and enter digits on the phone so they are transmitted to the carrier.
3. Stop the capture with Ctrl + C.
4. Use WinSCP to copy the file from the Linux machine to your computer.
5. Open the file in Wireshark and, as a first step, sort by the Protocol column. Once you have done that, scroll down and look for “RTP EVENT”; these are the DTMF digits that were pressed. See the first picture.
6. To see the DTMF digits per call, go to the Telephony menu and choose VoIP Calls. This lists all the calls in the capture; select one you believe contains DTMF digits and click the Graph button below the list.
7. The graph displays all the SIP packets as well as any RTP events such as DTMF digits. See the picture below.
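As an added example (not part of the original post), here is a small Python decoder for the RFC 2833 telephone-event packets that Wireshark labels RTP EVENT, run over constructed sample packets built in the script itself. It assumes the telephone-event payload type is 101; that type is dynamic and negotiated in SDP, so adjust it to match what your Asterisk and carrier actually agreed on.

```python
import struct

DTMF_EVENTS = "0123456789*#ABCD"  # RFC 2833 event codes 0..15
TELEPHONE_EVENT_PT = 101           # assumption: the dynamic payload type negotiated in SDP

def parse_rtp(packet):
    """Split an RTP packet (RFC 3550 fixed header, no extension) into fields and payload."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2 or b0 & 0x10:
        raise ValueError("not RTP v2, or header extension present (not handled here)")
    payload = packet[12 + 4 * (b0 & 0x0F):]   # skip the CSRC list
    if b0 & 0x20 and payload:                 # padding: last byte holds the pad length
        payload = payload[:-payload[-1]]
    return {"marker": bool(b1 & 0x80), "pt": b1 & 0x7F, "seq": seq,
            "timestamp": ts, "ssrc": ssrc, "payload": payload}

def parse_telephone_event(payload):
    """Decode the 4-byte RFC 2833 payload: event code, E(nd) bit, volume, duration."""
    if len(payload) < 4:
        raise ValueError("telephone-event payload is 4 bytes")
    event, flags, duration = struct.unpack("!BBH", payload[:4])
    return {"digit": DTMF_EVENTS[event] if event < 16 else None,
            "end": bool(flags & 0x80), "volume": flags & 0x3F, "duration": duration}

def extract_digits(packets, pt=TELEPHONE_EVENT_PT):
    """Return the dialled string; each event counted once although its end packet is sent 3 times."""
    digits, seen_ends = [], set()
    for pkt in packets:
        hdr = parse_rtp(pkt)
        if hdr["pt"] != pt:
            continue                          # plain audio, not a DTMF event
        ev = parse_telephone_event(hdr["payload"])
        key = (hdr["ssrc"], hdr["timestamp"])  # all packets of one event share a timestamp
        if ev["end"] and key not in seen_ends:
            seen_ends.add(key)
            digits.append(ev["digit"])
    return "".join(digits)

def _rtp(pt, seq, ts, payload, marker=False, ssrc=0x1234ABCD):  # builds constructed packets
    return struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt, seq, ts, ssrc) + payload
def _event(code, end, duration, volume=10):                      # builds constructed payloads
    return struct.pack("!BBH", code, (0x80 if end else 0) | volume, duration)

# Constructed sample: one G.711 audio packet, then "5" and "#" as Asterisk sends them: a start
# packet with the marker bit, one interim packet, then the end packet repeated three times.
SAMPLE = [_rtp(0, 1, 160, b"\xff" * 160)] + [
    _rtp(TELEPHONE_EVENT_PT, 2 + 5 * i + j, ts, _event(code, j >= 2, 160 * min(j + 1, 3)), j == 0)
    for i, (code, ts) in enumerate(((5, 320), (11, 2000))) for j in range(5)]
```

Running `extract_digits(SAMPLE)` on the constructed traffic yields "5#", and the padding and version checks reject malformed packets instead of mis-decoding them.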