I’ve been working on monitoring our SIP traffic on our phone system and have yet to find a comprehensive how-to on monitoring the traffic and filtering it utilizing Wireshark.
First, you must monitor the network traffic to get the needed information. I mirrored the ports that we needed on our switch (as far as I know, all switches can do this). Once I had the mirroring down, I began the capture while our system called our customers for their courtesy calls.
This ended up being a ton of data, but as it was capturing I filters by typing “SIP” into the filter section on Wireshark to verify the correct packets being captured. Once the capture had completed, I saved it and sorted by SIP again, which was a ton of data. We double checked which calls failed on our monitoring system and I was given a few calls (4) that I needed to find in the massive capture.
I started by cross-referencing times to the SIP by using a filter similar to:
(frame.time >= “Aug 23, 2013 16:03:00”) && (frame.time <= “Aug 23, 2013 16:04:00”) && sip
This gave me what I needed, but it was still quite a bit of data to sort though. Therefore, knowing that Wireshark could actually filter SIP, I entered this filter:
“SIP Contains xxxxxxxxxx”
With the xxxxxxxxxx containing the phone number. For example, we dial 8 out of our network, so this was similar to: “SIP Contains 815555555555” (making the phone number 8 1 (555) 555-5555) and this gave me all of the packets that contained that phone number. Allowing us to troubleshoot further down.
Hopefully this helps someone because it’s taken me the better part of the morning to find out.