I have to do some SIP debugging, and since the resulting file could be huge, I want to stream it to a server with Wireshark.
No problem with that, everything works nicely, but there is a but!
In Wireshark, I can see my SIP packets, but not the associated RTP packets, and I need them for proper debugging.
Does someone know how to fix that?
Are you filtering out the RTP sessions so the RTP packets are not in the capture? RTP ports are negotiated in the SIP session. Sometimes the same ports are negotiated each time, and sometimes the ports are random. It depends upon how the hosts are designed and configured.
I don’t have a SIP/RTP session capture handy to reference, so I’m going from memory here: If you don’t have the SIP packets, then I don’t believe Wireshark will automatically detect the RTP sessions. In that case, you would have to manually set Wireshark to decode the RTP session.
I recommend capturing the SIP and RTP packets so Wireshark can do its thing. It is much easier.
If the RTP ports aren’t easily predictable, I would configure Wireshark to write the packets to a file and then stream all traffic to Wireshark. In the screenshot example, this would configure Wireshark to start a new capture every 100k packets. This prevents the capture files from getting too large to manage. You can then open each file, filter out the traffic you don’t want, save to a file again, then use mergecap.exe to merge the desired traffic into a single file for further analysis.
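Since the RTP ports only exist in the SDP carried by the SIP exchange, the practical first step with a SIP-only capture is to pull them out of the offer/answer and turn them into a Wireshark filter or a Decode As list. The script below is an added example, not code from this thread or from Wireshark; the INVITE, 200 OK and the UDP flow summaries are constructed. It assumes the usual RTCP convention (RTP port + 1) and pairs offer and answer media lines by position, and it ignores `a=rtcp` overrides.

```python
"""Recover negotiated RTP endpoints from a SIP offer/answer, emit a Wireshark
display filter and tshark -d (Decode As) arguments, and report which
negotiated endpoints never show up in the captured UDP flows.
Added example; every message and flow below is constructed."""
import re
from dataclasses import dataclass


def sip_message(start_line, headers, sdp_lines):
    """Assemble a SIP message with an SDP body (Content-Length computed)."""
    body = "\r\n".join(sdp_lines) + "\r\n"
    hdrs = headers + ["Content-Type: application/sdp",
                      "Content-Length: %d" % len(body)]
    return start_line + "\r\n" + "\r\n".join(hdrs) + "\r\n\r\n" + body


# Constructed offer: PBX 192.0.2.20 proposes audio on 16384 and video on 30000.
INVITE = sip_message(
    "INVITE sip:2000@192.0.2.10 SIP/2.0",
    ["Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK776asdhds",
     "From: <sip:1000@192.0.2.20>;tag=1928301774",
     "To: <sip:2000@192.0.2.10>",
     "Call-ID: a84b4c76e66710@192.0.2.20",
     "CSeq: 314159 INVITE"],
    ["v=0", "o=pbx 53655765 2353687637 IN IP4 192.0.2.20", "s=-",
     "c=IN IP4 192.0.2.20", "t=0 0",
     "m=audio 16384 RTP/AVP 0 8 101", "a=rtpmap:0 PCMU/8000",
     "m=video 30000 RTP/AVP 96", "a=rtpmap:96 H264/90000"])

# Constructed answer: phone 192.0.2.10 accepts audio on 20000 (media-level c=)
# and rejects video with port 0.
OK200 = sip_message(
    "SIP/2.0 200 OK",
    ["Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK776asdhds",
     "From: <sip:1000@192.0.2.20>;tag=1928301774",
     "To: <sip:2000@192.0.2.10>;tag=a6c85cf",
     "Call-ID: a84b4c76e66710@192.0.2.20",
     "CSeq: 314159 INVITE"],
    ["v=0", "o=phone 2890844526 2890844526 IN IP4 192.0.2.10", "s=-", "t=0 0",
     "m=audio 20000 RTP/AVP 0", "c=IN IP4 192.0.2.10", "a=rtpmap:0 PCMU/8000",
     "m=video 0 RTP/AVP 96"])


@dataclass
class MediaEndpoint:
    media: str   # "audio" / "video"
    ip: str      # from the session-level or media-level c= line
    port: int    # RTP port from the m= line (0 = stream rejected)

    @property
    def rtcp_port(self):
        # Assumption: RTCP on RTP port + 1; an a=rtcp line could override this.
        return self.port + 1


def parse_sdp_endpoints(msg):
    """Return every m= line of the SDP body as a MediaEndpoint, resolving c= lines."""
    head, sep, body = msg.partition("\r\n\r\n")
    if not sep or "application/sdp" not in head.lower():
        return []
    session_ip, endpoints = None, []
    for line in body.splitlines():
        c = re.match(r"c=IN IP[46] (\S+)", line)
        if c:
            if endpoints:
                endpoints[-1].ip = c.group(1)   # media-level c= overrides session-level
            else:
                session_ip = c.group(1)
            continue
        m = re.match(r"m=(\w+) (\d+) (\S+)", line)
        if m:
            endpoints.append(MediaEndpoint(m.group(1), session_ip, int(m.group(2))))
    return endpoints


def negotiated_streams(offer, answer):
    """Pair offer/answer m= lines by position (RFC 3264), dropping rejected ones."""
    return [(o, a) for o, a in zip(parse_sdp_endpoints(offer), parse_sdp_endpoints(answer))
            if o.media == a.media and o.port and a.port]


def display_filter(pairs):
    """Wireshark display filter covering RTP and RTCP of every negotiated stream."""
    ports = sorted({p for pair in pairs for e in pair for p in (e.port, e.rtcp_port)})
    return " || ".join("udp.port == %d" % p for p in ports)


def tshark_decode_as(pairs):
    """Values for tshark -d (the CLI form of Decode As), needed when SIP is absent
    from the capture and Wireshark cannot auto-detect the RTP streams."""
    return ["udp.port==%d,rtp" % e.port for pair in pairs for e in pair]


def missing_endpoints(pairs, udp_flows):
    """Negotiated (ip, port) endpoints never seen in udp_flows, which is an
    iterable of (src_ip, src_port, dst_ip, dst_port) tuples from the capture."""
    seen = set()
    for sip, sport, dip, dport in udp_flows:
        seen.update([(sip, sport), (dip, dport)])
    return {(e.ip, e.port) for pair in pairs for e in pair} - seen


# Constructed flow summaries: signalling only (the symptom in this thread)
# versus a capture that also contains the media.
SIP_ONLY_FLOWS = [("192.0.2.20", 5060, "192.0.2.10", 5060),
                  ("192.0.2.10", 5060, "192.0.2.20", 5060)]
FULL_FLOWS = SIP_ONLY_FLOWS + [("192.0.2.20", 16384, "192.0.2.10", 20000),
                               ("192.0.2.10", 20000, "192.0.2.20", 16384)]

if __name__ == "__main__":
    streams = negotiated_streams(INVITE, OK200)
    print("display filter:", display_filter(streams))
    print("tshark args   :", " ".join("-d " + d for d in tshark_decode_as(streams)))
    print("missing (SIP-only capture):", missing_endpoints(streams, SIP_ONLY_FLOWS))
    print("missing (full capture)    :", missing_endpoints(streams, FULL_FLOWS))
```

Run against the SIP-only flow list it reports both negotiated audio endpoints as absent, which is exactly the check to do before blaming the dissector: if the ports from the SDP never appear in the capture at all, the packets were not delivered to Wireshark, and no amount of Decode As will conjure them up.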
Actually, I do capture everything going out of my IPBX, and send it to a file.
But the issue is not here: if I do the same packet capture directly to a file on the Mikrotik router, it works nicely; I have both SIP and RTP packets.
But when I stream to Wireshark, there is everything but RTP; it seems like the router doesn't stream them, which is weird…
Did you cross-check with, for example, a tool like tcpdump, just to see that it is not a Wireshark problem? Because if it turns out that your Mikrotik is not even egressing RTP, then you might open a ticket/report a bug on this.
On the Sniffer config part on the Mikrotik, do you already apply a filter of some sort? Or do you simply take all traffic from interface X and stream it further down to Wireshark?