

Capturing SIP and RTP packets can reveal trouble with the configuration of FreeSWITCH or the endpoints connecting to it. A packet capture might be required by developers to help troubleshoot your installation.




Use tcpdump if you want a pcap file to open in Wireshark later. Otherwise, use tshark for a "text only" view of the SIP traffic without all the headers and extra information.


Basic Logging

Real-time traffic dump (full packets) to stdout:

  tcpdump -nq -s 0 -A -vvv -i eth0 port 5060

Dump to file:

  tcpdump -nq -s 0 -i eth0 -w /tmp/dump.pcap port 5060 

Save a new time-stamped file approximately once per hour on the specified port:

  tcpdump -nq -s 0 -i eth0 -G3600 -w /tmp/trace/sip-%F--%H-%M-%S.pcap port 5060

Daemonize and log 2 ports, rotate log every hour:

  nohup tcpdump -nq -s 0 -i eth0 -G3600 -w /tmp/trace/sip-%F--%H-%M-%S.pcap port 5080 or port 5060 &

Daemonize and log 2 ports, rotate log every hour, and place into hierarchical directory structure.

tcpdump log example


This should be run from cron / init services at the first minute of each new day.
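
One way to do the daily, hierarchical capture described above, as an added example that is not the wiki's own script. The base directory, interface, port filter and script path are assumptions; run without arguments, it only prints the tcpdump command.

```shell
#!/bin/sh
# Added example: one SIP capture per day under BASE/YYYY/MM/DD, one file per hour.
# BASE, IFACE, FILTER and the script path in the crontab line are assumptions.
#   crontab (root):  0 0 * * * /usr/local/sbin/sip-trace.sh run
BASE="${BASE:-/var/log/sip-trace}"
IFACE="${IFACE:-eth0}"
FILTER="${FILTER:-port 5060 or port 5080}"

# Map a date (YYYY-MM-DD) to its directory, e.g. BASE/2024/03/09.
trace_dir() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    printf '%s/%s/%s/%s\n' "$BASE" "$y" "$m" "$d"
}

# Build the tcpdump command line for that date.
#   -G 3600  start a new file every hour (strftime names via -w)
#   -W 24    exit after 24 files, so each cron run covers about one day
#   -Z root  stay root: packaged builds that switch to an unprivileged user
#            cannot write rotated files into a root-only directory
capture_cmd() {
    printf 'tcpdump -Z root -nq -s 0 -i %s -G 3600 -W 24 -w %s/sip-%%H-%%M-%%S.pcap %s\n' \
        "$IFACE" "$(trace_dir "$1")" "$FILTER"
}

start_capture() {
    today=$(date +%F)
    umask 077    # captures hold SIP auth headers and call metadata: root-only
    mkdir -p "$(trace_dir "$today")"
    # Unquoted on purpose so the string splits into arguments (no spaces in BASE).
    nohup $(capture_cmd "$today") >/dev/null 2>&1 &
}

# Without arguments only print the command (dry run); "run" starts the capture.
case "${1:-}" in
    run) start_capture ;;
    *)   capture_cmd "$(date +%F)" ;;
esac
```
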

Capturing Calls For a Specific User

Run

  sofia status profile $profile user $user_id

to get the remote IP address and port, then use:

  tcpdump -i $INTERFACE -s 1500 -A host $IPADDRESS and port $SIPPORT


Using Wireshark to Analyze pcap Files

Wireshark has some nice tools for analyzing your packet captures. See the tutorial linked at the bottom of this page for tips.



ngrep on the Debian Wheezy repository



For a more in-depth tutorial on using ngrep, check out this post by Jonathan Manning. VIM users may be interested in this syntax highlighter.


HOMER Sip Capture

DESC: SIP capturing server with HEP and IP-proto-4 (IPIP) & Monitoring Application with CallFlows, PCAP extraction, powerful search tools, statistics and API. Native HEP capture agent integrated in FreeSWITCH


DESC: Sipgrep is a powerful pcap-aware command line tool to sniff, capture, display and troubleshoot SIP signaling over IP networks, allowing the user to specify extended regular expressions matching against SIP headers.



DESC: pcapsipdump is a tool for dumping SIP sessions (+RTP traffic, if available) to disk in a fashion similar to "tcpdump -w" (format is exactly the same), but one file per SIP session (even if there are thousands of concurrent SIP sessions). As of SVN r128, there is limited but functional support for SIP over TCP. This functionality is not enabled by default and requires a specific make command:


The pcapsipdump program will attempt to capture SIP dialogs regardless of port number. Note that older versions of pcapsipdump handle only port 5060. The trunk version of pcapsipdump is stable and is good for most production environments.


tshark aka tethereal

DESC: Dump and analyze network traffic.




SRC: irontec on github

DESC: Linux/OSX console-based SIP traffic viewer with filtering capabilities

sngrep is a handy utility for quickly capturing and viewing SIP traffic. It can be run on existing pcap files or it can capture traffic live. It can filter based on many criteria, including source/destination as well as message type. This is particularly useful when you have a lot of SIP traffic on a system and you need to find a specific dialog or message. (Have you ever wanted to see only NOTIFY traffic without being bombarded with REGISTERs, OPTIONS, and INVITEs? Or just INVITEs without all the other SIP traffic? If so, sngrep is the tool for you.) Once you find a dialog you can explicitly export it to a pcap file. The irontec github page has several screen shots that demonstrate its capabilities. Note that sngrep does not capture RTP, only SIP.

An especially useful feature of sngrep is its ability to create SIP "ladder graphs" showing the progression of the SIP dialog. The ladder graph appears on the left and the content of the highlighted SIP message appears on the right. Scroll up and down and you can quickly review the progression of a SIP dialog. Being able to see this right at the Linux/OSX command line can save you the effort of having to export a potentially large pcap file and open it in Wireshark. Also, sngrep works well in conjunction with Wireshark. Use sngrep to quickly locate specific SIP traffic and then export a pcap to Wireshark for more detailed analysis.


Tips for using sngrep interface

Arrow up and down to move selector and press <enter> to open a specific dialog. This brings up the ladder-graph and all messages within the dialog.

View multiple (perhaps related) dialogs in a single ladder-graph by selecting them with the space bar. Press <enter> when all dialogs have been selected and a multi-endpoint ladder-graph will be displayed. 

Change display filter by pressing F7. You can select To: and From:, source and destination, payload, and SIP message types.

Export selected dialogs by pressing F2.

Search through dialogs by pressing F3.

Truncate a pcap File

With The Wireshark GUI

Open the pcap, then click "Save as". Look at the options: from frame $x to $y, the marked ones, from the first marked one to the last marked one, etc. To mark packets, you can right-click them in the viewer.


If you have a large pcap from any of the above methods and want to share part of it, you can use the "editcap" command line program that comes with Wireshark. Read the full manual.

In short, if you want just packets $x to $y, use:

editcap -r $source_infile $outfile $x-$y

where -r means "only include x-y"; without -r, this command would cut out x-y.

If you want to omit some packets, then skip the -r and list the ones to omit, e.g. to omit packets 1000 to 3000:

editcap $source_infile $outfile 1000-3000

TLS with sharka

After some experimentation with various tools, I came up with a little shell tool that may be useful to you too.
It can only work with non-forward-secrecy ciphers, obviously, and only if it is started before the client does the initial TLS handshake (e.g., just restart the client). Forward secrecy cannot be decrypted after the fact, so don't waste effort.

An example of a cipher that can be decrypted is the "AES256-SHA" OpenSSL cipher group. In FreeSWITCH, edit vars.xml and put

  <X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=AES256-SHA"/>

This restricts every SIP TLS connection to a cipher without forward secrecy, so restore the previous cipher list when debugging is done.
You can use ssldump to check which cipher is used by the ServerHello.
Enjoy, make it better, and share it :)
sharka shell script

Example Analyses

SIP TLS with sharka

Edit the first few lines of the script with your own values.

Visualize the packets related to ""

sharka example

SIP TLS on port 5061

Replace with your own IP address.

Wireshark example
tshark example


RTP events

RTP analysis example


Analyze RTP Quality

sudo tshark -q -f 'udp portrange 16384-32768' -o rtp.heuristic_rtp:TRUE -z rtp,streams

If you're doing long-term captures, you may want to get a bit more paranoid about security:

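# Only dumpcap needs capture privileges; tshark then reads the saved file unprivileged.
# Mode 4755 lets every local user capture; root:<capture group> with mode 4750 is tighter.
sudo chmod 4755 /usr/bin/dumpcap
dumpcap -f 'udp portrange 16384-32768' -i eth0 -w /tmp/qos.pcap
tshark -qr /tmp/qos.pcap -o rtp.heuristic_rtp:TRUE -z rtp,streams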

Remote live capture with local wireshark

You can also use tcpdump in conjunction with ssh to bring the packets back to your workstation so you can watch them live in Wireshark. Bear in mind that with this approach you must set a filter on tcpdump, or you will end up with either echoed data (the capture's own SSH traffic) or too much data.

Windows workstation to remote linux server

With Wireshark and PuTTY installed locally and tcpdump installed on the remote server:

  "C:\Program Files (x86)\PuTTY\plink.exe" -ssh root@x56 "tcpdump -ni eth0.1020 -s 0 -w - not port 22 and not proto ospf and not arp and not portrange 16384-32768" | "c:\Program Files\Wireshark\Wireshark.exe" -k -i -


See Also


  1. The second presentation is here:

    The first presentation got cut short, but it's still good:



    1. Even those links have died a miserable, horrible death.


  2. <param name="sip-capture" value="yes"/>

    <param name="capture-server" value="udp:HOMER_EXTERNAL:5061;hep=3;capture_id=100"/>


    root@ts180:/usr/share/freeswitch/scripts# tcpdump -nq -s 0 -A -vvv -i eth0 port 5061
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes


    The capture was not sent; it is not working.