
Digging into a VoIP call is fun, but first you have to find the call. Not every capture you execute will be so clean that it starts with the first INVITE message and finishes with a BYE. The majority of captures you'll be looking at probably include ancillary TCP/IP information and other packets flowing through the LAN that may or may not have an impact on the VoIP call you're investigating. Wireshark provides an easy way to isolate the individual VoIP calls in a capture, filtering out the unrelated packets. Click Statistics in the top menu bar and select VoIP Calls.

Wireshark scans the entire packet capture, identifying all VoIP calls and populating them in a Wireshark: VoIP Calls pop-up window, shown in Figure 11-3. The window summarizes the calls by their general profile, allowing you to quickly see:

- Start Time: This isn't the time of day the call began, such as 8:49 p.m. or 20:49 in military time, but the amount of time between the moment the capture being analyzed began and the moment the call was initiated.
- Stop Time: The amount of time between the initiation of the packet capture and the final BYE message that ended the call. This is not the duration of the call from INVITE to BYE, but the time in the capture when the BYE for the call was received.
- Initial Speaker: The IP address that originates the call. The first call in Figure 11-3 originated from the IP of 4.00.00.00.
- From: The origination SIP URI on the call.
- Protocol: Because you're looking at a VoIP call, it's listed as SIP. Despite the fact that only SIP is listed as the protocol, the call listed includes SIP/SDP and RTP packets.
- Packets: Provides the total quantity of SIP packets listed for the specific VoIP call. Other RTP packets may be associated with the call, but only the quantity of SIP packets is listed.
- State: Identifies the disposition of the call.
  - Completed: Indicates a VoIP call that was established and was disconnected with a normal BYE.
  - Rejected: This call was refused by the receiving SIP node, most likely with a 404 Not Found or 503 Service Unavailable.
  - Cancelled: Identifies a call forcibly disconnected with the SIP.
  - Call Setup: The call listed in the capture was never established and includes only the initial INVITE message and provisional responses, such as 180 Ringing.

The bottom of Wireshark's VoIP Calls window has four buttons that remain grayed out until you select a VoIP call to analyze. The first button to select when analyzing a VoIP call is the Graph button.
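As an added example (not code from the book or from Wireshark), the following Python rebuilds the columns of the VoIP Calls window from the SIP packets of a small constructed capture: relative Start and Stop times, Initial Speaker, From, Protocol, SIP-only packet count, and the State classification described above. The IPs, URIs and Call-IDs are invented, and treating a SIP CANCEL request as the signal for the Cancelled state is an assumption.

```python
"""Summarise SIP dialogs the way Wireshark's VoIP Calls window does (constructed example, not
Wireshark code). A packet is (seconds since capture start, source IP, start line, Call-ID, From URI)."""
from collections import defaultdict

# Constructed sample capture: one dialog for each of three states the text describes.
PACKETS = [
    (2.1, "10.0.0.5", "INVITE sip:2001@pbx.example SIP/2.0", "c1", "sip:1001@pbx.example"),
    (2.9, "10.0.0.9", "SIP/2.0 180 Ringing", "c1", "sip:1001@pbx.example"),
    (5.0, "10.0.0.9", "SIP/2.0 200 OK", "c1", "sip:1001@pbx.example"),
    (5.1, "10.0.0.5", "ACK sip:2001@pbx.example SIP/2.0", "c1", "sip:1001@pbx.example"),
    (44.6, "10.0.0.9", "BYE sip:1001@pbx.example SIP/2.0", "c1", "sip:1001@pbx.example"),
    (44.7, "10.0.0.5", "SIP/2.0 200 OK", "c1", "sip:1001@pbx.example"),
    (60.0, "10.0.0.5", "INVITE sip:9999@pbx.example SIP/2.0", "c2", "sip:1001@pbx.example"),
    (60.1, "10.0.0.9", "SIP/2.0 404 Not Found", "c2", "sip:1001@pbx.example"),
    (90.0, "10.0.0.7", "INVITE sip:1001@pbx.example SIP/2.0", "c3", "sip:1002@pbx.example"),
    (90.4, "10.0.0.9", "SIP/2.0 180 Ringing", "c3", "sip:1002@pbx.example"),
]

def parse_start_line(line):
    """Return ('request', METHOD) or ('response', status_code) for a SIP start line."""
    if line.startswith("SIP/2.0 "):
        return "response", int(line.split()[1])
    return "request", line.split()[0]

def classify(methods, codes):
    """Map a dialog's SIP traffic onto the State column of the VoIP Calls window."""
    if "BYE" in methods:
        return "COMPLETED"    # established, then torn down with a normal BYE
    if "CANCEL" in methods:
        return "CANCELLED"    # caller aborted before answer (SIP CANCEL; assumption)
    if any(400 <= c < 700 for c in codes):
        return "REJECTED"     # e.g. 404 Not Found or 503 Service Unavailable
    return "CALL SETUP"       # only the INVITE and provisional 1xx responses were seen

def summarise(packets):
    """One row per Call-ID, mirroring the columns of the VoIP Calls window."""
    dialogs = defaultdict(list)
    for pkt in sorted(packets):
        dialogs[pkt[3]].append(pkt)
    rows = []
    for call_id, pkts in dialogs.items():
        kinds = [parse_start_line(p[2]) for p in pkts]
        methods = [v for k, v in kinds if k == "request"]
        codes = [v for k, v in kinds if k == "response"]
        bye = [p[0] for p, (k, v) in zip(pkts, kinds) if v == "BYE"]
        rows.append({"call_id": call_id, "start": pkts[0][0],  # seconds after capture start
                     "stop": bye[0] if bye else pkts[-1][0],  # when the BYE was seen, not duration
                     "initial_speaker": pkts[0][1], "from": pkts[0][4], "protocol": "SIP",
                     "packets": len(pkts), "state": classify(methods, codes)})  # SIP packets only
    return rows
```

Running `summarise(PACKETS)` yields three rows: c1 COMPLETED (start 2.1 s, stop 44.6 s, 6 SIP packets), c2 REJECTED after the 404, and c3 CALL SETUP with only an INVITE and a 180 Ringing.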
