Capturing SIP and RTP traffic using tcpdump
Tcpdump is a command-line packet analyzer with many useful options for capturing network traffic. Let's look at the commands for capturing SIP and RTP traffic with tcpdump.
Capturing only SIP traffic using the Tcpdump:
tcpdump -i eth0 -n -s 0 -vvv -w /home/capture_file_name.pcap port 5060
Options:
-i = the interface to capture on (eth0, eth1, eth2, etc.); most likely you will want your public-facing interface.
-n = do not convert IP addresses to names; this prevents DNS lookups during the capture.
-s = how many bytes of data to grab from each packet; 0 means use the length required to capture whole packets.
port = which port to filter on; 5060 is the default port for SIP.
-vvv = even more verbose output; this gives you as many details as possible.
-w = write the raw packets to a file to be parsed later.
Capturing SIP and RTP traffic and saving it to pcap file:
tcpdump -i eth0 -s 0 -w filename.cap 'udp port 5060 or udp portrange 10000-20000'
Note: my SIP server listens on the default port 5060 and my RTP ports are 10000 to 20000, so change these ports to match your environment.
Now we have the entire capture in a pcap file, which you can open in Wireshark for further analysis.
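As an added example, not code from the original post, here is a small POSIX sh helper that validates the SIP port and RTP range, builds the tcpdump command with the options placed ahead of the BPF filter (so it also works on BSD and macOS tcpdump, which do not accept options after the filter), and pulls the negotiated media port out of a SIP INVITE's SDP so you can check that your RTP range really covers what the phones announce. The INVITE, its addresses and the output path are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: build the capture command for
# a SIP + RTP capture with the options placed ahead of the BPF filter, so the
# same invocation works on Linux, BSD and macOS tcpdump.

# valid_port PORT: succeed only for an integer in 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_voip_filter SIP_PORT RTP_LOW RTP_HIGH: print the BPF filter or fail.
build_voip_filter() {
    valid_port "$1" && valid_port "$2" && valid_port "$3" || return 1
    [ "$2" -le "$3" ] || return 1
    printf 'udp port %s or udp portrange %s-%s\n' "$1" "$2" "$3"
}

# build_capture_cmd IFACE OUTFILE SIP_PORT RTP_LOW RTP_HIGH: full command line,
# options first, filter quoted as a single argument.
build_capture_cmd() {
    filter=$(build_voip_filter "$3" "$4" "$5") || return 1
    printf "tcpdump -i %s -n -s 0 -w %s '%s'\n" "$1" "$2" "$filter"
}

# sdp_audio_port: read a SIP message on stdin and print the port from the
# SDP "m=audio" line, i.e. where the caller expects to receive RTP.
sdp_audio_port() {
    tr -d '\r' | awk '$1 == "m=audio" { print $2; exit }'
}

# Constructed INVITE (documentation addresses only) used to exercise sdp_audio_port.
SAMPLE_INVITE=$(cat <<'EOF'
INVITE sip:bob@example.com SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds
Call-ID: a84b4c76e66710@192.0.2.10
Content-Type: application/sdp

v=0
c=IN IP4 192.0.2.10
m=audio 10004 RTP/AVP 0 8
EOF
)

build_capture_cmd eth0 /home/capture_file_name.pcap 5060 10000 20000
printf '%s\n' "$SAMPLE_INVITE" | sdp_audio_port
```

If the port printed from a real INVITE falls outside the range you pass to build_voip_filter, the capture will hold the signalling but not the media for that call.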