SIP RTP audio can be extracted from a wireshark capture and played back in Audacity. This can be useful for troubleshooting SIP related audio issues.

We will need to set up port monitoring on our switch in order to capture traffic going to and from our SIP endpoints.

Open

My test system consists of LQ (Port GE2), Grandstream KXV-3370 (Port GE4), a Grandstream UCM6202 PBX (Port GE7) and my PC running Wireshark (Port GE8). For this example I will be monitoring traffic to and from the Grandstream UCM6202 PBX (Port GE7) but, depending on the issue you are trying to troubleshoot, you may wish to monitor different/additional sources.

Open

Open Wireshark and begin a capture using the network interface (NIC) that is connected to the ‘Destination Port’ of the switch.

Use the the term ‘rtp’ in the filter bar at the top.

You must use lowercase here. If it is a legitimate filter, the filter bar will be green.

Now initiate a call between SIP endpoints. You should see the packet window start to fill up with RTP packets.

One reason that you may not see any packets is that RTP must be selected in the Analyze → Enabled Protocols… menu. Make sure the RTP checkbox is ticked along with rtp_udp.

Once we have a decent number of packets we can end the call and stop the capture.

Select an RTP packet and open the ‘Real-Time Transport Protocol’ drop down. Here we can view the codec used to encode the audio. My test system is using G.711 PCMU (ie. G.711 μLaw).

We can also see that the packets have non-zero payload. A payload of all zeros would indicate that there is no audio data in this packet.

To hear the audio we have captured, we must export the RTP stream from Wireshark and open it in Audacity.

In Wireshark, navigate to Telephony → RTP → Stream Analysis.

In the Stream Analysis window, navigate to ‘Save’ and click on the expansion arrow.

Here we will select ‘Unsynchronized Forward Stream Audio’.

Change the default file type to save as a .raw file.

We can also repeat this step to save the ‘Unsynchronized Reverse Stream Audio’.

Open Audacity and go to File → Import → Raw Data…

Navigate to and select the Unsynchronized Forward/Reverse Stream Audio .raw file that we exported from Wireshark.

Here we want to import the raw data with settings according to the payload type. Earlier, we determined that my test system is using G.711 μLaw. The above settings are suitable for G.711 μLaw.

We are now able to playback the audio to check for signal integrity etc.