
How to Capture a SIP Call Dump Using tcpdump, Wireshark, and sngrep

Accurate and fast packet capture is an essential skill for engineers working with VoIP platforms such as Kamailio, Asterisk, FreeSWITCH, 3CX, SBC solutions, and media-routing systems. This is especially important when troubleshooting RTP issues, one-way audio, call drops, NAT problems, incorrect SDP, or SIP registration failures.

SkyTel OU regularly uses these techniques to diagnose and audit VoIP traffic quality, both within internal infrastructure and when working with external carriers and client platforms.


Choosing the Right Tool for Call Capturing

| Tool | Capabilities | When to Use |
|---|---|---|
| tcpdump | low-level packet capture, full accuracy | capturing raw PCAP files for deeper analysis |
| Wireshark | graphical decoding, VoIP inspection, RTP playback | troubleshooting complex SIP/RTP issues |
| sngrep | real-time SIP call visualization | quick diagnostics on Kamailio, Asterisk, FreeSWITCH, SBC |


Capturing a SIP Call with tcpdump

Basic Capture of All SIP Traffic

tcpdump -i any -s 0 -w sip-dump.pcap port 5060

Capture SIP + RTP for a Specific Host

tcpdump -i any -s 0 -w call.pcap host 192.168.1.50

Capture SIP Registrations

tcpdump -i any -s 0 -w reg.pcap udp port 5060

tcpdump capture filters have no sip keyword, so capture the UDP signaling port and isolate the REGISTER transactions during analysis.

For Kamailio / SBC Servers

Kamailio often proxies SIP without handling RTP. To capture RTP, dump traffic on the media server (Asterisk/FreeSWITCH/rtpengine/SEMS).

Find the Call-ID:

tcpdump -i any -s 0 -A -l -n port 5060 | grep "Call-ID"

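Then capture the full call. A tcpdump capture filter cannot match on Call-ID, so capture the SIP port and isolate the dialog afterwards with the Call-ID display filter in Wireshark:

tcpdump -i any -s 0 -w call.pcap -v port 5060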


Analyzing Calls in Wireshark

Accessing VoIP Call List

Menu:
Telephony → VoIP Calls

Capabilities:

  • full SIP dialog decoding
  • ladder diagrams
  • RTP decoding and playback
  • loss, jitter, and out-of-order detection

Filter by Call-ID

sip.Call-ID == "123456@server"

Inspecting RTP Streams

Select the call → RTP → Stream Analysis

You can check:

  • packet loss
  • duplicates
  • jitter
  • delay
  • MOS score

Diagnosing One-Way Audio

Common causes:

  1. NAT issues (incorrect external IP in SDP)
  2. RTP blocked by firewall or SBC

Key SDP fields to inspect:

  • c=IN IP4 ... — media IP
  • m=audio ... — RTP port
  • a=rtcp: — RTCP parameters
  • a=sendrecv / sendonly / recvonly — media direction
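The SDP checks listed above, as an added Python example (not part of the original article): it extracts the audio c=, m=audio, a=rtcp and direction fields from one SDP body and flags the one-way-audio suspects. The names inspect_sdp, is_rfc1918 and SAMPLE_SDP, the sample SDP and the signaling address 203.0.113.10 are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DIRECTIONS = {"sendrecv", "sendonly", "recvonly", "inactive"}

def is_rfc1918(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:                       # c= may carry an FQDN; nothing to classify
        return False
    return any(ip in net for net in RFC1918)

def inspect_sdp(sdp, signaling_src):
    """Return (audio fields, findings); signaling_src is the source IP of the SIP packet."""
    info = {"media_ip": None, "rtp_port": None, "rtcp": None, "direction": "sendrecv"}
    seen_media = in_audio = False
    for line in (l.strip() for l in sdp.splitlines()):
        if line.startswith("m="):
            seen_media, in_audio = True, line.startswith("m=audio ")
            if in_audio:
                info["rtp_port"] = int(line.split()[1].split("/")[0])
        elif not seen_media or in_audio:     # session-level lines or the audio section
            if line.startswith("c=IN IP4 "):
                info["media_ip"] = line.split()[2].split("/")[0]
            elif line.startswith("a=rtcp:"):
                info["rtcp"] = line[len("a=rtcp:"):]
            elif line.startswith("a=") and line[2:] in DIRECTIONS:
                info["direction"] = line[2:]
    ip, port, findings = info["media_ip"], info["rtp_port"], []
    if ip is None or port is None:
        return info, ["no usable audio description (missing m=audio or c=)"]
    if port == 0:
        findings.append("m=audio port 0: stream rejected or disabled")
    if ip == "0.0.0.0":
        findings.append("c= is 0.0.0.0: legacy hold, no media expected at this address")
    elif is_rfc1918(ip) and not is_rfc1918(signaling_src):
        findings.append(f"c= advertises private {ip} but SIP arrived from {signaling_src}")
    if info["direction"] != "sendrecv":
        findings.append(f"direction is {info['direction']}, not sendrecv")
    return info, findings

# Constructed sample: an endpoint behind NAT that offers its LAN address and sendonly.
SAMPLE_SDP = "\n".join(["v=0", "o=- 1 1 IN IP4 192.168.1.50", "s=-", "c=IN IP4 192.168.1.50",
                        "t=0 0", "m=audio 16384 RTP/AVP 0 8", "a=rtcp:16385", "a=sendonly"])

if __name__ == "__main__":
    print(inspect_sdp(SAMPLE_SDP, "203.0.113.10"))
```

Copy the SDP body from the INVITE or 200 OK in the Wireshark packet details and pass the packet's source IP as signaling_src.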

Monitoring SIP Traffic Using sngrep

sngrep is the most convenient tool for Kamailio, SBC, Asterisk, and FreeSWITCH infrastructures.

Display All Calls

sngrep

Filter by Call-ID

Press / and type part of the Call-ID.

Filter by IP Address

sngrep -d any host 192.168.1.50

Export a Call to PCAP

Press E → select pcap → save.

This is often the fastest way to provide SkyTel OU engineers with the minimum required data for troubleshooting.


Practical Notes for Kamailio, Asterisk, FreeSWITCH, SBC, and 3CX

Kamailio

  • enable debug=3 and log_stderror=yes for deeper inspection
  • capture traffic on ingress and egress interfaces
  • inspect dialog creation/removal using dlg_list

Asterisk

  • use rtp set debug on for missing RTP
  • check for RTP port mismatches between SDP and endpoints
  • beware of NAT + directmedia=yes problems

FreeSWITCH

  • enable sofia global siptrace on
  • RTP may flow through proxy modules

3CX

  • best to capture traffic at the server/hypervisor level
  • PCAP quickly exposes incorrect RTP routing

SBC (rtpengine, SEMS, FreeSBC, Kamailio-SBC)

  • verify which endpoint receives RTP relay
  • inspect rewritten SDP
  • check NIC queues and latency issues

Common Issues Detectable with PCAP Dumps

  • one-way audio
  • call drops after 32 seconds (ACK/re-INVITE problems)
  • missing DTMF
  • NAT-related failures
  • SIP header rewriting errors behind SBC
  • carrier-side faults that cannot be proven without PCAP
