Using T-Shark for Packet Voice


As more and more of you move to Voice over IP, you will want to use Wireshark to do voice analysis. But first, you may want to run a capture somewhere. As many of you know, T-Shark is the command-line version of Wireshark. Here are some usage examples for capturing packet voice with T-Shark:

T-Shark Objective

T-Shark Command

Capture all SIP on specified port and switch files every hour

tshark -nq -i eth0 -b duration:3600 -w /tmp/trace/sip.pcap port 5080

Filter on SIP and all RTP packets

tshark -P -w capture.pcap -f "(udp port sip) or (udp[1] & 1 != 1 && udp[3] & 1 != 1 && udp[8] & 0x80 == 0x80 && length < 250)"

Filter on RTCP packets reporting any packet loss or jitter over 30ms

tshark -i eth0 -o "rtp.heuristic_rtp: TRUE" -Y 'rtcp.ssrc.fraction >= 1 or rtcp.ssrc.jitter >= 240' -V

Capture SIP, RTP, ICMP, DNS, RTCP, and T38 traffic in a ring buffer capturing 100 50MB files continuously:

tshark -i eth0 -o "rtp.heuristic_rtp: TRUE" -w /tmp/capture.pcap -b filesize:51200 -b files:100 -Y 'sip or rtp or icmp or dns or rtcp or t38'


 Analyze a packet capture with SIP TLS on port 5061

(replace A.B.C.D with appropriate IP address)


tshark -o "ssl.desegment_ssl_records: TRUE" \
-o "ssl.desegment_ssl_application_data: TRUE" \
-o "ssl.keys_list: A.B.C.D,5061,sip,/opt/freeswitch/conf/ssl/agent.pem" \
-o "ssl.debug_file:/tmp/tshark.log" \
-i eth0 \
-f "tcp port 5061"

Analyze RTP events

tshark -o "rtp.heuristic_rtp: TRUE" -Y rtpevent

Analyze RTP Quality

sudo tshark -q -f 'udp portrange 16384-32768' -o rtp.heuristic_rtp:TRUE -z rtp,streams
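
The RTP half of the capture filter in the "Filter on SIP and all RTP packets" command is a heuristic, not a protocol decode. The following Python sketch is an added example, not part of the original article: it mirrors the four BPF tests against constructed UDP datagrams to show which packets the filter keeps and which it drops. The 34-byte Ethernet/IPv4 overhead, the helper names and all sample packets are assumptions.

```python
import struct

ETH_IP_OVERHEAD = 14 + 20  # assumption: Ethernet II + IPv4 header without options


def udp_datagram(sport, dport, payload):
    """Build a UDP header (checksum left at 0) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def rtp(payload_len, version=2, pt=0):
    """Constructed 12-byte RTP-style header plus payload_len filler bytes."""
    header = struct.pack("!BBHII", version << 6, pt, 1, 160, 0x1234)
    return header + bytes(payload_len)


def capture_filter_matches(udp):
    """Mirror of the page's BPF test; udp[n] is byte n from the UDP header start.

    In pcap-filter syntax '&' binds tighter than '!=' and '==', so
    'udp[1] & 1 != 1' means '(udp[1] & 1) != 1'.
    """
    if len(udp) <= 8:
        return False                            # no payload byte to test
    frame_len = ETH_IP_OVERHEAD + len(udp)      # BPF 'length' is the whole packet
    return ((udp[1] & 1) != 1                   # source port is even
            and (udp[3] & 1) != 1               # destination port is even
            and (udp[8] & 0x80) == 0x80         # top bit of first payload byte set
            and frame_len < 250)                # small, voice-sized packet


SAMPLES = {  # every packet here is constructed for illustration
    "g711_20ms": udp_datagram(16384, 16386, rtp(160)),
    "g711_30ms": udp_datagram(16384, 16386, rtp(240)),
    "rtcp_odd_port": udp_datagram(16385, 16387, rtp(40, pt=200)),
    "video_rtp": udp_datagram(16388, 16390, rtp(1200, pt=96)),
    "non_rtp_high_bit": udp_datagram(5000, 6000, b"\x90" + bytes(31)),
}


def classify():
    """Return {sample name: True if the capture filter would keep it}."""
    return {name: capture_filter_matches(d) for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:18} {'captured' if hit else 'dropped'}")
```

The 30 ms G.711 and video samples show the `length < 250` test dropping genuine RTP, while the last sample shows unrelated UDP on even ports being captured, so adjust the length bound to the codecs in use and expect some non-RTP packets in the file.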

