Wireshark (formerly Ethereal) is a network traffic analyser. It provides various facilities to see the flow of network data from one machine to another, and numerous ways to filter for the intended packets and traffic. To analyse problems in SIP packets, first select the correct network interface. Then select the transport protocol, which is mostly UDP but can be TCP or TLS as well, depending on the type of SIP configuration. Packet filtering can also be narrowed down by port number. Select real-time display of the data, since SIP is a real-time protocol.

How does Wireshark work?

Wireshark displays the packet data with details like source, time, destination, protocol name and other relevant information. Each packet is analysed for its contents. While troubleshooting a VoIP connection, look at the sequence of the data flow. For example, during the initiation process look for the “INVITE” sequence or the “REGISTER” sequence. SIP endpoints are the most suitable hosts for obtaining relevant network data for analysis. However, traffic from routers can also be analysed by mirroring the intended port and attaching a Wireshark machine to the mirror port. Wireshark provides statistics of telephony packets by individual protocol, such as SIP and RTP. These statistics can be displayed in the form of a summary or a sequence graph.

For each selected packet Wireshark can decode the protocol information, which can be seen in the lower pane of the application window. In the case of SIP, the details of SDP packets can be used to find problems with incoming or outgoing data. Problems related to NAT and DNS can be tracked by analysing the SDP packet data. In the absence of a graphical interface, utilities like tcpdump can write the data to a file, and Wireshark can then be used to analyse this file. Wireshark can also save its own capture output to a file, which can be used for logging or reporting purposes.
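
One way to script the SDP check described above, as an added example that is not part of the original article: it compares the media address offered in the SDP body with the IP-layer source address of the packet, the two values Wireshark shows in its decode pane. The sample INVITE, its addresses and all function names are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample, not from a real capture: an INVITE seen on the public
# side of a NAT, trimmed to the lines the check reads. Addresses are made up.
SAMPLE_SRC_IP = "203.0.113.10"            # IP-layer source shown by Wireshark
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "c=IN IP4 192.168.1.20",
    "m=audio 49170 RTP/AVP 0 8",
])

def sdp_media(message):
    """Return [(media, address, port)], honouring media-level c= lines."""
    session_addr, media = None, []
    for line in message.partition("\r\n\r\n")[2].splitlines():
        if line.startswith("c="):
            addr = line.split()[-1].split("/")[0]    # c=IN IP4 <address>[/ttl]
            if media:
                media[-1][1] = addr                  # overrides session level
            else:
                session_addr = addr
        elif line.startswith("m="):
            kind, port = line[2:].split()[:2]        # m=<media> <port>[/count] ...
            media.append([kind, session_addr, int(port.split("/")[0])])
    return [tuple(m) for m in media]

def is_rfc1918(addr):
    """True/False for an IP literal, None when addr is a hostname."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return any(ip in net for net in RFC1918)

def nat_findings(src_ip, message):
    """Compare each SDP media address with the packet's IP-layer source."""
    findings = []
    for kind, addr, port in sdp_media(message):
        if addr is None:
            findings.append(f"{kind}: no c= line for this stream")
        elif is_rfc1918(addr) is None:
            findings.append(f"{kind}: SDP names host {addr}; check DNS resolution")
        elif is_rfc1918(addr) and not is_rfc1918(src_ip):
            findings.append(f"{kind}: private {addr}:{port} in SDP, packet source {src_ip} (NAT)")
    return findings
```

A finding for a private address means the far end would send RTP to an address it cannot reach, which typically shows up as one-way or missing audio.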

Furthermore, Wireshark can be used to obtain QoS statistics. The RTP stream statistics can reveal information about jitter, delay and similar measures. For lost packets, the individual packet details may reveal the cause of the trouble; for example, packets with a wrong sequence number can be a reason for packet loss. There is no exact procedure for analysing SIP problems, but Wireshark provides dedicated methods for telephony. These methods can point out the possible area of trouble, and further troubleshooting can then help reveal the exact nature of the problem.