Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Capture RTP and SIP Traffic using tcpdump

Tags:

rtp

tcpdump

sip

I need to capture SIP and RTP traffic to find a problem with something. I can capture SIP messages fine but am having a problem with capturing the RTP traffic.

I've tried the following but this is only getting out the SIP packages and no RTP.

tcpdump -T rtp -vvv src -s 1500 -i any -w /home/lantrace_test2.pcap port 5060

The other way I was thinking of doing it is as rtp uses a range of UDP ports, capturing the range that we are using for the RTP traffic but I can't find a way of capturing a range of ports so not sure if tcpdump supports port ranges for capture

Thanks for any help you can provide

like image 865
Boardy Avatar asked Jul 27 '12 10:07

Boardy


People also ask

How do I capture SIP packets in tcpdump?

Capturing only SIP traffic using the Tcpdump:-s = How many bytes of data to grab from each packet, zero means use the required length to catch whole packets. port = What port to listen to, 5060 is the default port for SIP. -vvv = Even more, verbose output, this will give you as many details as possible.

Does tcpdump capture ARP?

tcpdump Filter Packets – Capture all the packets other than arp and rarp.


1 Answers

Your SIP traffic runs over 5060, as you know, but the port on which to sniff RTP is described by the SDP bodies of the SIP messages. In other words, there's no way to know on which ports to sniff until the offer/answer exchange has completed.

If you know something about the user agents involved, then you could try tricks like capturing traffic on a range of ports. (Something like tcpdump -n dst portrange 10000-11000 for instance.)

like image 54
Frank Shearar Avatar answered Sep 18 '22 16:09

Frank Shearar