VoIP Packet Analysis Using Wireshark

Wireshark is a useful tool for analyzing VoIP (Voice over Internet Protocol) traffic, and it provides SIP analysis functions. Let's look at how to use them.

To analyze VoIP network traffic, Wireshark can capture the packets and extract the voice data from them. The first step before analysis is to capture the VoIP packets; capturing another device's VoIP packets requires ARP spoofing or some other way of seeing that device's traffic.

SIP Authentication

When a user authenticates to a VoIP service with a username and password, the packets are as follows.

The username is sent in plaintext, but the password is combined with other data (as follows) and hashed. The resulting hash is sent as the 'response' value.

Response Operation
Response = md5(A1:nonce:A2)
A1 = unq(username-value) ":" unq(realm-value) ":" passwd
   = md5(username:realm:password)
A2 = Method ":" digest-uri-value
   = md5(method:url)
# SIP authentication mechanisms are described in "HTTP Authentication: Basic and Digest Access Authentication" (RFC 2617).
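As an added example (not code from the original post), this Python code parses a Digest credential and recomputes the 'response' value the way the receiving server does when it checks a login. It goes beyond the formula above by also handling the qop=auth variant from RFC 2617, so it can be checked against the test vector published in that RFC; the SIP user, realm, nonce and password are constructed sample values.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest(value):
    """Split 'Digest k="v", k2=v2' into a dict of unquoted field values."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', params)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

def expected_response(f, method, password):
    """Recompute 'response' from the header fields plus the stored password."""
    ha1 = md5_hex(f"{f['username']}:{f['realm']}:{password}")  # md5(username:realm:password)
    ha2 = md5_hex(f"{method}:{f['uri']}")                      # md5(method:uri)
    if f.get("qop") == "auth":  # RFC 2617 variant, not covered by the formula above
        return md5_hex(f"{ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:auth:{ha2}")
    return md5_hex(f"{ha1}:{f['nonce']}:{ha2}")

def verify(value, method, password):
    """Server-side check of a received Authorization header value."""
    f = parse_digest(value)
    if f.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only MD5 is handled here")
    return hmac.compare_digest(expected_response(f, method, password),
                               f.get("response", "").lower())

# Test vector from the example in RFC 2617 (HTTP GET, password "Circle Of Life").
RFC2617_VECTOR = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", opaque="5ccc069c403ebaf9f0171e9517f40e41"')

def constructed_sip_register(password):
    """Constructed sample: a REGISTER credential without qop, as in the formula above."""
    f = {"username": "alice", "realm": "pbx.example.invalid",
         "nonce": "constructed-nonce-0001", "uri": "sip:pbx.example.invalid"}
    f["response"] = expected_response(f, "REGISTER", password)
    return "Digest " + ", ".join(f'{k}="{v}"' for k, v in f.items())

if __name__ == "__main__":
    print(verify(RFC2617_VECTOR, "GET", "Circle Of Life"))
    hdr = constructed_sip_register("constructed-password")
    print(verify(hdr, "REGISTER", "constructed-password"), verify(hdr, "INVITE", "constructed-password"))
```

Because the method and URI are part of the hash, a response computed for REGISTER does not verify for INVITE.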

Extract the Voice Call Data 

To extract the voice call data, you can use Wireshark's extraction feature.

When you are done capturing packets, select the menu "Telephony" → "VoIP Calls".

The dialog shows the VoIP calls with their talk times, source (SIP address or phone number), destination and state. There is only 1 call in my example. Select the call and click the "Player" button.

Next, click "Decode". This starts converting the packet data to voice data.

Now you can see the voice call data, and you can also listen to the audio of the call. The first waveform is the other party's voice and the second waveform is your voice. Click each waveform and play it.

If the voice call data is encrypted, as with SSL, this decode function does not work. It can only analyze unencrypted RTP data.