Sniffing VOIP with Wireshark

“VOIP is pretty secure.” How many of us have heard this before?

Let’s fire up Wireshark (found here; it runs on *nix and Windows, and it is a network protocol analyzer that does some cool stuff, really easily!)

First, a little background on VOIP. We use essentially three types of protocols for VOIP: management, media, and auxiliary. When Josh picks up his VOIP phone to call Jared on his VOIP phone, Josh first connects to a central management server, which contacts Jared’s management server, and the two work out the connection details (protocols, etc.). H.323 and SIP are the protocols most used in this phase.

After negotiating the details of the connection, Josh’s and Jared’s phones connect directly. This is the second group of protocols, the media protocols, usually RTP or something like it. The third group is the auxiliary protocols: transport, etc. Usually UDP is used, but TCP could be used if you really wanted it to be. (Yes, TCP has error correction built in, but if it has to re-send a packet a couple of milliseconds later, think about what that will do to a latency-sensitive application like VOIP. This is why the stateless protocol UDP is usually used.)

So after our background on VOIP, let’s take a look at sniffing it. Wireshark can analyze the majority of the most-used VOIP protocols and is very useful for troubleshooting issues with your VOIP implementation. Once we have captured a VOIP stream or two, we can have Wireshark search for VOIP calls.

We can then select one of the streams and graph it, to get a better picture of how the call was actually made.

Next, we can exit out of that and look for any RTP frames (remember, the Real-time Transport Protocol is the media protocol carrying the actual conversation itself) and run an analysis on them. Once the analysis comes up, we can select “Save Payload” and have it extract the audio from the RTP stream and save it as an .au file, to listen to in the media player of your choice.
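To make the RTP analysis and “Save Payload” steps concrete, here is a small added example (my own illustration, not code from the post or from Wireshark) that decodes RTP headers from raw UDP payloads, groups them into streams by SSRC the way the analysis window does, counts sequence gaps, and builds the same Sun .au container Wireshark writes for G.711 mu-law; the packets are constructed inline, and all function names are my own. It is handy for checking whether a capture from your own LAN carries plain, decodable voice.

```python
import struct
from collections import defaultdict

# Static payload types from RFC 3551 that plain voice calls commonly use
PAYLOAD_NAMES = {0: "PCMU/8000", 8: "PCMA/8000", 18: "G729/8000"}


def parse_rtp(packet: bytes) -> dict:
    """Decode the fixed 12-byte RTP header (RFC 3550), skipping CSRCs and any extension."""
    if len(packet) < 12:
        raise ValueError("too short for RTP")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    offset = 12 + 4 * (b0 & 0x0F)          # skip CSRC list (CC field)
    if b0 & 0x10:                          # X bit: header extension present
        _, ext_words = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4 + 4 * ext_words
    return {"marker": bool(b1 & 0x80), "payload_type": b1 & 0x7F,
            "seq": seq, "timestamp": ts, "ssrc": ssrc, "payload": packet[offset:]}


def analyse_streams(packets):
    """Group packets by SSRC (one per call direction) and report codec, count and
    sequence gaps, like Wireshark's RTP Stream Analysis. Ignores 16-bit seq wrap."""
    streams = defaultdict(list)
    for pkt in packets:
        hdr = parse_rtp(pkt)
        streams[hdr["ssrc"]].append(hdr)
    report = {}
    for ssrc, hdrs in streams.items():
        hdrs.sort(key=lambda h: h["seq"])
        expected = hdrs[-1]["seq"] - hdrs[0]["seq"] + 1
        report[ssrc] = {
            "codec": PAYLOAD_NAMES.get(hdrs[0]["payload_type"], "dynamic/unknown"),
            "packets": len(hdrs),
            "lost": expected - len(hdrs),
            "payload_bytes": sum(len(h["payload"]) for h in hdrs),
        }
    return report


def to_au(mulaw: bytes) -> bytes:
    """Wrap raw 8 kHz mono mu-law in a Sun .au header: magic, header size,
    data size, encoding 1 (8-bit mu-law), sample rate, channels."""
    return struct.pack("!4sIIIII", b".snd", 24, len(mulaw), 1, 8000, 1) + mulaw


def make_rtp(seq, ts, ssrc, pt=0, payload=b"\xff" * 160):
    """Constructed sample packet: V=2, no CSRC/extension, 20 ms of mu-law silence."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload
```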

Wireshark is a very good tool for troubleshooting your VOIP network, as well as for listening in to the occasional call; of course, this could be mitigated very easily by using something like IPsec on your LAN.



5 thoughts on “Sniffing VOIP with Wireshark”

  1. Gustavo says:

    Do you know something about TLS and SRTP? I doubt it. A lot of providers and users are now using SIP TLS and securing RTP with crypt apps.


  2. admin says:

    Hello Gustavo,
    You bring up a good point. I agree that providers are starting to use more secure protocols such as SRTP and ZRTP, but since SRTP is still a relatively recent RFC (2004), it still is not widely in use. Besides that, there are still big companies, like Vonage, that are still using RTP and no encryption. In other words, it is still very easy to eavesdrop on the data stream and extract the audio from it.


  3. […] Josh Brower’s musings on sniffing VoIP with Wireshark. […]

