- Tcpdump is a command-line packet analyzer with a rich set of options for capturing network traffic. Let's look at the commands for capturing SIP and RTP traffic with tcpdump.
Capturing only SIP traffic using the Tcpdump:
tcpdump -i any -n -s 0 -vvv -w /tmp/capture_file_name.pcap port 5060
-i = the interface to capture on (eno0, eno1, eno2, etc.); "any" captures on all interfaces at once. You will most likely want the interface that faces your SIP peers. Note that on Linux "-i any" does not put the interfaces into promiscuous mode and records each packet with a Linux "cooked" header instead of the real Ethernet header.
-n = Do not convert addresses to names. This avoids DNS lookups, which slow the capture down and generate extra DNS traffic of their own.
-s = snapshot length, the number of bytes to keep from each packet; 0 means capture whole packets. Recent tcpdump releases default to a snaplen large enough for full packets, so -s 0 mainly matters on older builds, where the old 68-byte default would truncate every SIP message.
port 5060 = the capture filter, placed last because everything after the options is treated as the filter expression. It matches TCP or UDP packets whose source or destination port is 5060, the default SIP port. SIP over TLS normally uses port 5061 and is not matched by this filter.
-vvv = maximum verbosity. When writing to a file with -w this only affects what tcpdump prints to the terminal (such as the packet count); the contents of the capture file are the same either way.
-w = write the raw packets to a file in pcap format instead of decoding them on the screen, so they can be analyzed later.
You can also print SIP traffic to the console in ASCII, which is handy for watching REGISTER and INVITE messages live, using the following command:
tcpdump -n -q -tttt -s 0 -A -i eno1 port 5060
Here -A prints the payload of each packet as ASCII (SIP is a text protocol, so the full message is readable), -q keeps the per-packet summary line short, and -tttt prefixes each packet with a full date and time stamp.
Capturing SIP and RTP traffic and saving it to a pcap file:
tcpdump -i eno1 -n -s 0 -w /tmp/filename.cap 'udp port 5060 or udp portrange 10000-20000'
Note: my SIP server listens on the default port 5060 and my RTP ports are 10000 to 20000, so change these ports according to your environment. The filter is quoted so the shell does not interpret it, and it matches SIP over UDP only; if your endpoints register over TCP, use "port 5060" instead of "udp port 5060". RTCP uses ports inside the same range, so it is captured along with the RTP.
Now we have the entire call, signalling and media, in the pcap file. You can open it in Wireshark for further analysis; Telephony > VoIP Calls lists the calls and can play back the RTP streams.
The same capture on all interfaces, for a server whose RTP range is 16384-32768:
tcpdump -i any -n -s 0 -w govind.cap 'udp port 5060 or udp portrange 16384-32768'
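As an added example (not part of the original post), here is a small POSIX shell wrapper around the capture command above. It builds the filter from the SIP port and RTP range, rejects bad or reversed port values before tcpdump is even started, matches SIP over both TCP and UDP, and keeps the options in front of the filter expression so the command behaves the same on Linux and BSD. The script name capture-voip.sh, the default interface and output directory, and the ten-minute rotation interval are assumptions of this example; tcpdump itself needs root or the CAP_NET_RAW and CAP_NET_ADMIN capabilities to open the capture socket.

```shell
#!/bin/sh
# capture-voip.sh (hypothetical name): SIP + RTP capture wrapper for tcpdump.
# Example code, not from the original post. The defaults below
# (interface eno1, /tmp/voip, 5060, 10000-20000) are assumptions.

# Build the BPF filter from a SIP port and an RTP port range.
# SIP may arrive over TCP as well as UDP, so the signalling half of the
# filter matches both; RTP and RTCP are UDP only.
build_filter() {
    sip_port=$1; rtp_lo=$2; rtp_hi=$3
    # Sanity-check the values so a typo does not silently produce an
    # empty capture (tcpdump accepts "udp portrange 1000-200" without
    # complaint and simply captures nothing from it).
    for p in "$sip_port" "$rtp_lo" "$rtp_hi"; do
        case $p in
            ''|*[!0-9]*) echo "bad port: '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done
    if [ "$rtp_lo" -gt "$rtp_hi" ]; then
        echo "RTP range reversed: $rtp_lo-$rtp_hi" >&2; return 1
    fi
    printf '(tcp port %s or udp port %s) or udp portrange %s-%s' \
        "$sip_port" "$sip_port" "$rtp_lo" "$rtp_hi"
}

# Start tcpdump: options first, quoted filter last.
#   -n        no DNS lookups
#   -s 0      full packets
#   -U        flush each packet to the file as it is captured, so a
#             capture interrupted with Ctrl-C is still readable
#   -G 600    rotate the output file every 600 seconds (the strftime
#             fields in the -w name are expanded per file)
capture() {
    iface=$1; outdir=$2; sip_port=$3; rtp_lo=$4; rtp_hi=$5
    filter=$(build_filter "$sip_port" "$rtp_lo" "$rtp_hi") || return 1
    mkdir -p "$outdir" || return 1
    exec tcpdump -i "$iface" -n -s 0 -U -G 600 \
        -w "$outdir/voip-%Y%m%d-%H%M%S.pcap" "$filter"
}

# Only start a capture when run directly as capture-voip.sh, so the
# file can also be sourced just for build_filter.
case ${0##*/} in
    capture-voip.sh)
        capture "${1:-eno1}" "${2:-/tmp/voip}" "${3:-5060}" "${4:-10000}" "${5:-20000}"
        ;;
esac
```

Run it as `capture-voip.sh eno1 /tmp/voip 5060 10000 20000`. Two practical caveats: on distributions whose tcpdump drops privileges by default (Debian's switches to the tcpdump user once the socket is open), the output directory must be writable by that user or file rotation fails; and unless the calls use SRTP, the rotated files contain the audio of every call in the clear, so treat them with the same care as a voicemail store.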