Using tcpdump to troubleshoot SIP traffic

Linux and macOS include tcpdump which is used to capture live network traffic. With the right command options it’s easy to capture SIP call flows to view in Wireshark.

The following command is run on Red Hat Linux and listens for SIP traffic on port 5060 of the eth1 interface.

bwadmin@as1$ su
Password: ********
[root@as1 bwadmin]# tcpdump eth1 -w sip.pcap port 5060

Open the pcap in Wireshark and all SIP traffic captured will be displayed. Use the following filters to view specific calls.

sip:+4045551000@telepacific.com;tag=887s

tel:411

#show SIP packets To or From this number
sip contains 4045551000

#show SIP packets To this number
sip.To contains 4045551000

#show SIP packets From this number
sip.From contains 4045551000

Filter by SIP call-id

sip.Call-ID==20badbbf750c497a80d63ebb8a74a213

To save a specific call flow to its own pcap file user Save As > Displayed

If you need to view SIP calls in real-time on an IP PBX or SIP Softswitch platform you can use the tail command on the system’s log file that writes the SIP messages.

Here is an example with Broadsoft BroadWorks and the XSLog file.

bw_as1$ tail -f /var/broadworks/logs/appserver/XSLog2009.08.12-16.05.34.txt

As BroadWorks writes to the log file the output will be displayed in real-time in the Unix shell.