Using tcpdump to troubleshoot SIP traffic
21 Jun 2011
Linux and macOS include tcpdump, which captures live network traffic. With the right command options it is easy to capture SIP call flows and view them in Wireshark.
The following command is run on Red Hat Linux and listens for SIP traffic on port 5060 of the eth1 interface (-i names the capture interface, -w writes the raw packets to a file):
bwadmin@as1$ su
Password: ********
[root@as1 bwadmin]# tcpdump -i eth1 -w sip.pcap port 5060
If the tcpdump release is older than 4.0, add -s 0, because the default snapshot length (96 bytes) would truncate the SIP messages. The port 5060 filter captures SIP signalling only; RTP media and SIP over TLS on port 5061 are not included in the capture.
Open the pcap in Wireshark and all captured SIP traffic will be displayed. Use the following display filters to view specific calls (the number is quoted so Wireshark matches it as text rather than as hex bytes):
# show SIP packets to or from this number
sip contains "4045551000"
# show SIP packets to this number
sip.To contains "4045551000"
# show SIP packets from this number
sip.From contains "4045551000"
Filter by SIP Call-ID to isolate a single call flow. To save that call flow to its own pcap file, use Save As > Displayed so that only the filtered packets are written.
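The same To/From/Call-ID selection the Wireshark filters perform, written out as an added Python example (not code from the original post) over SIP messages pulled from a capture; the messages, numbers and hosts are constructed for illustration, and the parser also expands the compact header names (f, t, i) that a plain substring match on "To:" would miss.

```python
import re
# Constructed sample SIP messages standing in for packets pulled out of sip.pcap;
# the 200 OK uses the compact header names (f, t, i) allowed by RFC 3261.
SAMPLE_MESSAGES = [
    "INVITE sip:4045551000@pbx.example.net SIP/2.0\r\n"
    "From: \"Alice\" <sip:4045552000@pbx.example.net>;tag=1928301774\r\n"
    "To: <sip:4045551000@pbx.example.net>\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.5\r\n\r\n",
    "SIP/2.0 200 OK\r\n"
    "f: \"Alice\" <sip:4045552000@pbx.example.net>;tag=1928301774\r\n"
    "t: <sip:4045551000@pbx.example.net>;tag=a6c85cf\r\n"
    "i: a84b4c76e66710@10.0.0.5\r\n\r\n",
    "INVITE sip:4045559999@pbx.example.net SIP/2.0\r\n"
    "From: <sip:4045553000@pbx.example.net>;tag=77\r\n"
    "To: <sip:4045559999@pbx.example.net>\r\n"
    "Call-ID: 5551212zzz@10.0.0.9\r\n\r\n",
]

# Compact header names (RFC 3261 section 7.3.3) mapped to their long forms.
COMPACT = {"f": "from", "t": "to", "i": "call-id", "v": "via", "m": "contact"}

def parse_sip(raw):
    """Return (start line, header dict) with header names lowercased and expanded."""
    head = raw.split("\r\n\r\n", 1)[0]          # drop any SDP body
    start_line, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[COMPACT.get(name, name)] = value.strip()
    return start_line, headers

def number_in(header_value):
    """Extract the user part of a sip: URI, e.g. 4045551000 from <sip:4045551000@host>."""
    m = re.search(r"sip:([^@;>]+)@", header_value)
    return m.group(1) if m else ""

def select(messages, number, direction="any"):
    """Mirror the Wireshark filters: 'to' = sip.To, 'from' = sip.From, 'any' = sip contains.
    Returns (Call-ID, start line) pairs so one call flow can be pulled out by Call-ID."""
    hits = []
    for raw in messages:
        start_line, h = parse_sip(raw)
        matched = {"to": number_in(h.get("to", "")) == number,
                   "from": number_in(h.get("from", "")) == number,
                   "any": number in raw}[direction]
        if matched:
            hits.append((h.get("call-id", ""), start_line))
    return hits
```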
If you need to view SIP calls in real time on an IP PBX or SIP softswitch platform, you can run the tail command on the system log file to which the SIP messages are written.
Here is an example with Broadsoft BroadWorks and the XSLog file.
bw_as1$ tail -f /var/broadworks/logs/appserver/XSLog2009.08.12-16.05.34.txt
As BroadWorks writes to the log file, the output is displayed in real time in the Unix shell.