How to capture a SIP trace with Wireshark


Wireshark is the de-facto GUI packet analyzer. It can live-capture on any interface, filter SIP/RTP, and export to .pcap or .pcapng — the formats SIP Flow understands natively.

When to reach for this

  • You can install software on the machine that sees the SIP traffic
  • You want to verify SIP is actually on the wire before debugging deeper
  • You already have a .pcap from someone else and need to inspect or trim it

Before you start

  • Wireshark 4.x (Linux, macOS, or Windows)
  • Permission to capture on the interface — root/Administrator, or membership in the `wireshark` group on Linux
  • You know which interface the SIP traffic crosses (`ip a` / `ifconfig` / `ipconfig`)

Steps

  1. Pick the right capture interface

     Open Wireshark and choose Capture → Options. Pick the NIC the SIP signalling actually crosses — usually the one with the PBX's LAN IP. Capturing on `lo` / `loopback` only works if both legs of the call live on the same host.

  2. Apply a SIP capture filter

     Capture filters use BPF syntax and run in the kernel, so they keep the file small. This grabs SIP over UDP, TCP, and TLS on the standard ports.

         udp port 5060 or tcp port 5060 or tcp port 5061

  3. Start capture and reproduce the call

     Click Start, place (or wait for) the failing call, then stop capture. Keep the window short — 30 seconds of one bad call is worth more than 10 minutes of mixed traffic.

  4. Sanity-check with a display filter

     Switch to a display filter to confirm SIP is in the file. If you see zero hits, you captured on the wrong interface or VLAN.

         sip || sip.Method

  5. Export to .pcap

     File → Save As, choose `Wireshark/tcpdump - pcap` (not pcapng) if you want maximum compatibility with sngrep, tshark on older systems, and most carrier ticket tooling. SIP Flow happily accepts either.
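To repeat the sanity check from step 4 and the format caveat from step 5 without opening the GUI, here is an added Python example (not code from this page or from SIP Flow): a minimal reader for classic .pcap files that counts SIP start-lines on UDP 5060 and refuses pcapng, run over a constructed three-message INVITE exchange. It assumes Ethernet-framed IPv4 captures; TCP and TLS legs are deliberately skipped because they need stream reassembly and, for 5061, decryption keys.

```python
import struct

SIP_UDP_PORT = 5060   # the "udp port 5060" leg of the capture filter; TLS on 5061 is TCP and needs keys to read
PCAP_MAGICS = {0xa1b2c3d4: "<", 0xd4c3b2a1: ">", 0xa1b23c4d: "<", 0x4d3cb2a1: ">"}  # classic pcap, usec/nsec
PCAPNG_MAGIC = 0x0a0d0d0a   # Section Header Block of a pcapng file

def build_pcap(packets):
    """Constructed input: wrap each (sport, dport, payload) in Ethernet/IPv4/UDP inside a classic pcap."""
    out = bytearray(struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1))  # linktype 1 = Ethernet
    for sport, dport, data in packets:
        udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data       # checksum 0 = not computed
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
        frame = b"\x00" * 12 + b"\x08\x00" + ip                                  # zero MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame        # record header: ts, lens
    return bytes(out)

def sip_summary(pcap):
    """Count SIP requests by method and responses by status on UDP 5060; reject pcapng/non-Ethernet files."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic not in PCAP_MAGICS:
        raise ValueError("pcapng: re-save as pcap (step 5)" if magic == PCAPNG_MAGIC else "not a pcap file")
    endian = PCAP_MAGICS[magic]
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    counts, off = {}, 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]            # captured length
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                                          # IPv4 + UDP only; TCP/TLS legs need reassembly
        udp = frame[14 + (frame[14] & 0x0f) * 4:]             # skip IPv4 header (IHL in 32-bit words)
        sport, dport = struct.unpack("!HH", udp[:4])
        if SIP_UDP_PORT not in (sport, dport):
            continue
        parts = udp[8:].split(b"\r\n", 1)[0].decode("ascii", "replace").split()
        if len(parts) < 2 or "SIP/2.0" not in (parts[0], parts[-1]):
            continue                                          # on 5060 but not a SIP start-line
        key = parts[1] if parts[0] == "SIP/2.0" else parts[0] # status code for responses, method for requests
        counts[key] = counts.get(key, 0) + 1
    return counts

SAMPLE = [  # constructed: (src port, dst port, UDP payload)
    (5060, 5060, b"INVITE sip:bob@pbx.example SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.1:5060\r\n\r\n"),
    (5060, 5060, b"SIP/2.0 100 Trying\r\nVia: SIP/2.0/UDP 10.0.0.1:5060\r\n\r\n"),
    (5060, 5060, b"SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 10.0.0.1:5060\r\n\r\n"),
    (53, 53, b"\x12\x34\x01\x00"),   # not SIP: must be ignored, like the display filter in step 4
]
```

Point `sip_summary` at a real export after step 5: an empty result means the same as zero hits in step 4, wrong interface or VLAN.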

Tips from people who've done this 1,000 times

  • For TLS on 5061 you need the server's private key (only works when the session used RSA key exchange, not (EC)DHE) or a TLS keylog file — set it under Edit → Preferences → Protocols → TLS
  • Use `Telephony → VoIP Calls` to get a quick ladder before you even leave Wireshark
  • Right-click any SIP packet → `Follow → SIP Stream` to see only that dialog

Pitfalls

  • Capturing on the WAN interface when the SIP trunk lives behind a NAT router (you'll only see encrypted/STUN traffic)
  • Forgetting that pcapng is fine but some PBX vendor support portals still reject it — keep a .pcap copy if you're filing a ticket
  • Saving with a display filter applied does NOT trim the file unless you use File → Export Specified Packets

Got the trace? Render the ladder.

Drop your Wireshark export into SIP Flow and we'll render the call flow, surface RFC issues, and (optionally) ask Gemini to explain what went wrong — all client-side by default.

