...
You will see something similar to the example below appear in your filter display:
sip.Call-ID == "1963614536_81294881@76.10.193.110"
Audio Filtering:
If you need to review the media stream, you will need to ensure you have both the SIP and RTP streams.
Below are two methods for filtering a capture down to obtain the media:
Method 1:
Select 'voip calls' in the Wireshark Telephony menu.
Locate the call in question and click 'flow sequence'.
From there, open the INVITE packet, expand the SIP portion and then the message header.
At this point, select and then right-click the Call-ID, go to 'prepare filter' and click 'selected'.
Next, select the first RTP stream from the call ladder, expand 'real-time transport protocol', right-click the 'synchronization source identifier' and go to 'prepare filter' once again, but this time select '...or selected'. Repeat the same process for the other RTP stream.
Once you apply the filter, you can save the call from the File > Export Specified Packets menu: enter a name for the file and make sure the 'Displayed' radio button is selected.
Click 'Save'.
Method 2:
● In the filter bar use the To and/or From filter to find the call in question.
● Go to the Invite > Session Initiation Protocol (INVITE) > Message Header.
● Right click Call ID and select Apply as Filter > Selected.
● This has isolated the call but only the SIP. We need the audio.
● Still under the Invite go to Message Body > Session Description Protocol.
● You will see a field labeled Media Description, name and address (m): audio.
● At the end of audio is the port of the media.
● In the filter above add 'or udp.port==' followed by the port number but do not hit enter.
● Look for the 200 OK and repeat the process of obtaining the UDP port.
Now hit enter. You should have the capture filtered down to the specific call.
To export the capture go to File > Export Specified Packets and name the file.
...
Hit Save
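
The Method 2 filter can also be assembled from the text of the INVITE and the 200 OK. The script below is an added example, not part of the original guide: the two SIP messages are constructed samples (only the Call-ID comes from the example above) and the function names are hypothetical.

```python
import re

# Constructed sample messages, not taken from a real capture.
INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Call-ID: 1963614536_81294881@76.10.193.110\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\nc=IN IP4 192.0.2.10\r\n"
    "m=audio 16384 RTP/AVP 0 8 101\r\n"
)
OK_200 = (
    "SIP/2.0 200 OK\r\n"
    "i: 1963614536_81294881@76.10.193.110\r\n"   # compact form of Call-ID
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\nc=IN IP4 198.51.100.20\r\n"
    "m=audio 20000 RTP/AVP 0\r\n"
    "m=video 0 RTP/AVP 96\r\n"                   # not audio, ignored
)

def call_id(msg):
    """Return the Call-ID header value (long or compact 'i:' form)."""
    head = msg.split("\r\n\r\n", 1)[0]
    m = re.search(r"^(?:Call-ID|i)[ \t]*:[ \t]*(\S+)", head, re.I | re.M)
    if not m:
        raise ValueError("no Call-ID header found")
    return m.group(1)

def audio_ports(msg):
    """Return the ports from 'm=audio <port>' lines in the SDP body."""
    body = msg.split("\r\n\r\n", 1)[1] if "\r\n\r\n" in msg else ""
    ports = [int(p) for p in re.findall(r"^m=audio (\d+)", body, re.M)]
    return [p for p in ports if p != 0]          # port 0 means stream declined

def build_filter(*messages):
    """Build: sip.Call-ID == "<id>" or udp.port==<p1> or udp.port==<p2>"""
    ids = {call_id(m) for m in messages}
    if len(ids) != 1:
        raise ValueError("messages belong to different calls")
    cid = ids.pop().replace("\\", "\\\\").replace('"', '\\"')
    ports = []
    for m in messages:
        for p in audio_ports(m):
            if p not in ports:                   # keep order, drop duplicates
                ports.append(p)
    return " or ".join(['sip.Call-ID == "%s"' % cid] +
                       ["udp.port==%d" % p for p in ports])

if __name__ == "__main__":
    print(build_filter(INVITE, OK_200))
```

A udp.port filter also matches any other traffic in the capture that uses the same ports, so check the result for packets from unrelated calls before exporting; the SSRC filter from Method 1 is the tighter match.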