Filtering a Wireshark Capture
Filter Active Captures
There is a myriad of syntax options that can be used when capturing packets. You can experiment with the syntax to determine what works best for you. We recommend that you filter less when creating the capture and then apply extra filters as needed when reading the capture.
Green or Red:
When you type a filter into Wireshark, the filter display will show either red or green. Red means the filter expression is not valid and cannot be applied; green means the filter expression is valid and will be applied:
Working Filter
Not Working Filter:
As you can see, field names are case-sensitive: leaving a letter uncapitalized (for example sip.to instead of sip.To) makes the filter invalid, and Wireshark will let you know.
SIP Filtering:
Filter Destination:
If we wanted to filter a capture to 877-478-6471 we would use the following:
sip.To contains 8774786471
Filter Source:
If you want to look for calls using a specific source number use:
sip.From contains 7247884018
Filtering Source and Destination:
To narrow down a call further we can look for the source and destination:
sip.From contains 7247884018 and sip.To contains 8774786471
Call ID:
Filtering by the Call ID will ensure you have obtained all SIP packets related to a specific call. You can find the Call ID by:
Selecting the Invite packet
Expand Session Initiation Protocol (INVITE)
Expand Message Header
Right-click Call-ID
Select Apply as Filter > Selected
You will see something similar to the example below appear in your filter display:
sip.Call-ID == "1963614536_81294881@76.10.193.110"
Audio Filtering:
If you need to review the media stream, you will need to capture both the SIP signaling and the RTP stream.
Below are two methods for filtering a capture down to obtain the media:
Method 1:
Select 'VoIP Calls' in the Wireshark Telephony menu.
Locate the call in question and click 'Flow Sequence'.
From there, open the INVITE packet, expand the SIP portion and then the Message Header.
At this point, select and then right-click the Call-ID, go to 'Prepare as Filter' and then click 'Selected'.
Next, select the first RTP stream from the call ladder, expand 'Real-Time Transport Protocol', right-click the 'Synchronization Source identifier', go to 'Prepare as Filter' once again, but this time select '...or Selected'. Repeat the same process for the other RTP stream.
Once you apply the filter, you can save the call from the File > Export Specified Packets menu. Enter a name for the file and make sure the 'Displayed' radio button is selected.
Click 'Save'.
Method 2:
● In the filter bar, use the To and/or From filter to find the call in question.
● Go to the Invite > Session Initiation Protocol (INVITE) > Message Header.
● Right-click Call-ID and select Apply as Filter > Selected.
● This has isolated the call, but only the SIP. We need the audio.
● Still under the Invite, go to Message Body > Session Description Protocol.
● You will see a field labeled Media Description, name and address (m): audio. At the end of the audio line is the port of the media.
● In the filter above, add 'or udp.port==' followed by the port number, but do not hit Enter.
● Look for the 200 OK and repeat the process of obtaining the UDP port.
● Now hit Enter. You should have the capture filtered down to the specific call.
● To export the capture, go to File > Export Specified Packets and name the file.
● Hit Save.
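The two methods above both end with a display filter that combines the Call-ID with an identifier for each RTP stream: the SSRC of each stream (Method 1) or the UDP media port from the INVITE and the 200 OK SDP bodies (Method 2). The script below is an added example, not part of the original article or of Wireshark, that builds both filter strings from constructed SIP messages and RTP packets, so you can see exactly which fields each method relies on. The SIP messages, SDP bodies, addresses and RTP bytes are all made up for the example.

```python
"""Build the Wireshark display filters from Method 1 and Method 2 (added example).

All messages and packets below are constructed for illustration; the
addresses use documentation ranges and nothing here was captured.
"""
import re

# Constructed INVITE with an SDP body (CRLF line endings as on the wire).
INVITE = (
    "INVITE sip:8774786471@example.invalid SIP/2.0\r\n"
    "From: <sip:7247884018@example.invalid>;tag=a1\r\n"
    "To: <sip:8774786471@example.invalid>\r\n"
    "Call-ID: 1963614536_81294881@192.0.2.10\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=call\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
)

# Constructed 200 OK answering the INVITE; its SDP names the far-end media port.
OK_200 = (
    "SIP/2.0 200 OK\r\n"
    "From: <sip:7247884018@example.invalid>;tag=a1\r\n"
    "To: <sip:8774786471@example.invalid>;tag=b2\r\n"
    "Call-ID: 1963614536_81294881@192.0.2.10\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 198.51.100.20\r\n"
    "m=audio 20000 RTP/AVP 0\r\n"
)

# Constructed RTP headers (12 bytes): V=2, PT=0, seq, timestamp, then the SSRC.
RTP_A = bytes.fromhex("8000 0001 00000000 deadbeef")
RTP_B = bytes.fromhex("8000 0001 00000000 0badf00d")


def split_message(raw):
    """Return (headers dict keyed by lowercase name, body) for one SIP message."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def call_id(raw):
    return split_message(raw)[0]["call-id"]


def media_port(raw):
    """Port from the SDP 'm=audio <port> ...' line, i.e. the number after 'audio'."""
    _, body = split_message(raw)
    match = re.search(r"^m=audio (\d+) ", body, re.M)
    if match is None:
        raise ValueError("no audio media description in SDP body")
    return int(match.group(1))


def rtp_ssrc(packet):
    """SSRC is bytes 8..11 of the fixed RTP header; require RTP version 2."""
    if len(packet) < 12 or packet[0] >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    return int.from_bytes(packet[8:12], "big")


def method1_filter(invite, rtp_packets):
    """Call-ID plus '...or Selected' on each stream's SSRC, as Method 1 produces."""
    ssrcs = sorted({rtp_ssrc(p) for p in rtp_packets})
    return f'sip.Call-ID == "{call_id(invite)}"' + "".join(
        f" or rtp.ssrc == 0x{s:08x}" for s in ssrcs
    )


def method2_filter(invite, ok):
    """Call-ID plus 'or udp.port==' for the INVITE and 200 OK media ports (Method 2)."""
    cid = call_id(invite)
    if call_id(ok) != cid:
        raise ValueError("200 OK does not belong to the same call as the INVITE")
    ports = sorted({media_port(invite), media_port(ok)})
    return f'sip.Call-ID == "{cid}"' + "".join(f" or udp.port=={p}" for p in ports)


if __name__ == "__main__":
    print(method1_filter(INVITE, [RTP_A, RTP_B]))
    print(method2_filter(INVITE, OK_200))
```

Both filters match either direction of the media because rtp.ssrc and udp.port are direction-agnostic, which is why Method 2 needs the port from the 200 OK as well as the INVITE. If a call is re-INVITEd to a new port, or a different call happens to reuse one of the same UDP ports during the capture, the port-based filter will pick up extra packets, so check the exported file against the SSRC view when it matters.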