
SIP Flows Window in Wireshark

In this digital era, most information is transmitted over a network, so the network must be secure enough that an attacker cannot sniff essential information. To address this, network engineers developed network analysis tools to close security holes in the network and to monitor safe data transfer. One such tool is Wireshark, which is widely used because it is open source and has an easy-to-use interface. It runs on Windows as well as Linux and macOS.

SIP (Session Initiation Protocol) is a signaling protocol that works with many other application-layer protocols to start, maintain, and end communication sessions among different devices. It is used for sending messages from one device to another and for calling over LTE or VoLTE.



SIP Flows Window in Wireshark:

It is a window in Wireshark that shows data related to SIP transactions, working with VoIP calls over the network. It can contain message, audio, or video data packets. It is used to record all multimedia communication sessions, and it shows every transaction, whether completed or in progress. Protocols used with SIP are ISUP, MGCP/MEGACO, SKINNY, UNISTIM, etc. It can be found under the Telephony tab in Wireshark; see the image below.

 

After clicking it, the SIP Flows window appears with the captured SIP transactions.



 

Because this protocol is similar to VoIP, all the fields are the same as in the VoIP Calls window, which are

Captured Result:

 

In the captured traffic above, the protocol is SIP and the state is REJECTED or CANCELED. Comments can be seen for each SIP packet, along with the sender's and receiver's information. There is also a filter option that lets users filter these SIP transactions on different parameters for deeper analysis. Users can also copy the captured data in CSV or YAML format.
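To show how one row per call with a state and sender/receiver can be derived from raw SIP messages, here is an added Python example (not part of the original article and not Wireshark's own code) that groups messages by Call-ID and tracks a simplified state. The sample messages are constructed, the function names are hypothetical, state names other than REJECTED and CANCELED are assumptions, and messages are assumed to be well-formed.

```python
def parse(raw):
    """Return (method, or int status code for a response) and the headers."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    first = lines[0].split()
    kind = int(first[1]) if first[0].startswith("SIP/") else first[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return kind, headers

def sip_flows(messages):
    """Map Call-ID -> summary. States other than REJECTED/CANCELED are assumed names."""
    calls = {}
    for raw in messages:
        kind, h = parse(raw)
        if "call-id" not in h:
            continue  # cannot be attributed to any call
        call = calls.setdefault(h["call-id"], {"from": h.get("from"),
                    "to": h.get("to"), "state": "CALL SETUP", "packets": 0})
        call["packets"] += 1
        cseq_method = h.get("cseq", "").split()[-1:]  # e.g. ["INVITE"]
        if kind == "CANCEL":
            call["state"] = "CANCELED"
        elif kind == "BYE":
            call["state"] = "COMPLETED"
        elif isinstance(kind, int) and cseq_method == ["INVITE"]:
            if 200 <= kind < 300:
                call["state"] = "IN CALL"
            elif kind >= 400 and call["state"] != "CANCELED":
                call["state"] = "REJECTED"  # a 487 after CANCEL stays CANCELED
    return calls

def msg(start, call_id, cseq):  # builds one constructed sample message
    return (f"{start}\r\nFrom: <sip:alice@example.com>;tag=1\r\n"
            f"To: <sip:bob@example.com>\r\nCall-ID: {call_id}\r\nCSeq: {cseq}\r\n\r\n")

SAMPLE = [  # constructed messages, not taken from a real capture
    msg("INVITE sip:bob@example.com SIP/2.0", "c1", "1 INVITE"),
    msg("SIP/2.0 486 Busy Here", "c1", "1 INVITE"),
    msg("INVITE sip:bob@example.com SIP/2.0", "c2", "1 INVITE"),
    msg("CANCEL sip:bob@example.com SIP/2.0", "c2", "1 CANCEL"),
    msg("SIP/2.0 200 OK", "c2", "1 CANCEL"),
    msg("SIP/2.0 487 Request Terminated", "c2", "1 INVITE"),
]

if __name__ == "__main__":
    for call_id, call in sip_flows(SAMPLE).items():
        print(call_id, call["state"], call["packets"], call["from"], "->", call["to"])
```

The CSeq method is what keeps the 200 OK that answers a CANCEL from being mistaken for an answered call.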

Conclusion:

In this article we captured SIP data using Wireshark and analyzed it for study purposes. SIP is used for making requests and sending replies to those requests. SIP traffic appears in the main window along with other captured data, but to separate it out, one can use the SIP Flows window.