How to capture a SIP trace with tcpdump

Tags: CLI tools · .pcap · .pcapng

`tcpdump` is the lowest-common-denominator packet capture tool — installed on virtually every Linux/BSD/macOS box. It can't dissect SIP itself, but it produces clean .pcap files that SIP Flow, Wireshark, and sngrep all read natively. Reach for it first when you're triaging a server you've never touched before.

When to reach for this

  • You're on a box where you can't (or won't) install Wireshark / sngrep
  • You need to start a capture in 5 seconds without thinking about it
  • You want a pcap to hand off to a colleague or vendor support ticket

Before you start

  • `tcpdump` installed (it almost always is)
  • Root or `cap_net_raw` capability
  • Interface name (`ip -br a`, `ifconfig`, or `tcpdump -D`)

Steps

  1.

    Confirm the interface

    List interfaces tcpdump can see. Pick the one carrying SIP — usually the LAN-side NIC of your PBX/SBC, not the management one.

    sudo tcpdump -D
  2.

    Capture SIP to a pcap

    The classic one-liner: UDP and TCP on 5060, plus TLS on 5061 (`port 5060` alone would already match both transports; add any non-standard ports your PBX or trunks use). `-s 0` captures whole packets, otherwise SIP messages with large bodies get cut off. `-w` writes raw libpcap format (.pcap; tcpdump does not write .pcapng), which every SIP analyzer reads.

    sudo tcpdump -i eth0 -s 0 -w /tmp/sip.pcap 'udp port 5060 or tcp port 5060 or tcp port 5061'
  3.

    Capture only one peer

    When the box talks to many endpoints, narrow by host to keep the pcap small and focused.

    sudo tcpdump -i eth0 -s 0 -w /tmp/sip-vendor.pcap 'host 203.0.113.42 and (udp port 5060 or tcp port 5060)'
  4.

    Rotate large captures

    For long captures, rotate by size and keep a fixed history. Combine `-C` (file size, in units of 1,000,000 bytes) with `-W` (number of files) for a ring buffer: the example below keeps 20 files of about 50 MB, named sip.pcap00 through sip.pcap19, and overwrites the oldest once all 20 exist.

    sudo tcpdump -i eth0 -s 0 -C 50 -W 20 -w /tmp/sip.pcap 'port 5060 or port 5061'
  5.

    Quick eyeball without writing a file

    Need to confirm SIP is even on the wire? `-nn` keeps addresses and ports numeric (no DNS or service-name lookups) and `-A` prints each payload as ASCII, so you can watch INVITE / 200 OK fly by. Stop as soon as you've seen what you need and switch to `-w`; a screen dump is no substitute for a pcap.

    sudo tcpdump -i eth0 -nn -A 'port 5060'

Tips from people who've done this 1,000 times

  • Always pass `-s 0` (or omit `-s` on modern tcpdump, where the default snaplen is 262144 bytes). Old builds defaulted to 68 or 96 bytes, which cuts a SIP message off after its first line
  • Use `-vvv` plus `-X` for hex+ASCII dumps when you suspect non-printable characters in headers
  • `tcpdump -r file.pcap -w sip-only.pcap 'port 5060 or port 5061'` slims an existing fat capture without Wireshark
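Before handing a pcap from step 2 or 3 to a colleague, check that it actually holds whole SIP messages (the `-s 0` point above) and nothing got lost to IP fragmentation. The reader below is an added example, not code from this guide, from SIP Flow or from tcpdump: it walks a libpcap file, prints one line per SIP packet, flags packets whose captured length is shorter than their wire length, and keeps non-first IP fragments so a split INVITE shows up. The sample capture is constructed inside the script; its addresses, ports and the 60-byte cut are invented for illustration.

```python
"""Sanity-check a tcpdump SIP capture before handing it off (added example, not
code from the guide or from SIP Flow). Reads the libpcap format tcpdump -w
writes, pulls SIP start lines from UDP/TCP 5060, flags snaplen-truncated packets,
and keeps non-first IP fragments. IPv4 over Ethernet/802.1Q and Linux cooked
capture (-i any) only; no pcapng, no TLS, no TCP stream reassembly."""
import struct
import sys
from ipaddress import IPv4Address

DLT_EN10MB, DLT_LINUX_SLL = 1, 113
SIP_PORTS = {5060}  # add non-standard trunk ports here

def _strip_link(frame, linktype):
    # Return (ethertype, bytes after the link-layer header).
    if linktype == DLT_EN10MB:
        ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
        if ethertype == 0x8100:  # 802.1Q tag: the real ethertype sits 4 bytes later
            ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
        return ethertype, frame[off:]
    if linktype == DLT_LINUX_SLL:  # `-i any`: 16-byte cooked header, no MACs, no VLAN tag
        return struct.unpack("!H", frame[14:16])[0], frame[16:]
    raise ValueError(f"unsupported link type {linktype}")

def parse_pcap(blob):
    """Return one dict per packet on a SIP port, plus one per non-first IP fragment."""
    end = "<" if blob[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    if struct.unpack(end + "I", blob[:4])[0] not in (0xA1B2C3D4, 0xA1B23C4D):
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    linktype = struct.unpack(end + "I", blob[20:24])[0]
    records, pos = [], 24
    while pos + 16 <= len(blob):
        caplen, origlen = struct.unpack(end + "II", blob[pos + 8:pos + 16])
        frame, pos = blob[pos + 16:pos + 16 + caplen], pos + 16 + caplen
        if len(frame) < caplen:
            break  # file ends mid-packet: tcpdump was killed before it flushed
        ethertype, ip = _strip_link(frame, linktype)
        if ethertype != 0x0800 or len(ip) < 20:
            continue  # IPv6, ARP, etc. are out of scope here
        rec = {"src": str(IPv4Address(ip[12:16])), "dst": str(IPv4Address(ip[16:20])),
               "start_line": None, "truncated": caplen < origlen,
               "fragment": (struct.unpack("!H", ip[6:8])[0] & 0x1FFF) != 0}
        if rec["fragment"]:
            records.append(rec)  # no UDP header here, so a plain `port 5060` filter drops it
            continue
        proto, l4 = ip[9], ip[(ip[0] & 0x0F) * 4:]
        if proto == 17 and len(l4) >= 8:
            payload = l4[8:]
        elif proto == 6 and len(l4) >= 20:
            payload = l4[(l4[12] >> 4) * 4:]  # TCP data offset
        else:
            continue
        sport, dport = struct.unpack("!HH", l4[:4])
        if not ({sport, dport} & SIP_PORTS) or not payload:
            continue
        first = payload.split(b"\r\n", 1)[0].decode("latin-1", "replace")
        if first.startswith("SIP/2.0 ") or first.endswith(" SIP/2.0"):
            rec["start_line"] = first
        rec["src"], rec["dst"] = f"{rec['src']}:{sport}", f"{rec['dst']}:{dport}"
        records.append(rec)
    return records

def ladder(records):
    """One text line per record, roughly in SIP-ladder style."""
    out = []
    for r in records:
        what = r["start_line"] or ("IP fragment, no transport header" if r["fragment"] else "non-SIP bytes")
        out.append(f"{r['src']} -> {r['dst']}  {what}" + ("  [TRUNCATED: re-capture with -s 0]" if r["truncated"] else ""))
    return out

def _udp_frame(src, dst, sport, dport, payload, frag_word=0):
    # Constructed sample frame (not a real trace): Ethernet + IPv4 + UDP, checksums zeroed.
    # frag_word != 0 builds a bare later fragment: IP header followed directly by data.
    l4 = payload if frag_word else struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 7, frag_word, 64, 17, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed) + l4
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip

def build_pcap(frames, linktype=DLT_EN10MB):
    """Little-endian libpcap file; each item is (frame_bytes, caplen or None for the full frame)."""
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, linktype)
    for i, (frame, caplen) in enumerate(frames):
        cut = frame if caplen is None else frame[:caplen]
        blob += struct.pack("<IIII", 1700000000 + i, 0, len(cut), len(frame)) + cut
    return blob

INVITE = b"INVITE sip:bob@203.0.113.42 SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.10:5060\r\n\r\n"
OK200 = b"SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 192.0.2.10:5060\r\nContent-Length: 0\r\n\r\n"
SAMPLE_PCAP = build_pcap([  # constructed sample: invented hosts, a 60-byte cut, a 2nd fragment
    (_udp_frame("192.0.2.10", "203.0.113.42", 5060, 5060, INVITE), None),
    (_udp_frame("203.0.113.42", "192.0.2.10", 5060, 5060, OK200), 60),  # as if captured with -s 60
    (_udp_frame("192.0.2.10", "203.0.113.42", 0, 0, b"a=rtpmap:0 PCMU/8000\r\n", 185), None),  # offset 1480
])

if __name__ == "__main__":
    recs = parse_pcap(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP)
    print("\n".join(ladder(recs)))
```

Run it with no arguments to see the constructed sample, or pass the path of a real `-w` file. A `[TRUNCATED]` tag on any line means the capture was taken with too small a snaplen and should be redone with `-s 0`; an "IP fragment" line with no matching follow-up in the analyzer means the capture filter let a first fragment through but dropped the rest.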

Pitfalls

  • On Linux, capturing on a `bond` or `br` device may double-count or miss frames; capture the underlying NIC
  • tcpdump can't decrypt TLS. A 5061 capture holds only TLS records; Wireshark can decrypt them only with the server's RSA private key on a non-forward-secret cipher suite or with a TLS key log, which most SIP stacks don't produce. Capture on the box that terminates TLS (its SIP debug log shows the cleartext), or pull the post-decryption trace from the SBC
  • Large INVITEs (big SDP, several Via headers) can exceed the MTU and fragment at the IP layer. Only the first fragment carries the UDP header, so a `port 5060` filter silently drops the rest and the message arrives incomplete in Wireshark. When you suspect this, add a clause matching non-first fragments (`ip[6:2] & 0x1fff != 0`) to the filter
  • On Debian/Ubuntu, tcpdump drops root to the `tcpdump` user before opening the `-w` file, so writing into /root or another root-only directory fails with "Permission denied". Write to /tmp as in the examples, or pass `-Z root`
  • macOS `pktap` interfaces sometimes need `-i any` to see all SIP; on Linux `-i any` uses cooked capture (DLT_LINUX_SLL), which drops the Ethernet header, so VLAN tags and MAC addresses are gone from the pcap

Got the trace? Render the ladder.

Drop your tcpdump export into SIP Flow and we'll render the call flow, surface RFC issues, and (optionally) ask SipFlow AI to explain what went wrong, all client-side by default.
