How to capture a SIP trace with tshark

Tags: CLI tools, .pcap, .pcapng, .txt

`tshark` is Wireshark's command-line sibling. It uses the same dissectors and capture filters as Wireshark, but runs headless, so it's the right tool for grabbing a clean SIP pcap from a server you can only reach over SSH.

When to reach for this

  • You can SSH into the box that sees the SIP traffic but can't run a GUI
  • You want Wireshark-grade dissection on a remote capture
  • You're scripting capture into CI, a cron job, or a runbook

Before you start

  • `tshark` installed (`apt install tshark` / `dnf install wireshark-cli` / `brew install wireshark`)
  • Root, or the `cap_net_raw`/`cap_net_admin` capabilities on `dumpcap` (on Debian/Ubuntu, run `sudo dpkg-reconfigure wireshark-common`, then add your user to the `wireshark` group and log in again)
  • You know which interface the SIP traffic crosses (`ip -br a`)

Steps

  1. List capture interfaces

    Confirm the device you want to sniff before you start. Don't guess: the wrong interface is the #1 cause of a "tshark captured nothing" ticket.

    tshark -D

  2. Live-capture SIP to a pcap

    Capture on the chosen interface with a kernel-level BPF filter so the file stays small. The standard SIP ports are 5060 for UDP and TCP and 5061 for TLS; if your deployment signals on other ports, add them to the filter. This captures signalling only (no RTP media), and anything on 5061 is still TLS-encrypted in the file. Ctrl-C when you're done.

    sudo tshark -i eth0 -f 'udp port 5060 or tcp port 5060 or tcp port 5061' -w /tmp/sip-capture.pcap

  3. Auto-rotate so long captures don't blow up the disk

    For overnight captures, use a ring buffer of N files. `filesize:` is in kB, so 50000 is roughly 50 MB per file; tshark deletes the oldest file as new ones fill up and names each piece like sip_<seq>_<timestamp>.pcap.

    sudo tshark -i eth0 -f 'udp port 5060 or tcp port 5060' -b filesize:50000 -b files:10 -w /tmp/sip.pcap

  4. Read an existing pcap and pull out SIP only

    Use a *display* filter (`-Y`) to slim a fat pcap down to just SIP. `-w` writes the matched packets to a new file you can drop into SIP Flow. For SIP over TCP add `-2` (two-pass analysis) so the TCP segments a reassembled message depends on are written as well.

    tshark -r /tmp/full.pcap -Y 'sip' -w /tmp/sip-only.pcap

  5. Print SIP messages as text

    For a quick eyeball before opening SIP Flow, dump SIP packets with full message bodies straight to the terminal. `-V` expands every layer; `-O sip` expands only the SIP layer and keeps the rest to one line each. Redirect to a file and SIP Flow will parse it as a text trace.

    tshark -r /tmp/sip-capture.pcap -Y sip -V > /tmp/sip-trace.txt
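The five steps above as one script a runbook, CI job or cron entry can call. This is an added example, not code from the SIP Flow page. It assumes (none of this is stated on the page) that `tshark` and `mergecap` are on PATH, that the caller is allowed to capture (root or dumpcap capabilities), and that the capture is bounded with `-a duration:` so no Ctrl-C is needed; the helper names `sip_capture_filter`, `ring_buffer_args`, `interface_known` and `capture_sip` are mine.

```bash
#!/usr/bin/env bash
# Added example (not from the SIP Flow page): steps 1-5 as one script.
# Assumptions: tshark/mergecap on PATH, capture rights already granted,
# bounded run via -a duration: instead of Ctrl-C.
set -eu

# Build the kernel BPF capture filter (-f) from "udp:PORT"/"tcp:PORT" specs.
# Example: sip_capture_filter udp:5060 tcp:5060 tcp:5061
sip_capture_filter() {
    local spec proto port expr=""
    for spec in "$@"; do
        proto=${spec%%:*}
        port=${spec##*:}
        case "$proto" in
            udp|tcp) ;;
            *) echo "bad transport in '$spec' (use udp:PORT or tcp:PORT)" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "bad port in '$spec'" >&2; return 1 ;;
        esac
        expr="${expr:+$expr or }$proto port $port"
    done
    printf '%s\n' "$expr"
}

# Turn "N files of M MB" into tshark ring-buffer flags. tshark's filesize:
# is in kB, so 50 MB per file is filesize:50000 (the values used in step 3).
ring_buffer_args() {
    local files=$1 mb_per_file=$2
    printf '%s\n' "-b filesize:$((mb_per_file * 1000)) -b files:$files"
}

# True if `tshark -D` lists the interface ("N. name (description)" per line).
interface_known() {
    tshark -D 2>/dev/null | awk '{print $2}' | grep -qx -- "$1"
}

# capture_sip IFACE OUTDIR SECONDS: ring-buffer capture, then a SIP-only pcap
# and a text trace for SIP Flow.
capture_sip() {
    local iface=$1 outdir=$2 seconds=$3 filter
    interface_known "$iface" || { echo "unknown interface: $iface (check tshark -D)" >&2; return 1; }
    mkdir -p "$outdir"
    filter=$(sip_capture_filter udp:5060 tcp:5060 tcp:5061)

    # Steps 2+3: kernel-filtered capture into a ring of 10 x 50 MB files.
    # tshark names the pieces <prefix>_<seq>_<timestamp>.pcap.
    # shellcheck disable=SC2046  # the -b flags are meant to be word-split
    tshark -i "$iface" -f "$filter" $(ring_buffer_args 10 50) \
        -a "duration:$seconds" -w "$outdir/sip.pcap"

    # Step 4: merge the pieces, then keep SIP only. -2 (two-pass) makes tshark
    # also write the TCP segments a reassembled SIP message depends on.
    mergecap -w "$outdir/merged.pcap" "$outdir"/sip_*.pcap
    tshark -2 -r "$outdir/merged.pcap" -Y sip -w "$outdir/sip-only.pcap"

    # Step 5: full-dissection text dump for a quick eyeball or a text import.
    tshark -r "$outdir/sip-only.pcap" -Y sip -V > "$outdir/sip-trace.txt"
    echo "wrote $outdir/sip-only.pcap and $outdir/sip-trace.txt"
}

# Usage: ./sip-capture.sh eth0 /tmp/sipcap 600
if [ "$#" -eq 3 ]; then
    capture_sip "$@"
fi
```

The filter builder refuses anything but `udp:`/`tcp:` plus a numeric port, so a typo in a runbook variable fails loudly instead of producing a BPF expression that silently captures nothing; the interface check does the same for step 1.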

Tips from people who've done this 1,000 times

  • `-Y 'sip.CSeq.method == "INVITE"'` keeps the INVITE transactions (the requests plus every response to them), which is the call setup you want for triage; `sip.Method == "INVITE" or sip.Status-Code` also matches responses to REGISTER, BYE and everything else
  • For TLS on 5061, point `-o tls.keylog_file:/path/to/sslkeys.log` at a Wireshark-format keylog file. The log has to come from one of the endpoints; a server private key alone does not decrypt sessions that used ephemeral key exchange, and TLS 1.3 always does
  • Combine with `editcap` to slice a pcap by time range (`-A <start> -B <stop>`; `editcap -h` gives the timestamp format) before sending it upstream
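The INVITE-only display filter above answers one question for one call at a time. As an added example (not from the SIP Flow page), here is the same triage done over every call in a capture at once: export the fields tshark already dissects, then summarise per Call-ID. The `sip.*`, `ip.*` and `frame.*` field names are Wireshark's; the rows in `sample_export` are constructed, not a real capture; the export assumes IPv4 (use `ipv6.src`/`ipv6.dst` otherwise); the function names are mine.

```bash
#!/usr/bin/env bash
# Added example, not from the SIP Flow page: per-call triage from a tshark
# field export. Field names are Wireshark's; sample rows are constructed.
set -eu

# One tab-separated line per SIP message. Requests carry sip.Method and an
# empty Status-Code; responses the reverse. sip.CSeq.method names the
# transaction a response belongs to (ACKs carry "ACK" there, per RFC 3261).
sip_export_fields() {
    tshark -r "$1" -Y sip -T fields -E separator=/t \
        -e frame.time_relative -e ip.src -e ip.dst \
        -e sip.Call-ID -e sip.CSeq.method -e sip.Method -e sip.Status-Code
}

tsv_row() { printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' "$@"; }

# Constructed stand-in for `sip_export_fields some.pcap`: an answered call,
# a busy call, a REGISTER, and an INVITE that never got a final response.
sample_export() {
    tsv_row 0.000 10.0.0.1 10.0.0.2 a1@pbx INVITE   INVITE   ""
    tsv_row 0.010 10.0.0.2 10.0.0.1 a1@pbx INVITE   ""       100
    tsv_row 0.500 10.0.0.2 10.0.0.1 a1@pbx INVITE   ""       180
    tsv_row 2.000 10.0.0.2 10.0.0.1 a1@pbx INVITE   ""       200
    tsv_row 2.010 10.0.0.1 10.0.0.2 a1@pbx ACK      ACK      ""
    tsv_row 3.000 10.0.0.1 10.0.0.2 b2@pbx INVITE   INVITE   ""
    tsv_row 3.010 10.0.0.2 10.0.0.1 b2@pbx INVITE   ""       100
    tsv_row 3.300 10.0.0.2 10.0.0.1 b2@pbx INVITE   ""       486
    tsv_row 3.310 10.0.0.1 10.0.0.2 b2@pbx ACK      ACK      ""
    tsv_row 4.000 10.0.0.3 10.0.0.2 c3@pbx REGISTER REGISTER ""
    tsv_row 4.010 10.0.0.2 10.0.0.3 c3@pbx REGISTER ""       200
    tsv_row 5.000 10.0.0.1 10.0.0.2 d4@pbx INVITE   INVITE   ""
    tsv_row 5.010 10.0.0.2 10.0.0.1 d4@pbx INVITE   ""       100
}

# stdin: field export. stdout: one line per call (a Call-ID that saw an INVITE):
#   <call-id> <caller> -> <callee> : <final INVITE status | no final response>
sip_call_summary() {
    awk -F'\t' '
        { cid = $4; cseq = $5; method = $6; code = $7 }
        !(cid in first) { order[++n] = cid; first[cid] = $2 " -> " $3 }
        method == "INVITE" { invite[cid] = 1 }
        cseq == "INVITE" && code != "" && code + 0 >= 200 { final[cid] = code }
        END {
            for (i = 1; i <= n; i++) {
                c = order[i]
                if (!(c in invite)) continue
                st = (c in final) ? final[c] : "no final response"
                printf "%s %s : %s\n", c, first[c], st
            }
        }'
}

# Calls worth a second look: 4xx/5xx/6xx finals and INVITEs still hanging.
sip_failed_calls() {
    sip_call_summary | awk '/ : [456][0-9][0-9]$/ || / : no final response$/'
}

# On a real file:  sip_export_fields /tmp/sip-capture.pcap | sip_failed_calls
# Demo on the constructed rows:
sample_export | sip_call_summary
```

Keying on `sip.CSeq.method` rather than `sip.Method` is what makes the summary correct: a `486 Busy Here` carries no Method field, and only the CSeq header tells you it answers the INVITE rather than a BYE or REGISTER on the same dialog.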

Pitfalls

  • Capture filter (`-f`) is BPF and runs in the kernel; display filter (`-Y`) is Wireshark-syntax and runs after capture. Don't mix them up
  • Don't shrink the snaplen for SIP: a short `-s` (say `-s 96`) truncates INVITEs with SDP bodies and the dissector reports them as malformed. The default snaplen already captures whole packets, so `-s 0` changes nothing. On a busy host the real loss is kernel drops; tshark prints the dropped-packet count when it stops, and `-B <MiB>` enlarges the capture buffer
  • Capturing on the `any` pseudo-interface, or on a bond or bridge together with one of its member NICs, can record the same frame twice; capture one specific interface, or run `editcap -d` on the result to drop the duplicates

Got the trace? Render the ladder.

Drop your tshark export into SIP Flow and we'll render the call flow, surface RFC issues, and (optionally) ask SipFlow AI to explain what went wrong, all client-side by default.
