If we want to get a TCP Dump of everything on port 5060 we can use the following command.  This will create a file called capture.pcap in the tmp directory of everything on port 5060. If the file is bigger than 50MB it will start another file.
tcpdump -s0 -w/tmp/capture.pcap -C50 udp and port 5060

If we wanted to limit it to a specific IP address, like a phone or SIP carrier, we could do:
tcpdump -s0 -w/tmp/capture.pcap -C50 udp and port 5060 and host 129.33.194.122

To easily view the SIP transaction, load the PCAP into wireshark and goto Telephony -> VoIP Calls. Then select the session you want to look at and click “Flow.”  If you’ve captured the RTP traffic (Option: -T rtp), you may be able to play the audio of the call as well.

Run tcpdump in the background from a screen session so you can disconnect while it runs. This also tags the file name with the host name and timestamp.
screen -dm tcpdump -s0 -w/tmp/capture-dep`hostname -s`-`date +%Y%m%d-%H%M%Z`.pcap -C150 udp and port 5060
No labels