Getting Started With Lync and Wireshark: Tips & Quirks

Hopefully this can jump start those who are just starting to use wireshark and maybe give a tip or two to those of us that have been using it for some time. We’ll start by getting Wireshark setup to look at Lync traffic, then we’ll find a call.

Making sure Wireshark Detects RTP Packets

If you want to make sure RTP streams are detected as RTP (and not UDP) in Wireshark, goto Edit | Preferences | Protocols | RTP and enable “Try to decode RTP outside of conversations”


PowerTip: In most lists in Wireshark you can save time and scrolling by typing list value to jump to an entry. In the case of the “Protocol” just click the + and start typing the protocol you want to jump to. (in our case “SSL”). This works in many lists in Wireshark.


Making Sure Wireshark Detects All SIP Packets

To make sure SIP traffic that is not using port 5060 is detected as SIP goto Edit | Preferences | Protocols | SIP and in “SIP TCP Ports” enter your range of TCP ports.


Show Source and Destination Ports in Packet List Pane

So you can nicely see RTP ports being used for media you will likely want add Source & Destination port columns in the packet list. Goto Edit | Preferences | User Interface – Columns | Add

Destination Port and Source Port. To change the column Title you double click right on the title text in the grid. If you want to move the position of the column


Now you will have the Ports in your packet list panel.


Change the Time Date Format to Your Preference


Finding a Call or Invite

There are several ways to find a call

  • Filter for the phone number or invites
  • Use the VoIP Calls and Flow window

Using the filter method you can just search for the phone number using something like: sip contains “8005551212:”

Or you can use the VoIP Calls window by going Telephony | VoIP Calls.  (Wireshark will take some time to Recalculate the statistic…)

Now you can visually pick out the call by phone number or caller name.


Now you can click Flow to see the SIP “ladder”


If you click on a line, the packet will be centered and highlighted in the Wireshark packet list window. (you may need to click on it to show packet details in some scenarios)

Listening to Unencrypted Call

At this point we can listen to the call by clicking on “Player”. The RTP player dialog will popup and you click “Decode”


Now select the two sides of RTP media and click “Play”


The RTP player is not your smooth user interface MP3 player software. It has several quirks I’ve noticed:

  • When it reaches the end of the audio the Pause and Stop buttons are still enabled even though they are not relevant. You need to press Stop then Play again to Play again.
  • If you want to start playing part way through the RTP stream there is no Selector, just click and have faith that you clicked the correct place. There is not always a distinct line where the audio is at when you start playing in the middle…
  • If you start playing from the beginning there will be light lines (shown below) indicating what has been already played. You can click “Pause”.


NOTE: In the above RTP player stream you will notice a yellow line with a “W”. What does this mean? (source)

  • D = Dropped by jitter
  • W = Wrong timestamp
  • S = Silence inserted

How to Save Audio

You can save the audio of an RTP stream. Just select a packet of the RTP stream in the Wireshark packet list and then goto Telephony | RTP | Stream Analysis


The RTP Stream Analysis window will be shown.


Now click “Save Payload”. Type in a name of the file, along with .AU extension. (the .AU extension is not automatically added). Also check “.au” and “both” and “OK” to save.


You can double click on the resulting file and play back using Windows Media player.


How to Filter SIP Traffic for One Call

Select the SIP INVITE of the call you want to isolate. In the MESSAGE HEADER of the SIP INVITE select the Call-ID entry and right click | Prepare a Filter | Selected


In the Filter you will now see something that looks like the below:


sip.Call-ID == "305ec9e7-d9ae-437c-b20a-58333d919ce2"

Adding Media

In the SDP of the INVITE and the PROGRESS or OK you will find the port numbers you need to filter for:


Now add "or udp.port == 56789 or udp.port == 6600” ,replacing highlight with your call RTP/UDP ports so that complete filter looks like:

sip.Call-ID == "305ec9e7-d9ae-437c-b20a-58333d919ce2" or udp.port == 56789 or udp.port == 6600

Now to save just this call: File | Export Specified Packets


Common Filters
  • sip contains “INVITE sip:”
  • sip.Call-ID == “
  • udp.port == 56789 or udp.port == 6600
  • ip.addr ==
  • tcp.port eq 5061
  • udp.dstport == 10150 or tcp.dstport == 10150
    • destination port regardless of protocol/tcp-udp
Investigating BYE’s

Ended Normally by PRI/ISDN Channel


By Lync user


Random Tips

Sometimes the call flow window has black on black colors for some reason. Just click on a particular packet to see it.


Other Great Wireshark/Lync Posts:

Jeff Schertz Tips:

Lync Dialog:


Wireshark / Lync Tools:

Related to VoIP and Ethernet:


  1. Hi Matt,

    I followed the article however I am not able to see RTP stream being captured in lync audio call. I have taken trace on client and front end server. Can you kindly let me know how can i get the audio capture from lync using wireshark. I have also posted the question technet lync forum

  2. Hi Matt,

    I am not able to capture the call in wireshark. I called a DID number from my Lync client and tried to trace out RTP packet but I am not finding it. Please suggest.