How to: Listen to and extract audio from a Wireshark trace

So you have yourself a Wireshark trace of a call with audio issues.

If you don't know how to capture a Wireshark trace from an MBG, take a look at this post. It needs updating, which I will do hopefully soon.

You have narrowed it down to the relevant time period by following this post and you want to listen to the audio.

But if it’s not a SIP call, this is not as easy as choosing “Telephony/VoIP Calls”.

This is what I have found so far. I am not saying it's the best way or the quickest way. I am definitely not a Wireshark expert!

The way I have been listening to these calls is by using the option in Wireshark to “decode as…”

I decode the UDP streams as RTP and then use the “RTP analyser” to play back and then export the audio as an “AU” file.

In the filter bar, type “udp.stream == 0”

Filter for udp.stream zero

Wireshark will then only display UDP packets for that stream.

Right click on any line in the trace and choose “decode as…”

Right click, then choose “Decode as…”

In the window that pops up, find the “Current” field on the new line and change it from “none” to “RTP”.

Change to RTP

Now wait for Wireshark to do its bit. You will see the progress bar at the bottom filling up. This takes a long time on large PCAP files.

Progress bar

Now choose Telephony/RTP/Stream Analysis

Below is what pops up. In the right-hand window, click “Play streams”. The window on the left then pops up. You can then press play to listen to the audio in Wireshark.

Or, if you would like to save the audio to play back in an audio player such as “Media player”, choose “Save”.

The file will be in the audio format “AU”. To convert to the more popular and smaller MP3 you can use this online tool – https://convertio.co/
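As an alternative to an online converter, the saved AU file can be converted on your own machine, so the call recording never leaves it. This is an added example, not part of the original post: it writes WAV instead of MP3 (swapped in because it needs only the Python standard library), the function names are illustrative, and it assumes the AU file holds G.711 mu-law, G.711 A-law or 16-bit linear PCM audio.

```python
import io, struct, sys, wave

AU_MAGIC = 0x2E736E64  # ".snd", the first four bytes of every AU file

def ulaw_to_pcm(b):
    """G.711 mu-law byte -> signed 16-bit sample."""
    b = ~b & 0xFF
    t = (((b & 0x0F) << 3) + 0x84) << ((b & 0x70) >> 4)
    return 0x84 - t if b & 0x80 else t - 0x84

def alaw_to_pcm(b):
    """G.711 A-law byte -> signed 16-bit sample."""
    b ^= 0x55
    t, seg = (b & 0x0F) << 4, (b & 0x70) >> 4
    t = t + 8 if seg == 0 else (t + 0x108) << (seg - 1)
    return t if b & 0x80 else -t

def au_to_wav(au):
    """Convert the bytes of an AU file to the bytes of a 16-bit PCM WAV file."""
    if len(au) < 24:
        raise ValueError("too short for an AU header")
    # Header: six big-endian 32-bit words.
    magic, offset, size, enc, rate, chans = struct.unpack(">6I", au[:24])
    if magic != AU_MAGIC or offset < 24:
        raise ValueError("not an AU file")
    # A size of 0xFFFFFFFF means "unknown": take everything after the header.
    data = au[offset:] if size == 0xFFFFFFFF else au[offset:offset + size]
    if enc == 1:                                   # 8-bit G.711 mu-law
        samples = [ulaw_to_pcm(b) for b in data]
    elif enc == 27:                                # 8-bit G.711 A-law
        samples = [alaw_to_pcm(b) for b in data]
    elif enc == 3:                                 # 16-bit linear PCM, big-endian
        n = len(data) // 2
        samples = struct.unpack(">%dh" % n, data[:2 * n])
    else:
        raise ValueError("unsupported AU encoding %d" % enc)
    out = io.BytesIO()
    with wave.open(out, "wb") as w:
        w.setnchannels(chans)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return out.getvalue()

# Constructed sample: 24-byte header (mu-law, 8000 Hz, mono) plus four payload bytes.
SAMPLE_AU = struct.pack(">6I", AU_MAGIC, 24, 4, 1, 8000, 1) + bytes([0xFF, 0x00, 0x80, 0x7F])

if __name__ == "__main__":
    if len(sys.argv) == 3:                         # usage: script.py call.au call.wav
        with open(sys.argv[1], "rb") as src, open(sys.argv[2], "wb") as dst:
            dst.write(au_to_wav(src.read()))
    else:
        print(len(au_to_wav(SAMPLE_AU)), "bytes of WAV from the constructed sample")
```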

This is me performing the above steps

Watch me do it instead

Now, if you listen to udp.stream 0 and it is not the call you were expecting, it is very possible that you captured multiple calls in the trace.

Simply repeat the above steps with udp.stream==1, then 2, then 3, etc. instead of zero.

Possible issues/challenges

If you are trying to listen to a UDP stream on the outside of the MBG (teleworker server to remote phone), you will find the audio is encrypted and won't play back. The inside UDP stream of the same call will be unencrypted.

To turn encryption off before running the Wireshark capture, you need to add some config to the MBG.

For MBG/SRC (if using Direct Recording or Teleworker sets)
Add an override System Configuration>Overrides

  • Filename = tug.ini
  • Section = mbg
  • Parameter = disable_srtp
  • Content = 1
  • Restart tug (MBG Service)

After testing, disable the override and restart tug again to re-enable encryption.

Hope all this makes sense and helps someone. I know it will help me when I have forgotten it in 6 months' time.
