9.2. Playing VoIP Calls

The tool for playing VoIP calls is called RTP Player. It shows RTP streams and its waveforms, allows play stream and export it as audio or payload to file. Its capabilities depend on supported codecs.

9.2.1. Supported codecs

RTP Player is able to play any codec supported by an installed plugin. The codecs supported by RTP Player depend on the version of Wireshark you’re using. The official builds contain all of the plugins maintained by the Wireshark developers, but custom/distribution builds might not include some of those codecs. To check your Wireshark installation’s installed codec plugins, do the following:

  • Open HelpAbout Wireshark window
  • Select the Plugins tab
  • In the Filter by type menu on the top-right, select codec

Figure 9.1. List of supported codecs

ws about codecs

9.2.2. Work with RTP streams - Playlist

Wireshark can be used for RTP stream analysis. User can select one or more streams which can be played later. RTP Player window maintains playlist (list of RTP streams) for this purpose.

Playlist is created empty when RTP Player window is opened and destroyed when window is closed. RTP Player window can be opened on background when not needed and put to front later. During its live, playlist is maintained.

When RTP Player window is opened, playlist can be modified from other tools (Wireshark windows) in three ways:

  • button Play StreamsSet playlist clears existing playlist and adds streams selected in the tool.
  • button Play StreamsAdd to playlist adds streams selected in the tool to playlist. Duplicated streams are not inserted again.
  • button Play StreamsRemove from playlist removes streams selected in the tool from playlist, if they are in the playlist.

Figure 9.2. Play Streams button with opened action menu

ws tel rtp player button

Play Streams button can be clicked directly and opens RTP Player window directly with Set playlist action. All actions can be selected with the small down arrow next to the button.

When the playlist is empty, there is no difference between Set playlist and Add to playlist. When the RTP Player window is not opened, all three actions above open it.

Remove from playlist is useful e.g. in case user selected all RTP streams and wants to remove RTP streams from specific calls found with VoIPCalls.

Tools below can be used to maintain content of playlist, they contain Play Streams button. You can use one of procedures (Note: Add to playlist action is demonstrated):

  • Open TelephonyRTPRTP Streams window, it will show all streams in the capture. Select one or more streams and then press Play Streams. Selected streams are added to playlist.
  • Select any RTP packet in packet list, open TelephonyRTPStream Analysis window. It will show analysis of selected forward stream and its reverse stream (if Ctrl is pressed during window opening). Then press Play Streams. Forward and reverse stream is added to playlist.

    • RTP Stream Analysis window can be opened from other tools too.
  • Open TelephonyVoIP Calls or TelephonySIP Flows window, it will show all calls. Select one or more calls and then press Play Streams. It will add all RTP streams related to selected calls to playlist.
  • Open Flow Sequence window in TelephonyVoIP Calls or TelephonySIP Flows window, it will show flow sequence of calls. Select any RTP stream and then press Play Streams. It will add selected RTP stream to playlist.

Figure 9.3. Tools for modifying playlist in RTP Player window

ws tel playlist


Same approach with set/add/remove actions is used for RTP Stream Analysis window. The playlist is there handled as different tabs in the window, see RTP Stream Analysis window.

9.2.3. Playing audio during live capture

Decoding RTP payload and showing waveforms is time consuming task. To speedup it RTP Player window uses copy of packet payload for all streams in the playlist. During live capture the dialog is not refreshed automatically as other Wireshark dialogs, but user must initiate it.

The copy is created or refreshed and dialog updated:

  • Every time window is opened.
  • Every time a new stream is added or set.
  • During live capture, when Refresh streams is pressed.
  • Every time live capture is finished/stopped by a user.

When capture file is opened (no live capturing), streams are read complete, no user action is required. Button Refresh streams is disabled as it is useless.

When live capture is running, streams are read only till "now" and are shown. When stream is continuous and user would like to see additional part, they must press Refresh stream. When the user ends live capture, view is refreshed and button is disabled.


RTP Player dialog stays open even live capture is stopped and then started again. Play list stays unchanged. Therefore, Refresh stream tries to read same streams as before and shows them if they are still running. Past part of them (from previous live capture) is lost.

9.2.4. RTP Decoding Settings

RTP is carried usually in UDP packets with random source and destination ports. Therefore, Wireshark can only recognize RTP streams based on VoIP signaling, e.g., based on SDP messages in SIP signaling. If signaling is not captured, Wireshark shows just UDP packets. However, there are multiple settings which help Wireshark recognize RTP even when there is no related signaling.

You can use Decode As…​ function from AnalyzeDecode As…​ menu or in mouse context menu. Here you can set that traffic on specific source or destination should be decoded as RTP. You can save settings for later use.

Use of Decode As…​ menu works fine, but is arduous for many streams.

You can enable heuristic dissector rtp_udp in AnalyzeEnabled Protocols…​. See Section 11.4, “Control Protocol Dissection” for details. Once rtp_udp is enabled, Wireshark tries to decode every UDP packet as RTP. If decoding is possible, packet (and entire UDP stream) is decoded as RTP.

When an RTP stream uses a well-known port, the heuristic dissector ignores it. So you might miss some RTP streams. You can enable setting for udp protocol PreferencesProtocolsudpTry heuristic sub-dissectors first, see Section 11.5, “Preferences”. In this case heuristics dissector tries to decode UDP packet even it uses a well-known port.


Take into account that heuristics is just simple "test" whether packet can be read as RTP. It can be false positive and you can see decoded as RTP more UDP packets than expected.

When you enable udpTry heuristic sub-dissectors first, it increases possibility of false positives. If you capture all traffic in network, false positives rate can be quite high.

RTP Player must store decoded data somewhere to be able to play it. When data are decoded, there are audio samples and dictionary for fast navigation. Both types of data are stored in memory for default, but you can configure Wireshark to store it on disk. There are two settings:

  • ui.rtp_player_use_disk1 - When set to FALSE (default), audio samples are kept in memory. When set to TRUE, audio samples are stored on temporary file.
  • ui.rtp_player_use_disk2 - When set to FALSE (default), dictionary is kept in memory. When set to TRUE, dictionary is stored on temporary file.

When any data are configured to be stored on disk, one file is created for each stream. Therefore, there might be up to two files for one RTP stream (audio samples and dictionary). If your OS or user has OS enforced limit for count of opened files (most of Unix/Linux systems), you can see fewer streams that was added to playlist. Warnings are printed on console in this case and you will see fewer streams in the playlist than you send to it from other tools.

For common use you can use default settings - store everything in memory. When you will be out of memory, switch ui.rtp_player_use_disk1 to TRUE first - it saves much more memory than ui.rtp_player_use_disk2.

9.2.5. VoIP Processing Performance and Related Limits

Processing of RTP and decoding RTP voice takes resources. There are raw estimates you can use as guidelines…​

RTP Streams window can show as many streams as found in the capture. Its performance is limited just by memory and CPU.

RTP Player can handle 1000+ streams, but take into account that waveforms are very small and difficult to recognize in this case.

RTP Player plays audio by OS sound system and OS is responsible for mixing audio when multiple streams are played. In many cases OS sound system has limited count of mixed streams it can play/mix. RTP Player tries to handle playback failures and show warning. If it happens, just mute some streams and start playback again.

RTP Analysis window can handle 1000+ streams, but it is difficult to use it with so many streams - it is difficult to navigate between them. It is expected that RTP Analysis window will be used for analysis of lower tens of streams.