Capture and Analyse Voice Network Traffic Using Wireshark


Overview

Wireshark is a free, open-source network protocol analyzer that lets you capture and review network traffic on the machine where it is installed. By analyzing this traffic, you can understand how data flows between the agent, Sprinklr, and provider media servers, and diagnose issues such as poor call quality or failed connections.

Wireshark saves captured network traffic in PCAP (Packet Capture) files. These files can be shared with your network or voice team, or with Sprinklr Support, to investigate voice-related issues.

This article explains how contact center supervisors, network engineers, and support teams can:

  • Capture a PCAP using Wireshark

  • Identify the correct network interface

  • Analyze WebRTC-related traffic such as STUN, DTLS, RTP, and RTCP

To get started, download Wireshark from the Wireshark official site.

Common Use Cases

You can use Wireshark PCAP captures to investigate:

  • RTP media stream issues

    • Diagnose packet loss that causes choppy, delayed, or one-way audio.

  • Network connectivity issues

    • Check whether calls are failing due to blocked or unstable network paths.

  • STUN/TURN communication problems

    • Verify whether WebRTC can reach STUN (Session Traversal Utilities for NAT) and TURN (Traversal Using Relays around NAT) servers.

  • TLS/DTLS handshakes

    • Confirm secure handshake negotiation for encrypted media sessions.

  • Traffic routing and delays

    • Validate where traffic is going and whether latency or routing issues may be impacting call quality.

Capture a PCAP Using Wireshark for Voice Issues

1. Open Wireshark on the machine where you want to capture traffic.

You will see the Wireshark home screen listing available network interfaces (for example, Wi‑Fi or Ethernet). Each interface shows a moving activity graph representing live traffic.

In the example above, the system is connected over Wi‑Fi using the en0 interface, which is the primary wireless interface. If an Ethernet connection is active, it appears as a separate interface with its own activity line.

2. Understand Common Network Interfaces in Wireshark

Wireshark displays interfaces using system codes. Some common ones include:

  • en0 – Primary Wi‑Fi interface, typically the active wireless connection

  • en1, en2 – Additional Ethernet or network interfaces

  • utun0, utun1 – Virtual tunnel interfaces, often used by VPNs

  • lo0 – Loopback interface used for internal system communication

  • awdl0 – Apple Wireless Direct Link, used by features like AirDrop

  • bridge0 – Network bridge interface that connects multiple interfaces

For most agent machines, you will typically capture traffic on en0 (Wi‑Fi) or the active Ethernet interface.

3. Start Capturing Traffic

  1. On the home screen, select the network interface you want to capture from (for example, en0).

  2. Wireshark starts capturing traffic on that interface.

Each row represents a network packet, with columns showing:

  • Time – When the packet was captured

  • Source – IP address sending the packet

  • Destination – IP address receiving the packet

  • Protocol – Type of traffic (for example, TCP, UDP, STUN, DTLS, RTP)

  • Info – Brief description of the packet

New packets will continue to appear as long as capture is running.

With capture running, reproduce the issue:

  • Place a call in Sprinklr

  • Perform the steps that lead to audio or connectivity problems

4. Stop and Save the Capture

  1. After reproducing the issue, click the Stop Capture button at the top.

  2. To save the captured packets:

    • Go to File > Save As.

    • In the Save Capture As dialog, enter a file name.

    • Click Save.

The file is saved as a PCAP (or .pcapng) file, which you can share with your network team or Sprinklr Support.

5. Start a New PCAP (Optional)

To capture a new session:

  • Restart the Wireshark application, or

  • Click the Start Capture button again from the toolbar to begin a fresh capture.

Analyze PCAP Files for Voice and WebRTC

Once you have a PCAP, you can filter and analyze specific WebRTC-related protocols used by Sprinklr Voice and provider media servers.

STUN Traffic

STUN (Session Traversal Utilities for NAT) is used by WebRTC to discover public IP/port mappings and maintain connectivity.

  • Use the stun filter in Wireshark to show only STUN packets.

STUN packets typically appear in request–response pairs. You can identify them using the Transaction ID field.

These exchanges help confirm that the agent’s device can reach STUN servers and maintain WebRTC connectivity.
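The request–response pairing described above can also be checked outside the GUI. The following is an added example, not part of the original article or any Sprinklr tooling: it parses the 20-byte STUN header (RFC 5389) from raw UDP payloads and reports transaction IDs that never received a response. The function names and the sample payloads are constructed for illustration.

```python
import struct

MAGIC_COOKIE = 0x2112A442  # fixed value carried in every RFC 5389 STUN header
CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}

def parse_stun(payload: bytes):
    """Return (class_name, transaction_id), or None if the payload is not STUN."""
    if len(payload) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    # Top two bits must be zero, cookie must match, length must fit the datagram.
    if msg_type & 0xC000 or cookie != MAGIC_COOKIE or length != len(payload) - 20:
        return None
    # The class is split across two non-adjacent bits of the message type.
    cls = ((msg_type & 0x0100) >> 7) | ((msg_type & 0x0010) >> 4)
    return CLASSES[cls], payload[8:20]

def unanswered_requests(payloads):
    """Pair requests with responses by Transaction ID; return IDs left unanswered."""
    pending = {}
    for index, payload in enumerate(payloads):
        parsed = parse_stun(payload)
        if parsed is None:
            continue  # DTLS or RTP sharing the same UDP port is skipped
        cls, tid = parsed
        if cls == "request":
            pending.setdefault(tid, index)  # retransmissions reuse the same ID
        elif cls in ("success", "error"):
            pending.pop(tid, None)
    return [tid.hex() for tid in pending]

def _stun(msg_type, tid, attrs=b""):
    # Helper that builds constructed sample messages (not captured traffic).
    return struct.pack("!HHI", msg_type, len(attrs), MAGIC_COOKIE) + tid + attrs

SAMPLE = [
    _stun(0x0001, b"A" * 12),             # Binding request
    _stun(0x0101, b"A" * 12, bytes(12)),  # Binding success response
    _stun(0x0001, b"B" * 12),             # Binding request, never answered
    _stun(0x0001, b"B" * 12),             # retransmission of the same request
    b"\x80\x00" + bytes(30),              # RTP-like datagram, not STUN
]

if __name__ == "__main__":
    print(unanswered_requests(SAMPLE))
```

Requests that stay unanswered after several retransmissions point to a blocked or filtered path to the STUN or TURN server.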

DTLS Handshake

DTLS (Datagram Transport Layer Security) is used to exchange encryption keys between peers and secure media traffic.

  • Use the dtls filter to view DTLS traffic.

The first few highlighted DTLS messages form the handshake sequence. A complete, successful handshake indicates that secure communication has been established between the two WebRTC endpoints.

RTP and RTCP Media Streams

RTP (Real-time Transport Protocol) carries the actual audio media.

RTCP (RTP Control Protocol) carries control information and quality metrics about the media stream.

To analyze RTP/RTCP:

  1. Identify the relevant IP addresses and ports used for media.

    • You can obtain these from Sprinklr’s Voice Debug Console or session logs.

  2. In Wireshark, click any packet that belongs to the suspected UDP media stream.

  3. Right-click the packet and select Follow > UDP Stream to view all packets in that transport flow.

Decoding Encrypted RTP as RTP

When RTP packets are encrypted, Wireshark initially displays them as generic UDP packets. However, the DTLS-keyed encryption (SRTP) does not encrypt RTP headers, so you can still decode the stream as RTP for analysis.

  1. Right-click one of the UDP packets in the media stream.

  2. Select Decode As…

  3. In the Decode As dialog:

    • In the Current column, select RTP for the chosen port (for example, source port 51309).

  4. Click OK.

Wireshark then decodes UDP packets from that port as RTP packets, allowing you to inspect:

  • Sequence numbers

  • Jitter

  • Packet loss patterns

You can also use the srtcp filter to view Secure RTCP (SRTCP) packets if they are present in the capture.
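Because the RTP header stays readable, sequence numbers and timestamps are enough to compute loss and jitter without decrypting anything. The following is an added example, not part of the original article: it reads the RTP header from UDP payloads of one media flow, counts lost packets across a sequence-number wrap, and applies the RFC 3550 interarrival jitter estimator. The 48000 Hz clock rate, the payload type, the SSRC and the sample packets are assumptions constructed for illustration.

```python
import struct

def parse_rtp_header(payload: bytes):
    """Return (seq, timestamp, ssrc) from the cleartext RTP header, or None."""
    if len(payload) < 12 or payload[0] >> 6 != 2:  # RTP version must be 2
        return None
    return struct.unpack("!HII", payload[2:12])

def stream_stats(packets, clock_rate=48000):
    """packets: (arrival_seconds, udp_payload) tuples from one media flow.
    clock_rate is an assumption (48000 Hz, typical for Opus)."""
    received = cycles = 0
    base = max_seq = prev = None
    jitter = 0.0
    for arrival, payload in packets:
        hdr = parse_rtp_header(payload)
        if hdr is None:
            continue
        seq, ts, _ssrc = hdr
        received += 1
        if base is None:
            base = max_seq = seq
        elif seq < max_seq and max_seq - seq > 0x8000:
            cycles += 0x10000          # 16-bit sequence number wrapped
            max_seq = seq
        elif max_seq < seq < max_seq + 0x8000:
            max_seq = seq              # in-order advance; late packets ignored
        if prev is not None:
            # Signed 32-bit timestamp delta, so timestamp wrap is handled too.
            dts = (ts - prev[1] + 2**31) % 2**32 - 2**31
            d = abs((arrival - prev[0]) * clock_rate - dts)
            jitter += (d - jitter) / 16   # RFC 3550 section 6.4.1 estimator
        prev = (arrival, ts)
    expected = cycles + max_seq - base + 1 if received else 0
    return {"received": received, "expected": expected,
            "lost": expected - received,
            "jitter_ms": jitter / clock_rate * 1000}

def _pkt(seq, ts):
    # Constructed sample: V=2 header, PT 111, made-up SSRC, opaque "ciphertext".
    return struct.pack("!BBHII", 0x80, 111, seq, ts, 0x1234ABCD) + bytes(40)

# Constructed flow: 20 ms frames, seq 0 never arrives, seq 1 arrives 10 ms late.
SAMPLE = [(0.000, _pkt(65533, 1000)), (0.020, _pkt(65534, 1960)),
          (0.040, _pkt(65535, 2920)), (0.090, _pkt(1, 4840)),
          (0.100, _pkt(2, 5800))]

if __name__ == "__main__":
    print(stream_stats(SAMPLE))
```

Run it per flow (one source port or SSRC at a time), using the arrival times and UDP payloads exported from the capture.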